(JNi.media) A new group of hackers operating in the Middle East and attacking major Israeli targets has recently been exposed, Israel’s ClearSky and Minerva Labs revealed this week.
A joint report issued by the two companies describes a new Middle-Eastern cyber attack group, dubbed “CopyKittens” by the researchers, which used malware to attack organizations in Israel and elsewhere in the region. CopyKittens is estimated to have attacked dozens of targets, including Israeli government ministries, senior Israeli diplomats posted in Europe, public organizations, and leading academic researchers who specialize in the Middle East. The report does not reveal the identity of the attackers, but pc.co.il has learned that they are presumed to be Iranian, based on their targets and modus operandi.
According to the report, CopyKittens has been active since at least mid-2014 and operates in a focused manner against targets in Israel and the Middle East. The group typically gathers information about a target first and then uses spear phishing to plant malware on the targeted computers. The companies’ joint research indicates a high probability that the group’s activities serve espionage and intelligence gathering. According to the report, the hackers rely on human weakness and social engineering for the initial infection.
According to the ClearSky and Minerva researchers, one of the group’s distinguishing characteristics is its proprietary malware, known as “Babushka.” The malware resides only in the computer’s memory and does not write files to the hard disk. It communicates with the group’s command and control servers, and exfiltrates the data it has collected, through DNS queries. The report details the malware’s unique interaction with the group’s command and control servers, and notes that each component of the malware contains a further component that depends on the previous one, like a Babushka doll.
The group assembled its malware partly by reusing and copying code from websites and groups that publish open-source code; hence the nickname CopyKittens.
The group’s level of sophistication, according to the Israeli researchers’ assessment, is moderate to good, and it improves with every new campaign. Their malware is unique, the researchers noted: “They are using DNS queries for the purpose of monitoring and control, as well as to leak information — which is a rare behavior.” The advantage of this approach is that most defense systems deployed today by major organizations do not monitor DNS queries.
In their recommendations the authors write that “It’s required that companies and organizations in Israel strengthen the monitoring of their DNS servers.”
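The recommendation above to monitor DNS servers can be put into practice with detection logic over query logs. The following is an added example, not code from the ClearSky/Minerva report or from this article: it scores constructed DNS query log lines (a simplified timestamp/client/qname layout with placeholder domain names) and flags domains whose subdomains look like encoded data, the pattern DNS-based exfiltration leaves behind.

```python
import math
from collections import defaultdict

# Constructed sample log (not real CopyKittens traffic; domains are placeholders).
# Layout: "<timestamp> <client ip> <queried name>", one query per line.
SAMPLE_LOG = """\
2015-11-20T08:00:01Z 10.0.0.5 www.example.com
2015-11-20T08:00:02Z 10.0.0.5 mail.example.com
2015-11-20T08:00:03Z 10.0.0.6 vpn.example.com
2015-11-20T08:00:04Z 10.0.0.7 cdn.example.com
2015-11-20T08:00:05Z 10.0.0.9 4a6f686e20446f65.c2-placeholder.test
2015-11-20T08:00:06Z 10.0.0.9 7061737377643a4141.c2-placeholder.test
2015-11-20T08:00:07Z 10.0.0.9 3132372e302e302e31.c2-placeholder.test
2015-11-20T08:00:08Z 10.0.0.9 6b65796c6f6767657264617461.c2-placeholder.test
2015-11-20T08:00:09Z 10.0.0.9 73656372657466696c65.c2-placeholder.test
"""

def shannon_entropy(s):
    """Bits per character; hex/base32 payloads score higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def registered_domain(qname):
    """Crude last-two-labels split; a real deployment should use a public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_suspicious_domains(log_text, min_unique=4, min_label=12, min_entropy=2.3):
    """Group queries by registered domain; flag domains whose subdomains are
    numerous, long and high-entropy, i.e. look like encoded chunks of data."""
    subs_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        qname = parts[2].lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        if sub:
            subs_by_domain[dom].add(sub)
    flagged = {}
    for dom, subs in subs_by_domain.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_label and avg_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(subs),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    print(flag_suspicious_domains(SAMPLE_LOG))
```

The thresholds are starting points; tune them against a baseline of the organization's own resolver logs, since CDNs and some security products also generate long, random-looking labels.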
The report ends with the remark that “the objective of the hackers is to steal information, but their identity is in doubt, as well as who is financing them. This is not the last time we’ll be hearing about them: they improve their attack performance and are expected to hit in the future.”