Rocket Kitten 2 – follow-up on Iran originated cyber-attacks

In the past few months ClearSky and Trend Micro have been monitoring  and analyzing the Iranian cyber-attack group known as “Rocket Kitten”. The following report uncovers new attacks performed by the group, its methods and operations.

Rocket Kitten has been operating since at least mid-2014. The group operates against numerous targets in the middle-east including Israelis, Iranian exiles, and enemies of Iran. The targets are researchers and practitioners in the fields of policy, government and international relations, security, defense, journalism, human rights, and others.

The group heavily relies on social engineering, and it is persistent and targeted. Each target is repeatedly attacked using a variety of techniques, such as phone calls, SMS messages, Facebook messages, dedicated phishing websites, and spear phishing.

Our research suggests that the group’s intention is to obtain sensitive information and perform espionage, as they are ideologically motivated.

Previous reports about Rocket Kitten include ClearSky’s Gholee and “Thamar Reservoir“, and  Trend Micro’s Operation Woolen-Goldfish.  Last week Citizen Lab published Two-Factor Authentication Phishing From Iran. The  group was analyzed in a presentation at the Chaos Communication Congress (CCC).

The new joint report – “Rocket Kitten 2” includes incidents from the pass few months, among them one in which the group tried to impersonate a Clearsky analyst and attempted to infect the target by usurping Trend Micro HouseCall.

The report includes the following sections:

  • Rocket Kitten attacker profile
  • The group’s targets and goals
  • Tactics and tools
  • Case studies
  • Safety measures and recommendations

Read the full report: The Kittens Strike Back: Rocket Kitten Continues Attacks on Middle East Targets