Cyberspies Impersonate Security Researcher

infographic_hacker_update-gp-trans.png

A cyber espionage group thought to be from Iran turned the tables on a security researcher who may have gotten a little too close to its operation: the attackers posed as the researcher in a spear-phishing email.

The researcher, from ClearSky, has been tracking the hacking group, known as Rocket Kitten.

"The researcher had infiltrated … and was able to pose as a person of interest in this group, and they had engaged" with the researcher, says Jon Clay, senior global marketing manager for Trend Micro, which along with ClearSky today published new findings on Rocket Kitten. The spear-phishing email included a malicious link purportedly to a Trend Micro malware scanner.

The attackers first attempted to contact the ClearSky researcher via a phony Facebook profile, a ploy that ultimately failed. In late June, he learned that the attackers had sent a spear phishing email to one of their previous victims, Dr. Thamar E. Gindin, a lecturer on linguistics and pre-Islamic Iranian culture -- using his name as the purported sender. He had worked before Gindin while investigating Rocket Kitten's hacking activities, so the attackers either somehow had obtained previous email correspondence between the two, or they knew of the researcher's investigation into their operations.
"I can't tell what the hackers' motivation was to go after this individual [the ClearSky researcher]; it did give us some good information," Clay says. "We see this often with underground [cybercrime] investigations: a researcher infiltrates a forum and starts to be able to speak with the threat actors, acting like a member of the group."

This latest targeted attack demonstrates how Rocket Kitten's M.O. is now more about targeting individuals rather than organizations for the intel it's after, according to Trend Micro's findings. That's a departure from its earlier days, where the cyber espionage group went after organizations mostly in policy research, diplomacy, international affairs, defense, security, journalism, and human rights groups in the Middle East. Their targets of late appear to be Iranian dissidents and Israelis, more clues that Rocket Kitten is an Iranian attack group whose purpose is intelligence about the individual's activities. It's classic espionage with a geopolitical twist, researchers say.
"The interesting thing we found is that they shifted from going after organizations, to going after individuals associated with those organizations. They can then utilize this personalized data to get into the corporate data; they use that to leverage lateral movement inside the organization," Clay says. The goal is to steal the targeted individual's credentials, for example, to obtain a foothold in the targeted organization and move about "legitimately."

ClearSky has counted some 550 targets, mostly in the Middle East. "They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries. These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways," the Trend Micro and ClearSky report said. "These people are professionally affiliated with the foreign policy and defense sectors and there is an interest in finding out who they are talking to and what kinds of action they support."

Rocket Kitten isn't considered highly sophisticated; it uses simple hacking tools they may have written as well as pilfered publicly available ones. Researchers from CrowdStrike and Cymmetria, along with the Israeli CERT, late last year discovered that the cyber espionage group had used Core Security's penetration testing tool in their attacks.

While the Kitten group is doggedly persistent--they sometimes go after the same individual on a daily basis with different lures--they are known to make typos and grammatical errors that make them easy to spot, a characteristic often associated with cybercriminals. "However, the attackers do make up for these disadvantages with persistence. Based on our research and profiling, we believe the members of the Rocket Kitten Group could be former cybercriminals who ventured into a new field for some unclear reason and so use some of the methods they used to. Many of their techniques are typically observed in criminal endeavors," the report said.

Trend Micro's Clay says while identifying who's behind hacker groups is "tough," Rocket Kitten's targets appear to suggest it's a pro-Iranian government entity. The big challenge has been measuring the group's hacking success: "In a lot of cases, we're just seeing the initial attempts," Clay says. "We don't know what they are exfiltrating."

Dark Reading:

 

« NSA Gives $300,000 for a Safer Internet of Things
Cognitive Computing: What Can and Can’t Be Done. »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Identiv

Identiv

Identiv is a global security technology company that establishes trust in the connected world, including premises, information and everyday items.

Rambus Security Division

Rambus Security Division

Rambus Security Division solutions span areas including tamper resistance, content protection, network security, mobile payment, smart ticketing, and trusted provisioning services.

SBS CyberSecurity

SBS CyberSecurity

SBS CyberSecurity is a premier cybersecurity consulting and audit firm.

SecuDrive

SecuDrive

SecuDrive, provides hardware encrypted external storage devices to protect a company’s sensitive and important data.

Myra Security

Myra Security

Myra technology monitors, analyzes, and filters malicious internet traffic before virtual attacks can do any real harm.

Infosec (T) Ltd

Infosec (T) Ltd

Infosec (T) Limited is an independent Tanzania based consultancy specializing in IT governance, information security and IT audit.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

ePLDT

ePLDT

ePLDT delivers best-in-class digital business solutions that include Cloud, Cyber Security, purpose-built Data Center facilities and Managed IT Services.

BAI Security

BAI Security

BAI Security is a Nationally Recognized Leader in IT Security. Keeping your data safe and your business compliant is our singular focus.

Berkeley Varitronic Systems (BVS)

Berkeley Varitronic Systems (BVS)

Berkeley Varitronics Systems is an engineering think tank delivering custom wireless RF engineering products and solutions including cyber security.

Aigner Business Solutions

Aigner Business Solutions

Aigner Business Solutions GmbH is a specialist in IT-Security and Data Protection. Concise and focussed.

Fireblocks

Fireblocks

Fireblocks is a digital asset security platform that helps financial institutions protect digital assets from theft or hackers.

CryptoDATA

CryptoDATA

CryptoDATA develops products and services based on Blockchain technology, that ensure user security and data encryption, applicable in various fields.

Darktrace

Darktrace

Darktrace is a global leader in cybersecurity AI, delivering complete AI-powered solutions in its mission to free the world of cyber disruption.

Obsidian Security

Obsidian Security

Protect your business-critical applications by mitigating threats and reducing risk with Obsidian, the first truly comprehensive security solution for SaaS.

Cydea

Cydea

Cydea are an optimistic cyber security consultancy of experts in security, data, technology and design that want to build a safer, more secure world where more things go right.