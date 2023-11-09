CrowdStrike reveals details of cyberattacks targeting Israeli citizens and organizations, originating from Imperial Kitten, an APT (Advanced Persistent Threat) group with ties to Iran. (Image: Getty)

There is certainly no dearth of cyber criminals and threat actors in the world, but some cyber adversaries stand out for their tenacity and skill. One such actor is “Imperial Kitten”, a cyber adversary with alleged ties to Iran. Recent insights from CrowdStrike shed light on the group’s latest efforts, especially following tensions between Israel and Hamas.

Let’s dig a little deeper into who Imperial Kitten (also known as Tortoiseshell or TA456) is and what they’ve been up to lately.

Who Is Imperial Kitten?

Active since at least 2017, Imperial Kitten is believed to be linked to the Islamic Revolutionary Guard Corps (IRGC) and to serve Iranian strategic intelligence needs. The group's standard gameplan is characterized by custom .NET-based implants and a particular penchant for social engineering, typically aimed at individuals working in defense, technology, telecommunications, energy and other sectors of intelligence interest. The lures are often job-recruitment themed.

Recent Activities

In the wake of the terrorist attack by Hamas on October 7 and the ongoing Israel-Hamas conflict, CrowdStrike's Counter Adversary Operations team has revealed cyberattacks by Imperial Kitten specifically targeting Israeli organizations in the transportation, logistics, and technology sectors.

The activity ranged from using public scanning tools and exploiting vulnerabilities for initial access to using email, and even Discord, a popular messaging platform, as command and control (C2) channels. Routing C2 traffic over ordinary mail and chat services is deliberate: it blends in with legitimate traffic that most organizations allow out of the network without a second look.

Toolkit

Imperial Kitten's arsenal is both diverse and insidious. CrowdStrike identified several malware samples associated with the group's recent activity:

IMAPLoader: uses email (IMAP) for command and control.

StandardKeyboard: a malware family that shares similarities with IMAPLoader.

Discord-based malware: leverages the popular communication platform for C2.

Python reverse shell: delivered through macro-enabled Excel documents.

Modus Operandi

Imperial Kitten's strategy reveals a deliberate approach to cyber espionage. Its strategic web compromise (SWC) operations, also known as watering-hole attacks, involve compromising legitimate-looking websites that the intended victims are likely to visit, so that the targets infect themselves without ever receiving a suspicious email. While widespread, indiscriminate cyberattacks are common, this group typically does not use a spray-and-pray approach. It is precise, targeted and effective.

What's at Stake?

Why so much focus on Israeli organizations? The answer probably lies in geopolitical tensions and the intelligence that can be obtained from these regions – information that can potentially serve national interests and strategies.

The Bigger Picture

Particularly noteworthy is the continued evolution of Imperial Kitten’s strategies. Their use of new malware families and adaptation to using mainstream communications platforms for command and control suggests a group that is innovative, resourceful, and not afraid to venture into new technological territory.

Threat Assessment

CrowdStrike’s findings, although reported with moderate confidence, underscore an important trend: the continued targeting of Israeli entities. The overlap with previously known malware, the specific areas under attack, and the tactics employed paint a picture of an adversary that is persistent and adapting.

"Congratulations to CrowdStrike for publishing a detailed report with IOCs (indicators of compromise) on this campaign," said Richard Stiennon, principal research analyst at IT-Harvest and author of the Security Yearbook 2023. In a copycat or false-flag operation, it is invaluable for potential targets to know what to look for.

The Puzzle of Low Confidence

While CrowdStrike's assessment is thorough, the company admits to low confidence regarding the initial access and post-exploitation methods attributed to Imperial Kitten. This caution arises from the nature of single-source reporting, which, without corroboration, remains a piece of a larger, still uncertain puzzle.

A blog post from CrowdStrike states that their attribution is based on:

Continued use of previously reported SWC infrastructure

Continued use of email-based C2 and of Yandex email addresses

Overlaps between IMAPLoader and the industry-reported SugarDump malware family that targeted Israel-based transportation sector organizations in 2022

Continued focus on targeting Israeli organizations in the transportation, maritime, and technology sectors, consistent with the adversary's target scope

Use of job recruitment-themed lure content in their malware operations
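The report's value to defenders is in what to look for. The following added example (not from the CrowdStrike report or the article) turns the three channels named on this page, email-based C2 over IMAP with free webmail accounts, Discord-based C2, and a Python reverse shell launched from a macro-enabled Excel document, into simple detection rules run over constructed endpoint telemetry. The event format, process names, hostnames and port numbers are assumptions made for the example; they are not indicators from the report.

```python
"""
Toy detection rules for the C2 and delivery patterns described in the article.
Telemetry shape, process allowlists and hostnames are assumptions for this
example, not indicators of compromise from the CrowdStrike report.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    """One endpoint telemetry record: a process start or a network connection."""
    process: str                       # image name of the acting process
    parent: str                        # image name of its parent process
    dest_host: Optional[str] = None    # remote host, for network events only
    dest_port: Optional[int] = None    # remote port, for network events only


IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}            # assumed allowlist
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe"}
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_LIKE = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe"}
# Assumed hint: the report cites Yandex addresses but this example picks the host.
WEBMAIL_HINTS = ("yandex",)

Finding = Tuple[str, str, str]   # (severity, rule id, description)


def _in_domain(host: str, domains) -> bool:
    """True when host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def detect(events: List[Event]) -> List[Finding]:
    """Apply the three rules to every event and return the findings in order."""
    findings: List[Finding] = []
    for e in events:
        proc = e.process.lower()
        parent = e.parent.lower()
        host = (e.dest_host or "").lower()

        # Rule 1: IMAP traffic from anything other than a known mail client.
        # Webmail providers raise the severity, as the report ties C2 to such accounts.
        if e.dest_port in IMAP_PORTS and proc not in MAIL_CLIENTS:
            sev = "high" if any(h in host for h in WEBMAIL_HINTS) else "medium"
            findings.append((sev, "imap-c2", f"{e.process} -> {host}:{e.dest_port}"))

        # Rule 2: Discord traffic from a process that is not a browser or the Discord client.
        if host and _in_domain(host, DISCORD_DOMAINS) and proc not in BROWSERS:
            findings.append(("high", "discord-c2", f"{e.process} -> {host}"))

        # Rule 3: an Office application spawning an interpreter or shell,
        # the footprint of a macro launching a reverse shell.
        if parent in OFFICE_APPS and proc in SHELL_LIKE:
            findings.append(("high", "office-spawn", f"{e.parent} spawned {e.process}"))
    return findings


# Constructed sample telemetry: two benign and three suspicious records, plus one decoy.
SAMPLE_EVENTS = [
    Event("outlook.exe", "explorer.exe", "imap.example-corp.com", 993),  # benign mail client
    Event("update.exe", "explorer.exe", "imap.yandex.com", 993),        # IMAP from an unknown binary
    Event("chrome.exe", "explorer.exe", "discord.com", 443),            # benign browser traffic
    Event("updater.exe", "explorer.exe", "gateway.discord.gg", 443),    # Discord from an unknown binary
    Event("python.exe", "excel.exe"),                                   # Excel spawned Python
    Event("python.exe", "code.exe"),                                    # IDE spawned Python, benign
]


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The rules are deliberately narrow. Allowlisting mail clients and browsers keeps the IMAP and Discord rules quiet on ordinary workstations, and the Office-parent rule catches the macro-to-interpreter step regardless of which interpreter the document drops. In production the process allowlists would come from your own baseline rather than the constants above.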

Takeaway

Organizations, especially those within Imperial Kitten's targeting scope, should remain on high alert. The group's activities are a reminder of the current need for strong cyber security measures and the importance of constant vigilance in an increasingly interconnected world.

Threat actors like Imperial Kitten operate with dangerous sophistication. As they refine their techniques and expand their toolset, the line between digital espionage and full-blown cyber warfare is becoming blurred.

For entities like CrowdStrike, and the organizations they protect, staying one step ahead in this digital chess game isn’t just a goal – it’s an imperative.