Hackers target the German Bundestag and Turkish diplomats
July 25, 2017
Security researchers have exposed a hacking group that has targeted the German Bundestag and Turkish diplomats in a long-running espionage campaign.
The group, tracked as 'CopyKittens', has attacked several German government departments, security and academic institutions, numerous websites in Germany and Turkey, and some United Nations employees.
But CopyKittens have been around for the past four years. They also targeted various organizations in Saudi Arabia, Israel and Jordan since mid-2013.
Government institutions, defence companies, sub-contractors and large IT companies are among the group's most frequent targets, the researchers said.
A report on the group, co-authored by ClearSky, an Israeli cyber-intelligence firm, and Trend Micro, describes how members of the German Bundestag were compromised by a 'watering hole' attack run by the group.
In a similar case, a malicious email was sent from a breached account belonging to an employee of the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus; the attackers leveraged the recipients' trust in the apparent sender in a bid to infect multiple targets in other government organizations worldwide.
In another related security incident, a document likely stolen from the Turkish Ministry of Foreign affairs was used as a decoy.
Embassies in Israel have also been targeted by the group, as have foreign embassies outside Israel. Fake Facebook profiles (some active for years) have been used to spread malicious links and build trust with targets.
Other tactics included breaking into exposed webmail accounts. The group has also developed its own bespoke tools, including TDTESS, a backdoor; Vminst, a lateral movement tool; and NetSrv, a Cobalt Strike loader.
CopyKittens also uses Matryoshka v1, a self-developed remote access trojan that has been in use since at least March of this year, and makes some use of commercially available penetration-testing tools such as Cobalt Strike and Metasploit.
"You need to be aware that CopyKittens is very persistent, despite lacking technological sophistication and operational discipline," according to ClearSky. "However, those characteristics cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly."
Previous research on CopyKittens, published last month, also criticized the group's sloppy operational security (OpSec), among other shortcomings.
The group is aggressive and appears to be escalating its tactics. Neither ClearSky nor Trend Micro speculates about who is behind CopyKittens; based on the choice of targets and the group's social media activity, Iran, Russia or China have each been suggested as possible sponsors, depending on who you ask.
Source: ClearSky and Trend Micro.