This article is more than 1 year old

Shabby but persistent espionage group turn tables on researchers

'Hey it's Mike, open this thing would ya?'

Researchers investigating an active online espionage group have themselves been targeted in persistent social engineering attacks.

Eyal Sela and Cedric Pernet of ClearSky and Trend Micro say the attackers from the Rocket Kitten group targeted an unnamed security bod at the former company with social engineering Facebook messages and emails.

The attackers had impersonated the researcher in emails to their contacts in a bid to strike back at the white hats.

It follows the researcher's work released in March and September 2014 last year that first identified the group.

The bogus emails are woeful compared to the social engineering chops of advanced groups. In the messages, the net scum ask the presumably security-savvy target in an awkward grammatical flow to run a bogus Trend Micro virus scanner executable.

The target contact then pinged the ClearSky researcher in a bid to confirm the phish.

They might be inept in attacking security researchers, but the attackers are persistent: Sela and Pernet say the group has in recent months focused on social engineering efforts to target organisations through staff private online accounts to avoid heavier security defences.

The group has hit some 550 mostly Middle East-based targets, trying their espionage on expatriates living in the West involved in human rights and journalism, but it is not clear what data was stolen.

Popping the enterprise through personal accounts.

Based on their collective findings the research pair reckon that Rocket Kitten is involved in foreign political espionage campaigns, keeping tabs on key personalities that have personal affiliation with foreign policy and defense actors. They are not after cash, the pair contend.

Rocket Kitten targets victims with phishing emails, Facebook messages and even brazen phone calls and text messages in its 'relentless' pursuit to breach personal accounts.

This is a clever move, taking advantage of their lack of peripheral protection at home as opposed to in an organisational setting where monitoring systems are in place and security personnel can help as soon as alarms go off. Now, the attackers very well know that while in theory, work and private lives are completely separate; in the real world, people use personal cloud services and personal devices to store and share work-related content."

This creates a "blissful chain reaction" allowing them to breach corporate networks.

The research duo award the group points for persistence but say their malware stinks. The keylogger was "badly developed" and leaked file transfer protocol credentials, while the attacker's modifications to the Core Impact Pro penetration testing tool was basic. ®

More about


Send us news

Other stories you might like