A group of Iranian hackers tried over the last two years to spy on Israeli physicists and nuclear scientists, as well as after other senior people in academic institutions, the defense establishment and the business world, as part of the group’s worldwide cyberattacks. This was revealed yesterday by Israeli software provider Check Point. Following this revelation, authorities in Britain, Germany and Holland took down the platform used by the group in its hacking ventures.
- Report: Amid claims of Israeli cyberespionage, Iran mulls smartphone ban for officials
- What prompted Israeli warning about pending cyber attack?
Check Point managed to get into the server the group used in its phishing (deceitful) attempts to obtain personal information. It then compiled a list of more than 1,600 targets the hackers had tracked, managing to uncover the identity of an Iranian computer engineer who was involved in the group’s actions. Various security analysts are convinced that the group worked for Iran.
According to the report, first published by Reuters, the group, which had been uncovered previously, also targeted human rights activists in the Arab world, diplomats in countries such as Saudi Arabia — where they operated against royal family members — Afghanistan, the United Emirates, Iraq and even some commercial agencies in Venezuela, a country with close links to Iran. In some cases the hackers tried to reach their targets through family members.
From analysis performed by Check Point on the server storing the phishing sites created by the hackers, it turns out that most of the cyberattacks were directed at Saudi Arabia (18 percent) with 17 percent targeting the United States. Close behind was traffic within Iran (16 percent), including the hackers themselves checking their work. Following these were Holland and Israel, with 8 percent and 5 percent of the cyberattacks, respectively. Closing the list were Georgia (4 percent) and Turkey (3 percent).
“We don’t have full information on the degree of their success, but over a year of cyberattacks we know that they had a 26 percent success rate in phishing expeditions” says Shahar Tal, the head of a team responsible for Threat Intelligence and Research at Check Point.
The group of hackers, nicknamed Rocket Kitten, was uncovered on several occasions by security firms such as Trend Micro and by Israeli security experts such as Gadi Evron and others. Thus, last June the Israeli company ClearSky Consulting and Intelligence Services found that this group was following Israeli academics dealing in defense matters or in research on Iran. One such target was Dr. Tamar Eilam Gindin, a research fellow at the Ezri Center for Iran and the Persian Gulf at Haifa University. She told Haaretz in the past that hacking attempts against her had begun after she had said in an interview that she maintains online links with Iranian citizens.
ClearSky has written in the past that the favorite method used by the Iranian group seems to be “spear-phishing,” namely a focused effort to extract passwords and other information from senior personnel at target organizations, whether through emails or by other methods such as phone calls. The group used different software for their cyberattacks, such as off-the-shelf software like Metasploit, a platform used by security analysts for performing tests of break-ins, or software they had written on their own. They employed this software from servers located in Germany, Holland, Britain, the United States and Saudi Arabia. Analysts believe that Internet providers whose servers were used were not linked in any way to the hackers.
Check Point started investigating Rocket Kitten after one of its customers was hacked. The company explained that during its investigation they identified an attack server, allowing them to compile a list of targets the group went after. Investigators were surprised to find that the hackers kept open the software they used to manage their servers. Investigators managed to easily use these servers after obtaining permission from providers. The passwords of the network’s operators were also kept in an insecure fashion, allowing investigators to uncover them. The passwords of their victims had not even been encrypted.
“In terms of securing information this was very amateurish,” says Tal. “The cryptography was weak to nonexistent, allowing the discovery of the original passwords.” The software they wrote on their own didn’t impress him either. “The tools and techniques they used were very limited in comparison to their counterparts in the West. But it worked. ... It looks like they took a group of young hackers and told them, ‘Come work here instead of breaking into Israeli coupon sites.’”
Gang that couldn't hack straight
They give numerous examples in their report. A funny incident occurred when the hackers managed to infect one of their own computers with a virus they had developed. A preliminary trial was so successful that they couldn’t remove their own virus files. This allowed Check Point researchers to follow one of the hackers, with the help of the hacker’s own keylogging software (which follows all of a computer’s operations). Using this, they found that the hacker, Yasser Balagi, has an aol email with the password 123456756.
Balagi’s resumé showed that he graduated from a computer sciences program at the Islamic Azad University, then serving as the head of a team developing software, followed by a term as the head of “security and (legal and ethical) hacking.” He mentions that he developed a system for conducting phishing expeditions, ordered by a “cyber organization.” “We can continue, but the key lesson of this chapter is that if you don’t want people to know that you created malware for the government, don’t put it in your resumé,” says Check Point’s report.
Despite the professional criticism of the hackers’ talents, the writers of the report don’t dismiss their actions. “Cyber espionage is no longer reserved for organizations with monstrous budgets that enable them to hire thousands of cyber warriors, employ clusters of super-computers to break codes or to engage in advanced research to infect the firmware in your hard disk,” they write. “In this case, as in others, one can assume that an official body hired local hackers and diverted them from corrupting websites to focused espionage on behalf of the state. As in many cases with inexperienced teams, their limited training was evident in their lack of security awareness, leaving abundant evidence that led to the source of the attacks and the real identities of the hackers.” However, even their detection did not make them desist, although they stopped for a short period over the summer, right after their detection.
The Shin Bet security service told Haaretz that it is aware of the attacks and is taking appropriate measures. Reuters reported that Europol and the FBI refused to comment on the report.