Names | Magic Kitten (CrowdStrike) VOYEUR (NSA) | |
Country | Iran | |
Sponsor | State-sponsored | |
Motivation | Information theft and espionage | |
First seen | 2007 | |
Description | (CEIP) In January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber espionage conducted by American intelligence agencies.50 One of them revealed an NSA tactic labeled “fourth party collection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring intelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic Kitten. Magic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct from other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the IRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent dates to 2007, well before other known malware apparently originated, and the threat actor continues to be active. | |
Observed | Countries: Germany, India, Indonesia, Iraq, Lebanon, Netherlands, Pakistan, Qatar, Sweden, Switzerland, Thailand, UAE. | |
Tools used | ||
Information | <https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140> <https://irancybernews.org/magic-kitten-the-oldest-kitten/> |
Last change to this card: 31 December 2022
Download this actor card in PDF or JSON format
Previous: Subgroup: DEV-0270, Nemesis Kitten
Next: MalKamak
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |