An Iran-linked cyber espionage group called CopyKittens has been targeting several countries including Israel, Saudi Arabia, the United States, Germany, Jordan and Turkey, security researchers said on Tuesday (25 July). A new report by security firms Trend Micro and ClearSky delved into the group's wide-ranging espionage campaigns, tools and infrastructure used to target government institutions, defence companies, municipal authorities, academic institutions, large IT firms, subcontractors and United Nations employees.
CyberKittens, which has been operating since at least 2013, uses several yet simple tactics when targeting victims, from spear phishing emails and fake social media pages to watering hole attacks and infiltrating exposed email accounts.
However, despite their lack of "technological sophistication and operational discipline," the group is "very persistent," researchers said.
"The group uses a combination of these methods to persistently target the same victim over multiple platforms until they succeed in establishing an initial beachhead of infection – before pivoting to higher value targets on the network," researchers said. "These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly."
Researchers said targeted organisations often discover the breach after the threat group "gets greedy" and infects multiple computers within the company's network.
"This would raise an alarm in various defence systems, making the victims initiate incident response operations", researchers said.
The group's activities were first detailed in November 2015 by ClearSky and Minerva Labs. In March, ClearSky released another report detailing the group's cyberactivities targeting the German Bundestag using watering hole attacks.
CopyKittens uses several other hacking tools as well including a .NET binary backdoor, a lateral movement tool called Vminst, a Cobalt Strike loader dubbed NetSrv and a files compression console program called ZPP. The group also uses a self-developed RAT called Matryoshka v1 and a newer version of it, Metasploit, Mimikatz, Havij and Acunetix to detect and exploit vulnerable web servers.
In April this year, the threat actors infiltrated the email account of an employee in the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus to sent a malicious email to several other targets in other government organisations across the globe. In another attack, they used a document likely stolen from Turkey's Foreign Ministry as a decoy, researchers said.
"We strongly recommend two factor authentication be implemented to protect webmail accounts from being compromised", Trend Micro said in a blog post. "Webmail accounts can be a treasure trove of information for an attacker, and an extremely strong initial beachhead for pivoting into other targets e.g. replying to existing threads with malicious attachments or links."