 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
APT group: CopyKittens, Slayer Kitten| Names | CopyKittens (Trend Micro) Slayer Kitten (CrowdStrike) | |
| Country |  Iran | |
| Motivation | Information theft and espionage | |
| First seen | 2013 | |
| Description | CopyKittens is an Iranian cyberespionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. | |
| Observed | Sectors: Defense, Education, Government, IT, Media. Countries: Germany, Israel, Jordan, Saudi Arabia, Turkey, USA. | |
| Tools used | Cobalt Strike, EmpireProject, Matryoshka RAT, TDTESS, Vminst, ZPP. | |
| Operations performed | 2013 | Operation “Wilted Tulip” In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip. <https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf> |
| 2015 | CopyKittens has conducted at least three waves of cyber-attacks in the past year. In each of the attacks the infection method was almost identical and included an extraordinary number of stages used to avoid detection. As with other common threat actors, the group relies on social engineering methods to deceive its targets prior to infection. <https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf> | |
| Jan 2017 | Breach of the Israeli newspaper Jerusalem Post As part of our monitoring of Iranian threat agents activities, we have detected that since October 2016 and until the end of January 2017, the Jerusalem Post, as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens. <https://www.clearskysec.com/copykitten-jpost/> | |
| MITRE ATT&CK | <https://attack.mitre.org/groups/G0052/> | |
Last change to this card: 22 April 2020
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |