Researchers from ClearSky and Trend Micro uncovered a new massive cyber espionage campaign conducted by CopyKittens dubbed ‘Operation Wilted Tulip’
A joint investigation by the Israeli cyber-intelligence firm ClearSky and Trend Micro uncovered a new, large-scale cyber espionage campaign, dubbed ‘Operation Wilted Tulip’, conducted by the Iran-linked APT group CopyKittens.
The hackers targeted government and academic organizations in several countries; according to the experts, the group has been active since at least 2013.
In 2015, ClearSky had also reported activity by Rocket Kitten, a separate Iran-linked APT group, against roughly 550 targets, most of them located in the Middle East.
CopyKittens targeted organizations and individuals in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.
The joint report published by ClearSky and Trend Micro details Operation Wilted Tulip and describes the TTPs (tactics, techniques, and procedures) used by the CopyKittens APT group.
“CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date, and are analyzed in this report: TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a files compression console program. The group also uses Matryoshka v1, a self-developed RAT analyzed by ClearSky in the 2015 report, and Matryoshka v2 which is a new version, albeit with similar functionality. The group often uses the trial version of Cobalt Strike, a publicly available commercial software for “Adversary Simulations and Red Team Operations.” states the report.
“Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap.”
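The report names Havij, Acunetix and sqlmap as the tools CopyKittens used to find and exploit internet-facing web servers. All three leave traces in ordinary web server access logs, so a defender's first check is a log sweep. The script below is an added example written for this article; it is not code from the ClearSky/Trend Micro report or from the tools themselves. It assumes Apache/Nginx "combined" log format and a handful of constructed sample lines. The sqlmap User-Agent is the tool's documented default; the Havij and Acunetix agent substrings are assumptions about their default agents and should be tuned to what the operator actually observes. Because any of these tools can be run with a spoofed agent (sqlmap's `--random-agent`, for instance), the sweep also URL-decodes each request and looks for generic SQL injection payload shapes rather than relying on the agent string alone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format (assumption: adjust if your format differs):
# host ident user [time] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings (matched case-insensitively). sqlmap identifies itself as
# "sqlmap/<version>" by default; the Havij and Acunetix strings are assumptions.
UA_SIGNATURES: Dict[str, str] = {
    "sqlmap": "sqlmap",
    "havij": "havij",
    "acunetix": "acunetix",
}

# Generic SQL injection payload shapes, checked against the URL-decoded request
# so that percent-encoded quotes and spaces do not hide the payload.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+['\d]+\s*=\s*['\d]+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|/\*)\s*$")),
]


@dataclass
class Hit:
    ip: str
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the list of reasons a request looks like scanner/SQLi activity (empty if clean)."""
    reasons: List[str] = []
    ua = entry["ua"].lower()
    for name, needle in UA_SIGNATURES.items():
        if needle in ua:
            reasons.append(f"ua:{name}")
    decoded = unquote_plus(entry["path"])
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(decoded):
            reasons.append(f"sqli:{name}")
    return reasons


def scan_logs(lines: List[str]) -> List[Hit]:
    """Sweep log lines and return one Hit per suspicious request, in input order."""
    hits: List[Hit] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-matching line: skip rather than crash
        reasons = classify(entry)
        if reasons:
            hits.append(Hit(entry["ip"], unquote_plus(entry["path"]), reasons))
    return hits


def suspicious_ips(hits: List[Hit]) -> List[str]:
    """Distinct source addresses behind the hits, for blocking or further hunting."""
    return sorted({h.ip for h in hits})


# Constructed sample log lines (not real traffic). The IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jul/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/54.0"',
    '203.0.113.9 - - [23/Jul/2017:10:00:05 +0000] "GET /item.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "sqlmap/1.1.7#stable (http://sqlmap.org)"',
    '203.0.113.9 - - [23/Jul/2017:10:00:09 +0000] "GET /news.php?id=5 HTTP/1.1" 200 1800 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"',
    '203.0.113.22 - - [23/Jul/2017:10:01:13 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.22 - - [23/Jul/2017:10:01:20 +0000] "GET /item.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.40 - - [23/Jul/2017:10:02:00 +0000] "GET /search.php?q=test HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Acunetix WVS)"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip:14} {', '.join(h.reasons):45} {h.path}")
    print("suspicious sources:", ", ".join(suspicious_ips(found)))
```

Run against a real log with `scan_logs(open("access.log").readlines())`. The agent signatures catch the lazy case; the decoded-payload patterns catch the same tools once the operator changes the agent, at the cost of some false positives on legitimate parameters containing words like "select", so treat the output as hunting leads rather than a block list.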
The hackers used both spear phishing attacks and watering holes to compromise target systems.
CopyKittens compromised the websites of media outlets and other organizations to deliver its malware. Among the sites the group compromised for watering hole attacks are The Jerusalem Post, the Maariv news site and the IDF Disabled Veterans Organization.
Below is the full list of methods used by CopyKittens in its campaigns.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led him to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".