CopyKittens Exposed by ClearSky and Trend Micro

CERT-LatestNews Malware ThreatsCybercrime ThreatsEconomic ThreatsStrategic TrendMicroNews
What can a hacker do with access to your business email account?

CopyKittens is a cyberespionage group that ClearSky has been reporting on since 2015, tracking their attacks on government-related bodies around the world. Trend Micro has supported this research at several points, including for their latest report released today on the group’s vast espionage campaigns. This research highlights new malware, exploitation, delivery, and command and control (C&C) infrastructure being used by the group. This is Trend Micro’s second collaborative effort with Clearsky, a paper on similarly named Rocket Kittens in 2015.

CopyKittens at Work

The main countries targeted by CopyKittens are Israel, Saudi Arabia, Turkey, the U.S., Jordan and Germany. Within these countries, the targets vary – with government institutions, defense companies, sub-contractors and large IT companies among the most targeted organizations.

Victims are targeted via several methods, including spear phishing emails, watering hole attacks, fake social media profiles and targeting exposed webmail accounts. The group uses a combination of these methods to persistently target the same victim over multiple platforms until they succeed in establishing an initial beachhead of infection – before pivoting to higher value targets on the network.

To do this the group leverages their own custom malware tools in combination with existing, commercial tools, such as Cobalt Strike and Metasploit. This report is the first time some of these custom tools have been publicly discussed. Details are given on how each component is used during initial infection and later lateral movement on the victims network.

Protection Techniques

Security measures for these attack types are well known – and Trend Micro’s solutions like Trend Micro Deep Discovery can mitigate these risks on multiple levels. One particular attack vector does merit an extra mention however – webmail. As stated in our recent Pawn Storm report, we strongly recommend two factor authentication be implemented to protect webmail accounts from being compromised. Webmail accounts can be a treasure trove of information for an attacker, and an extremely strong initial beachhead for pivoting into other targets e.g. replying to existing threads with malicious attachments or links.

You can find further information on this attack campaign in our collaborative paper “Operation Wilted Tulip: Exposing a Cyberespionage Apparatus.”