Iran-Linked Espionage Group Continues Attacks on Middle East

Despite the fact that its activities have been exposed by security researchers, the Iran-linked threat group dubbed “Rocket Kitten” continues to target individuals and organizations, particularly in the Middle East.

The political espionage operations of this state-sponsored advanced persistent threat (APT) actor have been analyzed by several security firms, including Trend Micro, ClearSky, iSIGHT Partners (Newscaster attacks) and FireEye (Operation Saffron Rose by Ajax Security Team).

In a report released in March, Trend Micro detailed a Rocket Kitten operation dubbed “Woolen GoldFish,” which targeted civilian and academic organizations in Israel, German-speaking government organizations, and public and private organizations in other European countries. Other security companies detailed attacks targeting high-profile individuals and organizations in the Middle East and the United States.

In a joint paper released on Tuesday, ClearSky and Trend Micro revealed that the group’s activities have intensified over the past months. ClearSky has identified a total of 550 targets, most of which are located in the Middle East. However, researchers noted that the group appears to be currently focusing on individuals rather than organizations.

Two attacks described in detail in the report have targeted a ClearSky researcher and an Iranian lecturer.

The APT group’s attacks against Dr. Thamar E. Gindin, an expert lecturer in linguistics and pre-Islamic Iranian culture, started in mid-2015 after she made some political statements. The attackers sent Dr. Gindin several spear-phishing emails containing malware and links to phishing pages. They also targeted her Google, Facebook and cloud accounts using brute-force attacks and other hacking methods. On a couple of occasions, the malicious actors even called the expert on the phone in an attempt to obtain details they could leverage for social engineering, researchers said.

In June 2015, Dr. Gindin started assisting researchers at ClearSky with a report on “Thamar Reservoir,” a Rocket Kitten campaign targeting Middle Eastern entities. The attacks aimed at the expert continued even after the report was published.

After Dr. Gindin started collaborating with ClearSky, the APT group started targeting one of the company’s researchers. They first attempted to approach the researcher using a fake Facebook profile. When that failed, they used a fake ClearSky email address in an attempt to trick him into clicking on a link leading to a piece of malware.

Researchers believe the group is unlikely to end its activities any time soon.

“The more information we gather about [Rocket Kitten’s] tactics and methods, the more we are convinced that what we are facing is a group of resourceful and persistent actors. Rocket Kitten doesn’t need sophisticated skills,” reads the report from Trend Micro and ClearSky. “The infection vectors that the group uses are very simple. The malware they use are mostly purchased from third parties. But these shouldn’t fool anyone into thinking they’re less difficult to deal with. Rocket Kitten makes up for their shortcomings by being extremely persistent and agile.”

The complete report, titled “The Spy Kittens are Back: Rocket Kitten 2,” is available online in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
