ClearSky and Trend Micro have released a new report that details the movements of a notorious cyberespionage group.
Known as CopyKittens, the group appears to be politically-motivated and has increasingly been active in pursuing foreign espionage on strategic targets.
Its main targets are in countries such as Israel, Saudi Arabia, Turkey, The United States, Jordan, and Germany. Occasionally individuals in other countries are targeted as well as UN employees.
The group has been active since 2013 with targeted organisations including government institutions (such as Ministry of Foreign Affairs), academic institutions, defense companies, municipal authorities, sub-contractors of the Ministry of Defense and large IT companies.
"We've been tracking CopyKittens for four years and have become very intimate with its operations,” says Boaz Dolev, CEO at ClearSky Cyber Security.
“Our analysis gives indications about the group’s political motivations. Analysed within this context, these attacks deliver fresh insights."
According to ClearSky and Trend Micro, the group’s main method of attack is to breach and weaponise online news outlets and general websites to act as vehicles for watering hole attacks.
An incident detailed in the report tells how members of the German Bundestag were compromised by watering holes lurking within several legitimate websites that had been hacked and linked to harmful third-party sites.
Another example accounts how a malicious email was sent from a breached account of an employee in the Ministry of Foreign Affairs within the Turkish Republic of Northern Cyprus to launch a massive spear phishing campaign, with victims receiving a highly-target message from a legitimate and known source with the intent to infect multiple targets in other government organisations around the world.
In a different case, a document that had likely been stolen from the Turkish Ministry of Foreign Affairs was used as a decoy to cripple government infrastructure.
ClearSky and Trend Micro have highlighted a specific quality behind the CopyKittens group, which acts as both a strength and a weakness.
The group is extremely persistent, despite the tendency to lack technological sophistication and operational discipline. While this has led to the success of many of its attacks, it has caused it to be relatively ‘noisy’ and made it easy to find, monitor and apply counter measures relatively quickly.
While the group has independently developed several new hacking tools, it also uses commercially available ones that are generally used for penetration testing, thus allowing the group to stay under the radar.
ClearSky and Trend Micro say while attacks from the group have been relatively small in terms of implications, unless users wise up to the advancing technologies it is only a matter of time before they cause substantial repercussions.