TEL AVIV (Reuters) – A cyber spying group with links to Iran and active for the past four years is targeting countries including Israel, Saudi Arabia, Germany and the United States, security researchers said on Tuesday.
A new report by Tokyo-based Trend Micro (4704.T) and ClearSky of Israel detailed incidents as recently as April of this year involving a group known as “CopyKittens”.
The group targets its victims using relatively simple techniques like creating fake Facebook pages, corrupting websites or Microsoft Word attachments with a malicious code, according to the report.
It was seen impersonating popular media brands like Twitter, Youtube, the BBC and security firms such as Microsoft, Intel and even Trend Micro.
“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” the researchers said in a statement.
“These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly,” they said.
Iranian officials were not available for comment.
The report itself does not link the group to Iran. As a matter of company policy, Trend Micro research into state-backed attacks focuses on technical evidence and forgoes political analysis.
However Clearsky researchers told Reuters that CopyKittens was “Iranian government infrastructure,” adding that the use of “kitten” in the industry indicates Iranian hackers, just as “panda” or “bear” refer to Chinese and Russians, respectively.
CopyKittens is distinct from another Iran-based cyber spy group dubbed Rocket Kitten, which since 2014 has mounted cyberattacks on high-profile political and military figures in countries near Iran as well as the United States and Venezuela. (reut.rs/2tGfOzK)
CopyKittens has been operating since at least 2013, according to the report, though its activities were first exposed publicly in November 2015 by ClearSky and Minerva Labs. Earlier this year, ClearSky wrote another paper detailing more hacking incidents that affected some members of Germany’s parliament.
Eyal Sela, head of threat intelligence at ClearSky, said that once an initial hack against a government or commercial target is successful, CopyKittens uses that access to then attack other groups, though it tries to remain very focused.
As recently as late April, the group breached the email account of an employee in the Ministry of Foreign Affairs in Turkish Cypriot-controlled northern Cyprus and then tried to infect multiple targets in other governments, the report said.
Another time it used a document, likely stolen from Turkey’s Foreign Ministry, as a decoy.
Reporting by Tova Cohen, Ari Rabinovitch and Eric Auchard; Editing by Richard Balmforth