TEL AVIV, July 25, (Agencies): A cyber spying group with links to Iran and active for the past four years is targeting countries including Israel, Saudi Arabia, Germany and the United States, security researchers said on Tuesday.
A new report by Tokyo-based Trend Micro and ClearSky of Israel detailed incidents as recently as April of this year involving a group known as “CopyKittens”.
The group targets its victims using relatively simple techniques like creating fake Facebook pages, compromising websites, or sending Microsoft Word attachments laced with malicious code, according to the report.
It was seen impersonating popular media brands like Twitter, YouTube and the BBC, and technology and security firms such as Microsoft, Intel and even Trend Micro.
“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” the researchers said in a statement.
“These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly,” they said.
Iranian officials were not available for comment.
The report itself does not link the group to Iran. As a matter of company policy, Trend Micro research into state-backed attacks focuses on technical evidence and forgoes political analysis.
However, ClearSky researchers told Reuters that CopyKittens was “Iranian government infrastructure,” adding that the use of “kitten” in the industry indicates Iranian hackers, just as “panda” or “bear” refer to Chinese and Russian hackers, respectively.
CopyKittens is distinct from another Iran-based cyber spy group dubbed Rocket Kitten, which since 2014 has mounted cyberattacks on high-profile political and military figures in countries near Iran as well as the United States and Venezuela.
CopyKittens has been operating since at least 2013, according to the report, though its activities were first exposed publicly in November 2015 by ClearSky and Minerva Labs. Earlier this year, ClearSky wrote another paper detailing more hacking incidents that affected some members of Germany’s parliament.
Eyal Sela, head of threat intelligence at ClearSky, said that once an initial hack against a government or commercial target is successful, CopyKittens uses that access to then attack other groups, though it tries to remain very focused.
As recently as late April, the group breached the email account of an employee in the Ministry of Foreign Affairs in Turkish Cypriot-controlled northern Cyprus and then tried to infect multiple targets in other governments, the report said.
Another time it used a document, likely stolen from Turkey’s Foreign Ministry, as a decoy.
Global ransomware attacks soared by over 11 percent in the 12 months to March, Europol reported Tuesday, but specialist tools developed with its partners had helped unlock some 28,000 encrypted devices.
“Ransomware has soared since 2012, with criminals lured by the promise of profit and ease of implementation,” the European police agency said in a statement.
According to a report by cybersecurity specialists Kaspersky Lab, the “total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4 percent compared to the previous 12 months, from 2,315,931 to 2,581,026 users around the world”.
Europol and Kaspersky joined forces with the Dutch police and others a year ago to establish the “No More Ransom” initiative, just months before a couple of high-profile cyberattacks made headlines.
In May the WannaCry attack claimed more than 300,000 business victims across 150 countries in its first few days, Europol said.
The attack, using a type of malware that encrypts files on an infected computer and demands money to unlock them, crippled “critical infrastructure and businesses,” Europol said.
Then last month similar attacks hit Europe and North America, and were revealed to be an updated version of a malware called Petya.
“Some organisations are still struggling to recover from ExPetya attacks of 27 June,” the police agency said.
Europol has now posted some 54 decryption tools, provided by nine partners, on the “No More Ransom” website. These tools have helped “decrypt more than 28,000 devices, depriving cybercriminals of an estimated eight million euros in ransoms”.
More than 100 partners, including Barclays bank and the Cyber Security Agency of Singapore, have joined the “No More Ransom” initiative.
The website is now available in 26 languages, including Bulgarian, Chinese, Malay, Tamil and Thai.
Europol repeated its warning that security updates should be applied to all computer systems.
“If you do become a victim, it is important not to pay the ransom,” it warned, urging victims to call in the police.