Security researchers have lifted the lid on a new cyber-espionage crew that has targeted the German Bundestag and Turkish diplomats.
CopyKittens has attacked government, security and academic institutions, websites in Germany and Turkey, as well as United Nations employees and organisations in Saudi Arabia, Israel and Jordan for the last four years. Government institutions, defence companies, sub-contractors and large IT companies are among the most targeted organisations.
A study on the group co-authored by ClearSky, an Israeli cyber-intelligence firm, and Trend Micro reports how members of the German Bundestag were compromised by a watering-hole-style attack run by the group. In another case a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus, trying to leverage trust in the supposed source of the email in a bid to infect multiple targets in other government organisations worldwide. In a different case, a document likely stolen from the Turkish Ministry of Foreign Affairs was used as a decoy.
Israeli embassies have been targeted by the group, as well as foreign embassies in Israel. Fake Facebook profiles (some active for years) have been used to spread malicious links and build trust with marks. Other tactics included breaching exposed webmail accounts.
The group has developed its own bespoke hacking tools. These include the TDTESS backdoor; Vminst, a lateral movement tool; and NetSrv, a Cobalt Strike loader. The group also uses Matryoshka v1, a self-developed remote access trojan.
CopyKittens (AKA Rocket Kittens) also makes use of commercially available pen-testing tools such as Cobalt Strike and Metasploit.
"CopyKittens is very persistent, despite lacking technological sophistication and operational discipline," according to ClearSky. "These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply countermeasures relatively quickly."
Previous studies on CopyKittens, like this one by Check Point, also accused the group of rubbish OpSec practices.
More on the latest CopyKittens research can be found here and here. Neither ClearSky nor Trend Micro speculates about the identity of CopyKittens but (based on the targets and social media shenanigans) Iran has to be a strong suspect. ®