Rocket Kitten

Rocket Kitten or the Rocket Kitten Group is a hacker group thought to be linked to the Iranian government. [1] The threat actor group has targeted organizations and individuals in the Middle East, particularly Israel, Saudi Arabia, Iran as well as the United States and Europe.

Origins

Cybersecurity firm FireEye first identified the group as the Ajax Security Team, [2] writing that it appears to have been formed in 2010 by the hacker personas "Cair3x" and "HUrr!c4nE!". By 2012, the group had turned its focus to Iran's political opponents, [3] and by 2013 or 2014 it had shifted to malware-based cyberespionage. [3] Its targeted attack campaigns, dubbed "Rocket Kitten", have been known since mid-2014. [4]

Security firm Check Point describes Rocket Kitten as an "attacker group of Iranian origin." [1]

Rocket Kitten's code uses Persian-language references. The group's targets are involved in defense, diplomacy, international affairs, security, policy research, human rights, and journalism. According to Check Point, the group has targeted Iranian dissidents, the Saudi royal family, Israeli nuclear scientists and NATO officials. Security researchers found a "common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus." [4] Other researchers determined that Rocket Kitten's attacks resembled those attributed to Iran's Revolutionary Guards. [4] Intelligence officials from the Middle East and Europe linked Rocket Kitten to the Iranian military establishment. [2] Rocket Kitten favours a Remote Access Trojan, [5] and by 2015 researchers found it was using customised malware. [2]

History

Operation Saffron Rose

Cybersecurity firm FireEye released a report in 2013 finding that Rocket Kitten had conducted several cyberespionage operations against United States defense industrial base companies. The report also detailed the targeting of Iranian citizens who use anti-censorship tools to bypass Iran's Internet filters. [3]

Operation Woolen-Goldfish

Trend Micro identified the Operation Woolen-Goldfish campaign in a March 2015 paper. The campaign included improved spearphishing content. [1]

Oyun

In November 2015, operational security errors by Rocket Kitten allowed Check Point to gain password-less root access to "Oyun", the group's back-end database. There they found an application that generated personalized phishing pages and held a list of over 1,842 individual targets. [2] [6] Among Rocket Kitten's spearphishing targets from June 2014 to June 2015, 18% were in Saudi Arabia, 17% in the United States, 16% in Iran, 8% in the Netherlands, and 5% in Israel. [2] Analysts used the recovered credentials to access the keylogs of the group's victims and found that Rocket Kitten had apparently tested its malware on its own workstations and failed to erase those logs from the data files. [6] Check Point identified an individual named Yaser Balaghi, going by Wool3n.H4t, as a ringleader of the operation. [5]

Telegram hack

In August 2016, researchers identified Rocket Kitten as being behind a hack of accounts on Telegram, a cloud-based instant messaging service. The attackers exploited Telegram's reliance on SMS verification, compromising over a dozen accounts and harvesting the user IDs and telephone numbers of 15 million Iranian users of the software. Opposition organizations and reformist political activists were among the victims. [4]

References

  1. "Rocket Kitten: A Campaign With 9 Lives" (PDF). Check Point. 2015.
  2. Jones, Sam (26 April 2016). "Cyber warfare: Iran opens a new front". Financial Times.
  3. "Operation Saffron Rose" (PDF). FireEye. 2013. Retrieved 26 December 2016.
  4. Menn, Joseph; Torbati, Yeganeh (2 August 2016). "Exclusive: Hackers accessed Telegram messaging accounts in Iran - researchers". Reuters.
  5. Carman, Ashley (9 November 2015). "Supposed mastermind behind 'Rocket Kitten' APT identified in research paper". SC Magazine US.
  6. Muncaster, Phil (10 November 2015). "Opsec Blunders Expose Rocket Kitten Masterminds". Infosecurity Magazine.