Researchers Hack Infrastructure of Iran-Linked Cyber Spies

 Rocket Kitten - Iranian Hackers

A new report from security solutions provider Check Point provides further insight into the activities of the Iran-linked threat group known as Rocket Kitten.

Rocket Kitten has been around since at least early 2014 and its activities have been analyzed by several security firms, including FireEye (Operation Saffron Rose), iSIGHT Partners (Newscaster), ClearSky (Thamar Reservoir) and Trend Micro (Woolen GoldFish).

The fact that its campaigns have been closely monitored by security firms doesn’t seem to have discouraged the advanced persistent threat (APT) group, which simply made some changes to its tools and phishing domains and continued its activities.

Check Point started analyzing Rocket Kitten after the group targeted one of its customers. While investigating a phishing server used by the threat actor, experts noticed that the XAMPP web server hosted on it was not configured properly, allowing anyone to gain root access without needing a password.

An analysis of the attacker’s database revealed a total of more than 1,800 victims who had fallen for the phishing scams and handed over their information. Each of these victims was associated with a particular Rocket Kitten operator.

For example, one operator harvested the details of 522 users as part of a campaign targeting human rights activists, CEOs and ministry officials in Saudi Arabia. Another operator harvested the details of 233 victims in the defense sector, including in NATO countries, the United Arab Emirates, Afghanistan, Thailand, and Turkey. Embassies in countries neighboring Iran were also targeted by the same operator.

The busiest operator is responsible for nearly 700 victims, a list that mainly consists of scholars, persons of influence, education organizations, and media outlets in Saudi Arabia. The database accessed by Check Point shows that the group also focused on Iranians living abroad, Venezuelan entities, and Israeli nuclear scientists, former military officials, and national security and foreign policy researchers.

Logs from the phishing server showed that the largest number of visitors came from Saudi Arabia (18%), the United States (17%), Iran (16%), the Netherlands (8%) and Israel (5%). Experts determined that 26 percent of those who accessed the phishing pages entered their credentials — a relatively high success rate attributed to the attackers’ persistence and well-targeted phishing emails.

In addition to the phishing server, researchers managed to hack into one of Rocket Kitten’s command and control (C&C) servers by using administrator credentials hard-coded by the attackers into the malware. This allowed Check Point to find information revealing the real identity of the espionage group’s main developer, known as “Wool3n.H4T.”

“In this case, as in other previously reported cases, it can be assumed that an official body recruited local hackers and diverted them from defacing web sites to targeted espionage at the service of their country. As is often the case with such inexperienced personnel, their limited training reflects in lack of operational security awareness, leaving a myriad of traces to the origin of the attack and their true identities,” Check Point said in its report.

The complete report, titled “Rocket Kitten: A Campaign with 9 Lives,” is available for download in PDF format.

Related: Long-Term Strategy Needed When Analyzing APTs

Related: Iranian Hackers Targeted US Officials in Social Media Attack Operation

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
