
New report details exploits of notorious cyberespionage group with EMEA targets

31 Jul 17

ClearSky and Trend Micro have released a new report that details the movements of a notorious cyberespionage group.

Known as CopyKittens, the group appears to be politically motivated and has increasingly pursued espionage against strategic foreign targets.

Its main targets are in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany. Individuals in other countries, as well as UN employees, are occasionally targeted too.

The group has been active since 2013. Targeted organisations include government institutions (such as ministries of foreign affairs), academic institutions, defence companies, municipal authorities, sub-contractors of the Ministry of Defense and large IT companies.

"We've been tracking CopyKittens for four years and have become very intimate with its operations," says Boaz Dolev, CEO at ClearSky Cyber Security.

"Our analysis gives indications about the group's political motivations. Analysed within this context, these attacks deliver fresh insights."

According to ClearSky and Trend Micro, the group's main method of attack is to compromise online news outlets and other legitimate websites and turn them into watering holes: sites the intended victims are known to visit are made to serve malicious content, so the victims infect themselves simply by browsing as usual.

In one incident detailed in the report, members of the German Bundestag were compromised through watering holes planted on several legitimate websites that had been hacked and altered to load content from harmful third-party sites.
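The report describes compromised legitimate sites that were "linked to harmful third-party sites". One practical check for that pattern is to inventory every external resource a page pulls in (scripts, frames, stylesheets, objects) and flag any whose host is neither the site's own nor on an allowlist of expected providers. The following is an added example, not code from the report or from ClearSky or Trend Micro; the sample page, the site name `news.example.org`, the CDN `cdn.example.net` and the stand-in injected host `stats.attacker.invalid` are all constructed for illustration.

```python
"""Inventory third-party resource references in an HTML page and flag those
that are not on an allowlist. Standard library only; the sample page below is
constructed for this example and the hosts in it are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# For each tag that pulls in remote content, the attribute carrying the URL.
REFERENCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "frame": "src",
    "embed": "src",
    "object": "data",
    "link": "href",
}


class ReferenceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every element that loads external content."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.references = []

    def handle_starttag(self, tag, attrs):
        attr_name = REFERENCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return
        # Resolve relative ("/x.js") and protocol-relative ("//host/x.js") URLs
        # against the page URL so every reference has an explicit host.
        self.references.append((tag, urljoin(self.base_url, value.strip())))


def external_references(html, base_url):
    """Return all (tag, url) references found in the page, in document order."""
    parser = ReferenceCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.references


def _allowed(host, allowed_hosts):
    # Entries are exact hosts ("cdn.example.net") or dot-prefixed suffixes
    # (".example.org") that match the domain itself and any subdomain.
    for entry in allowed_hosts:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def unexpected_references(html, base_url, allowed_hosts):
    """Return (tag, url, reason) for references that do not belong on the page:
    non-http(s) schemes such as javascript: or data:, and hosts that are
    neither the page's own host nor allowlisted."""
    own_host = urlsplit(base_url).hostname
    findings = []
    for tag, url in external_references(html, base_url):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            findings.append((tag, url, "non-http scheme"))
            continue
        host = parts.hostname or ""
        if host == own_host or _allowed(host, allowed_hosts):
            continue
        findings.append((tag, url, "host not allowlisted"))
    return findings


# Constructed sample: a news page with two legitimate includes plus three
# injected elements standing in for a watering-hole loader.
PAGE_URL = "https://news.example.org/politics/article.html"
ALLOWED_HOSTS = {"cdn.example.net", ".example.org"}
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="//static.news.example.org/app.js"></script>
</head><body>
<p>Headline</p>
<!-- constructed stand-in for injected watering-hole content -->
<script src="https://stats.attacker.invalid/count.js"></script>
<iframe src="https://stats.attacker.invalid/frame.html" width="1" height="1"></iframe>
<iframe src="javascript:void(0)"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, reason in unexpected_references(SAMPLE_PAGE, PAGE_URL, ALLOWED_HOSTS):
        print(f"{reason}: <{tag}> {url}")
```

Run against a fresh fetch of each page in a site's sitemap, the three injected elements above are reported while the first-party stylesheet, the allowlisted CDN script and the subdomain script are not. The check is deliberately narrow: it catches new references to unexpected hosts, which is the pattern the report describes, but not an injected inline script or a compromise of an allowlisted provider, so in practice it is paired with a baseline of the site's own script hashes and a diff of the reference inventory over time.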

In another example, a malicious email was sent from the breached account of an employee in the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus to launch a large spear-phishing campaign: recipients received a highly targeted message from a legitimate, known sender, with the aim of infecting multiple targets in other government organisations around the world.

In a different case, a document likely stolen from the Turkish Ministry of Foreign Affairs was used as a decoy in an attack intended to cripple government infrastructure.

ClearSky and Trend Micro highlight one trait of the CopyKittens group that is both a strength and a weakness.

The group is extremely persistent, despite generally lacking technical sophistication and operational discipline. Persistence has made many of its attacks succeed, but the lack of discipline makes the group relatively 'noisy', so it is easy to find, monitor and counter relatively quickly.

While the group has independently developed several new hacking tools, it also uses commercially available tools generally used for penetration testing, which makes its activity harder to distinguish from legitimate security testing.

ClearSky and Trend Micro say that while the group's attacks have so far had relatively limited impact, unless potential targets become more alert to its evolving tooling it is only a matter of time before they cause substantial damage.
