ClearSky of Israel and the Tokyo-based Trend Micro say malicious hackers are using social media platforms such as Twitter, Facebook and YouTube to dupe targeted victims in Saudi Arabia, Germany, the U.S. and Israel.
By Reuters and Israel Hayom Staff
A cyber spying group with links to Iran is targeting countries including Israel, Saudi Arabia, Germany and the United States, security researchers said on Tuesday.
A new report by Tokyo-based Trend Micro and ClearSky of Israel detailed incidents as recently as April of this year involving a group known as “CopyKittens,” which has been active for the past four years.
The group targets its victims using relatively simple techniques like creating fake Facebook pages, corrupting websites or Microsoft Word attachments with malicious code, and impersonating popular media brands like Twitter, YouTube and the BBC, as well as security firms such as Microsoft, Intel and even Trend Micro.
“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” the researchers said in a statement.
“These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply countermeasures relatively quickly,” they said.
Iranian officials were not available for comment.
The report itself does not link the group to Iran. As a matter of company policy, Trend Micro research into state-backed attacks focuses on technical evidence and forgoes political analysis.
However, ClearSky researchers said that CopyKittens was “Iranian government infrastructure,” adding that the use of “kitten” in the industry indicates Iranian hackers, just as “panda” or “bear” refer to Chinese and Russians, respectively.
CopyKittens is distinct from another Iran-based cyber spy group dubbed “Rocket Kitten,” which since 2014 has mounted cyberattacks on high-profile political and military figures in countries near Iran as well as the U.S. and Venezuela.
CopyKittens has been operating since at least 2013, though its activities were first exposed publicly in November 2015 by ClearSky and Minerva Labs. Earlier this year, ClearSky wrote another paper detailing more hacking incidents that affected some members of Germany’s parliament.
Eyal Sela, head of threat intelligence at ClearSky, said that once an initial hack against a government or commercial target is successful, CopyKittens uses that access to then attack other groups, though it tries to remain very focused.
As recently as late April, the group breached the email account of an employee in the Foreign Ministry in Turkish Cypriot-controlled northern Cyprus and then tried to infect multiple targets in other governments, the report said.
Another time it used a document, likely stolen from Turkey’s Foreign Ministry, as a decoy.