A new report on the group known as “CopyKittens” details its increased activity in support of its political ambitions.
The report is co-authored by Israeli cyber-intelligence company ClearSky and Trend Micro.
CopyKittens, which has been active since 2013, recently targeted government, security and academic institutions, and websites in Germany and Turkey as well as United Nations’ employees and organisations in Saudi Arabia, Israel and Jordan.
In an incident detailed in the report, members of the German Bundestag were compromised by watering holes positioned within several legitimate websites that were hacked and linked to harmful third-party sites.
Another incident cited explains how a Turkish diplomatic institution was hacked and used as a cover to launch a massive spear phishing campaign, with victims receiving a highly targeted message from a legitimate, known source.
CopyKittens is very persistent, despite lacking technological sophistication and operational discipline. These characteristics, however, make it relatively noisy, so it is easy to find and monitor, and countermeasures can be applied relatively quickly.
The group has independently developed several new hacking tools. It also uses commercially available hacking tools such as Cobalt Strike and Metasploit, which are generally used for penetration testing and thus allow it to stay under the radar.
The extensive report details how its experts gained intimate access to the group’s activity, methods, tools and infrastructure. They have shed new light on the operations and priorities of the intelligence organisation operating the group.
“We’ve been tracking CopyKittens for four years and have become very intimate with its operations,” says Boaz Dolev, CEO of ClearSky Cyber Security. “Our analysis gives indications about the group’s political motivations. Analyzed within this context, these attacks deliver fresh insights.”