Since early 2014, an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection, supported by persistent spear phishing campaigns. This cyber-espionage group was dubbed ‘Rocket Kitten,’ and remains active as of this writing, with reported attacks as recent as October 2015.
The Rocket Kitten group and its attacks have been analyzed on numerous occasions by several vendors and security professionals, resulting in various reports describing the group’s method of operation, tools and techniques.
Characterized by relatively unsophisticated technical merit and extensive use of spear phishing, the group targeted individuals and organizations in the Middle East (including targets inside Iran itself), as well as across Europe and in the United States. Many of these targets were successfully compromised by various pieces of custom-written malware; and despite identification and flagging of their infrastructure, the attackers have struck again and again by making minor changes to their tools or phishing domains. Check Point has obtained a complete target listing from the attackers’ servers; among confirmed victims are high-ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.
This report provides a summary of the findings including:
• New evidence obtained during Check Point’s independent investigation into attacker infrastructure, including previously unpublished malware indicators.
• Information that appears to reveal the full extent of operations over the past year, and provides unique insight into target profiles and attacker operation internals.
• Analysis of attack data to reveal details on victims and specific industries that may have special significance to Iranian political and military interests.
• Analysis of attacker mistakes that appear to reveal the true identity of the main developer behind the group’s activities (a.k.a. “Wool3n.H4T”), detailed for the first time.
It is our hope that this report and the measures taken over the past few weeks lead to an effective shutdown of attacker operations (the current generation of tools and infrastructure). While Check Point customers are protected against all known variants of this threat, we urge fellow security vendors and malware research professionals to extend coverage of the malicious IoCs (Indicators of Compromise) in their current protection infrastructure.