Cyber espionage nowadays plays an important role in politics, it helps governments to decide their “friends” as well their “enemies”, and the more dependent we are of technology the more Cyber espionage will happen and the more powerful will became.
A research conducted by ClearSky was trying to track down a cyber-espionage group (suspected to be based in Iran) known as Rocket Kitten, and maybe because the researcher got “too close” the group changed their attention to the ClearSky researcher and target him with a spear phishing email.
“Their favorite targets seem to be involved in policy research, diplomacy, all aspects of international affairs, defense, security, journalism, human rights, and others. We also observed attacks targeting organizations located in Europe. but in the bigger scheme of things this activity is marginal (about 5% of the total number of targeted attacks). The actors do not seem to be motivated by a hacktivist agenda.” states the report published by Trend Micro.
“[The researcher] had infiltrated … and was able to pose as a person of interest in this group, and they had engaged” explained Jon Clay, a senior global marketing manager for Trend Micro.
As a first attempt, the Rocket Kitten group tried to contact the researcher trough a fake Facebook profile, without success. Not happy with the result, the attackers carried a spear phishing attack on one of the victims of previous campaign by spoofing the name of the targeted researcher and using it as the sender because he had worked with the victim before when he was investigating Rocket Kitten’s activities. This circumstance leads to believe in one of two possibilities, or the attackers knew that they were under investigation, or the attackers got some email correspondence between the victim and the researcher.
“I can’t tell what the hackers’ motivation was to go after this individual, it did give us some good information,”, “We see this often with underground [cybercrime] investigations: a researcher infiltrates a forum and starts to be able to speak with the threat actors, acting like a member of the group.” Said Clay.
The researchers have observed a Rocket Kitten’s operating template in the operations they uncovered, the APT uses spear phishing and social engineering to target the primary or secondary victim.
This can be done by faking accounts and identities:
• Using fake Google Drive™ or Gmail™ accounts (The Rocket Kitten Group often impersonated persons of interest and public figures such as Israeli engineers.)
• Using stolen documents that suggest a legitimate cause and sender
• Using social media accounts as in Facebook to directly contact targets, create rapport via private messages, and log correspondence as well as consequently make users visit phishing websites The spear-phishing email contains a link or a file that when clicked or opened unleashes a payload that takes over the target machine
It was observed that lately, Cyber Espionage groups are targeting more individuals and fewer organizations, to get gather the information they need, getting away from the initial logic used in Cyber Espionage:
“The interesting thing we found is that they shifted from going after organizations, to going after individuals associated with those organizations. They can then utilize this personalized data to get into the corporate data; they use that to leverage lateral movement inside the organization”
ClearSky counted 550 targets used by Rocket Kitten, most of them based in the Middle East, “They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries. These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways,”
“These people are professionally affiliated with the foreign policy and defense sectors and there is an interest in finding out who they are talking to and what kinds of action they support.”
Who is the Rocket Kitten Group?
The Rocket Kitten groups have been suspected to be active since 2011 and have been increasing their activity since 2014. The group is not considered to have great cyber capabilities, its attacks don’t appear so sophisticated, however, they are difficult to predict. The first time the group was noticed, it was using a malicious version of Core Impact Pro® penetration-testing tool. As I said above the group is increasing their activity since 2014 and this is what we know until the moment:
“Previous reports about Rocket Kitten include ClearSky’s Gholee and “Thamar Reservoir“, and Trend Micro’s Operation Woolen-Goldfish. Last week Citizen Lab published Two-Factor Authentication Phishing From Iran. The group was analyzed in a presentation at the Chaos Communication Congress (CCC).” reported Clearskysec.
What is Rocket Kitten trying to gain?
The main targets are based in the Middle East, and it seems that their targets are involved in policy research, diplomacy and international affairs like policy research, diplomacy and international affairs. The information they held from their attacks are not clear and we don’t know how they intend the use it. At this point, we can only speculate the agenda of the group, but it looks like there is a government hand behind (may or not be)
In my opinion groups, such Rocket Kitten will increase their activity and their power, it is likely the group will target also IoT, and all the devices connected to the internet that could leak information on targets. The new trend is to go after individuals and not so much companies, since companies are more prepared to deal with security issues, and it makes sense, at home, we don’t have any IPS/IDS, Firewall.
These are APT groups and there are normally politically-motivated often they operate backed by foreign governments, as highlighted by former NSA Chief Alexander cyber espionage is the greatest transfer of wealth in history.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Rocket Kitten, cyber espionage)