Iran-Linked Espionage Group Continues Attacks on Middle East

Despite the fact that its activities have been exposed by security researchers, the Iran-linked threat group dubbed “Rocket Kitten” continues to target individuals and organizations, particularly in the Middle East.

The political espionage operations of this state-sponsored advanced persistent threat (APT) actor have been analyzed by several security firms, including Trend Micro, ClearSky, iSIGHT Partners (Newscaster attacks) and FireEye (Operation Saffron Rose by Ajax Security Team).

In a report released in March, Trend Micro detailed a Rocket Kitten operation dubbed “Woolen GoldFish,” which targeted civilian and academic organizations in Israel, German-speaking government organizations, and public and private organizations in other European countries. Other security companies detailed attacks targeting high-profile individuals and organizations in the Middle East and the United States.

In a joint paper released on Tuesday, ClearSky and Trend Micro revealed that the group’s activities have intensified over the past months. ClearSky has identified a total of 550 targets, most of which are located in the Middle East. However, researchers noted that the group appears to be currently focusing on individuals rather than organizations.

Two attacks described in detail in the report have targeted a ClearSky researcher and an Iranian lecturer.

The APT group’s attacks against Dr. Thamar E. Gindin, an expert lecturer in linguistics and pre-Islamic Iranian culture, started in mid-2015 after she made some political statements. The attackers sent Dr. Gindin several spear-phishing emails containing malware and links to phishing pages. They also targeted her Google, Facebook and cloud accounts using brute-force attacks and other hacking methods. On a couple of occasions, the malicious actors even called the expert on the phone in an attempt to obtain details they could leverage for social engineering, researchers said.

In June 2015, Dr. Gindin started assisting researchers at ClearSky with a report on “Thamar Reservoir,” a Rocket Kitten campaign targeting Middle Eastern entities. The attacks aimed at the expert continued even after the report was published.

After Dr. Gindin started collaborating with ClearSky, the APT group started targeting one of the company’s researchers. They first attempted to approach the researcher using a fake Facebook profile. When that failed, they used a fake ClearSky email address in an attempt to trick him into clicking on a link leading to a piece of malware.

Researchers believe the group is unlikely to end its activities any time soon.

“The more information we gather about [Rocket Kitten’s] tactics and methods, the more we are convinced that what we are facing is a group of resourceful and persistent actors. Rocket Kitten doesn’t need sophisticated skills,” reads the report from Trend Micro and ClearSky. “The infection vectors that the group uses are very simple. The malware they use are mostly purchased from third parties. But these shouldn’t fool anyone into thinking they’re less difficult to deal with. Rocket Kitten makes up for their shortcomings by being extremely persistent and agile.”

The complete report, titled “The Spy Kittens are Back: Rocket Kitten 2,” is available online in PDF format.