Persistent cyber spies try to impersonate security researchers

Rocket Kitten, a cyber espionage group that mostly targets individuals in the Middle East, has been spotted attempting to impersonate security researchers.

The group’s activities were first made publicly known by ClearSky researchers last September, and Trend Micro followed suit with a paper in March 2015. Despite these revelations, the group persists with their attacks.

“We feel fairly certain that Rocket Kitten’s prime targets are not companies and political organizations as entire bodies but individuals that operate in strategically interesting fields such as diplomacy, foreign policy research, and defense-related businesses. We believe the espionage factor and political context make their attacks unique and very different from traditional targeted attacks,” researchers from both companies noted in a recently published new paper.

The group is obviously not interested in corporate espionage. Whether backed by a state or not, they specialize in politically motivated espionage.

“What we know is that the individuals targeted often had strategically interesting professions from a political or geostrategic perspective. They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries,” the researchers shared.

One of the latest confirmed attacks was against Dr. Thamar E. Gindin, an Israeli expert on linguistics and pre-Islamic Iranian culture, who then helped researchers at ClearSky build a detailed picture of the attackers’ modus operandi.

The ways they tried to compromise her accounts and devices were many: spear phishing emails from spoofed email accounts made to look like those of familiar individuals or organizations, phishing phone calls, requests to open sent documents (actually malware), join forums (link was to malicious site), messages via Facebook from fake accounts, attempts to compromise her contacts’ accounts in order to get to her, and so on.

More often than not, these social engineering and spear phishing attempts were poorly executed, but if there is one thing that Rocket Kitten attackers can’t be accused of is that they aren’t persistent: Dr. Gindin was bombarded with these various attempts day after day, and the attacks continued even after ClearSky published a paper on them (the Thamar Reservoir paper).

“Rocket Kitten targets primary victims but also secondary ones that they steal content from to reuse to spear-phish primary targets,” the researchers also pointed out. “One interesting incident involves compromising the email account of a famous Israeli engineer to get nonpublic documents from him. These were then used to more convincingly mimic the engineer in order to get to primary targets within his professional circle.”

Another similar attack has been aimed at a ClearSky threat researcher, who had been contacted by attackers via a fake Facebook account.

“When this attempt didn’t work, they resorted to other techniques. In the latter part of this June, the researcher received a phone call from another attack target whom he had been in contact with during the Thamar Reservoir investigation. This other person wanted to confirm if the researcher indeed sent him an email (which he actually never did),” they shared.

The email was sent from a fake ClearSky email address, and tried to leverage Trend Micro’s good reputation in order to trick the target into downloading the linked malicious executable (a downloader):


“Usurping a threat researcher’s identity is something we haven’t seen until now. But it tells us a back story. The attackers may either have had access to an email account revealing correspondence between the researcher and the victim or they realized that they were being investigated by ClearSky and exploited that knowledge,” the researchers noted.

The group’s use of unsophisticated, off-the-shelf and badly developed malware, and phishing emails with spelling typos and grammatical errors seem to point to a group that consists of former cybercriminals who ventured into a new field for some unclear reason. Still, they are persistent, resourceful and versatile attackers, and that is why they ultimately often successfully pull off their attacks.

Share this
You are reading

Persistent cyber spies try to impersonate security researchers