New insight on the Rocket Kitten Iranian hacking crew

Experts from Check Point published a new report on the Rocket Kitten APT that includes more insight into the activities of the group.

Do you remember the Rocket Kitten APT?

The Rocket Kitten group is suspected to have been active since 2011 and to have increased its activity since 2014. Its main targets are based in the Middle East, and they appear to be involved in policy research, diplomacy and international affairs.

Several security firms have analyzed the operations conducted by Rocket Kitten, and the experts have used different names to reference the hacking crew. FireEye linked the group to the cyber espionage campaign “Operation Saffron Rose”; the experts at iSIGHT Partners discovered the group was using a network of fake accounts on major social media platforms, the NEWSCASTER network, to spy on US officials and political staff worldwide; the experts from ClearSky uncovered the Thamar Reservoir operation, which targets entities in the Middle East; and in March researchers at Trend Micro uncovered a new hacking campaign dubbed Operation Woolen GoldFish, likely run by the Rocket Kitten group.

The Rocket Kitten group is very active and, despite the numerous investigations by security firms, it continues to conduct cyber espionage operations, using different tools from its arsenal for each hacking campaign.

The Rocket Kitten hackers are now in the headlines thanks to a new report published by the security firm Check Point. Check Point was investigating a phishing attack against one of its customers when it discovered a server used by the Rocket Kitten group.

According to the report “Rocket Kitten: A Campaign with 9 Lives,” the hackers used a common XAMPP web server that was poorly configured, allowing the investigators to gain root access without authentication.

The experts at Check Point discovered that more than 1,800 victims had already been successfully targeted by Rocket Kitten; their information was stored in the database present on the server.

The analysis of the logs from the phishing server revealed that most visitors came from Saudi Arabia (18%), the United States (17%), Iran (16%), the Netherlands (8%) and Israel (5%).

“This list was analyzed to confirm a strong alignment with nation-state political interests, with specific victims known as adversarial or of intelligence value to Iran.” states the report.

It is curious to note that nearly 26 percent of visitors provided their credentials.

Each victim was associated with a particular Rocket Kitten operator; in one case a single operator harvested the details of nearly 700 victims. Another operator phished 522 users as part of a campaign targeting human rights activists, company executives and ministry officials in Saudi Arabia.

“Looking at user names, we can spot some potentially Persian names or aliases such as merah, kaveh, ahzab or amirhosein. These were potentially the campaign ‘operators’—tasked with social engineering and tailoring a phishing page per target.” states the report.

A third operator collected information belonging to 233 individuals in organizations operating in the defense sector, including in NATO countries, the United Arab Emirates, Afghanistan, Thailand, and Turkey.

The hackers also targeted Iranians living abroad, Israeli nuclear scientists, former military officials, national security and foreign policy researchers and Venezuelan entities.

The analysis of the phishing server allowed the investigators to reveal the identity of the main developer of the hacking crew, an individual using the nickname “Wool3n.H4T.”

“In this case, as in other previously reported cases, it can be assumed that an official body recruited local hackers and diverted them from defacing web sites to targeted espionage at the service of their country. As is often the case with such inexperienced personnel, their limited training reflects in lack of operational security awareness, leaving a myriad of traces to the origin of the attack and their true identities,” Check Point said in its report.

If you want to dig deeper into the investigation, take a look at the excellent “Rocket Kitten: A Campaign with 9 Lives” report published by Check Point.


Pierluigi Paganini

(Security Affairs – Rocket Kitten, cyber espionage)

