CheckPoint has raided the servers of a bumbling alleged Iranian hacking group using credentials hardcoded into malware, using its access to name suspected members.
The Rocket Kitten group was revealed September 2014 and later in more detail March targeting organisations throughout the Middle East with persistent, successful, but unsophisticated phishing emails.
CheckPoint has entered the fray into its latest report (pdf), finding holes in the groups horrendously poor operational security to discover what it says is likely the true identities of at least two members.
While attribution is a messy and dangerous business, Rocket Kitten's supreme operational security failures provided the unnamed Check Point researchers with plenty of evidence to link hacker aliases with names: command and control credentials were hardcoded into the malware, and the VXers failed to remove infections on their own machines.
"...we spotted this gem of an operational security mistake in the SQLi instructional video which precisely provided the smoking gun we were after … [the hacker] was now caught giving a public tutorial while logged in under his secret alias, otherwise unlinked with his real identity.
"Among many logged keystroke files containing stolen data, we stumbled on an astonishing discovery: the Rocket Kitten attackers had infected their own workstations, apparently as ‘test-runs’ [and] failed to remove these files from the command and control server, demonstrating, yet again, utter lack of operational security.
"If all that wasn’t enough, we also managed to retrieve an updated resume for [one of the attackers]."
Check Point boffins reckon the crew was pulled off it script kiddie web defacement efforts by Tehran and recruited into targeted espionage "at the service of their country".
A resume Check Point obtained on one of the attackers via yet more lousy operational security alleges he developed malware for Tehran.
Rocket Kitten appears based on collective research to seek information on actors and information on foreign policy and defense, and are not seeking cash.
One in four targets will enter credentials on Rocket Kitten's phishing pages. Victims include Israeli nuclear scientists and physicists, ex-military, Saudi scholars, NATO regional posts, and various media outlets. Hundreds of campaigns, labelled 'projects', have been developed to pop victims.
Researchers at Trend Micro and ClearSky were themselves targeted by the group who late this year attempted to coax them over Facebook messages into opening malware.
The hacking group has since brazenly used the ClearSky name to send Rocket Kitten alerts ostensibly from the security company to targets with a would-be detection tool attachment that actually infects machines. ®