First Published: 2017-08-13

Investigation uncovers Iran-backed cyber-espionage group in MENA region
CopyKittens’ activities mostly centred on espionage of strategic targets, particularly Saudi Arabia, Jordan, Turkey, Israel, Germany and the United States.
Middle East Online

By Mohammed Alkhereiji - LONDON

The Iran-backed cyber-espionage group CopyKittens has increased activities, launching attacks on governments, defence companies and academic institutions in support of Tehran’s political agenda, a report said.

An investigative study by Israeli firm ClearSky Cybersecurity and Trend Micro called Operation Wilted Tulip traced CopyKittens’ activities to 2013, shedding light on its work patterns and possible motivations.

The report revealed that CopyKittens’ activities mostly centred on espionage of strategic targets, particularly Saudi Arabia, Jordan, Turkey, Israel, Germany and the United States.

The group extracted information from government organisations, academic institutions, online news sites and NGOs with the objective of gathering “as much information and data from target organisations as possible,” the report said.

CopyKittens used rudimentary techniques, such as phishing, malicious e-mail attachments and, more recently, watering hole attacks to gather information.

“It’s more that the methods they are using are efficient. They are getting out the data that they need to,” said Robert McArdle, director of research at Trend Micro, adding that the group’s lack of refinement makes it relatively easy to track CopyKittens’ activities compared to more sophisticated campaigns that could go on for years without being detected.

McArdle said CopyKittens’ methods are of the more traditional variety, using exploits to take advantage of out-of-date systems, so if the user is missing updates or patches, an automatic infection is more likely. A lot of the group’s attacks go after the most vulnerable parts of any organisation — humans.

“In any computer network security chain, the weakest link is always the human element,” said Iyad Barakat, a London-based digital analyst.

“Groups more sophisticated than CopyKittens will try to target the human element in the chain, using techniques like a watering hole attack to simply extract passwords because these methods save them time, effort and usually have a higher success rate than the more sophisticated ones.”

McArdle said an effective method to gain the human element’s trust is a social engineering campaign, which uses a number of psychological tricks to get the information needed to access a computer network.

“Social engineering is relatively quick and easy to do in terms of setting up fake e-mail accounts or fake Facebook accounts or whichever social networking profile you are going with,” McArdle said, adding that effort is required to manage these resources and accounts.

Social engineering can’t be stopped with traditional protection methods, said David Emm, principal security researcher at Kaspersky Lab.

“Social engineering works and even if businesses have the right protection, without the right staff education they can fall victim,” Emm said. “Awareness is low in the Middle East as generally Western businesses have had longer to grapple with such issues.”

One effective trick that CopyKittens used, McArdle said, is reaching important targets through other compromised accounts. Once CopyKittens gained access to an e-mail account in an organisation, it would not immediately try to take over higher-level targets in the company but log on and wait for a natural conversation to start between the person whose account it controls and the target. It might then reply to an e-mail thread, saying: “You might want to open this link.”

During the Gulf Information Security Expo and Conference in May in Dubai, experts urged more cybersecurity cooperation between countries in the Gulf Cooperation Council. The Middle East cyber-security market is projected to grow to $22.14 billion by 2022, with Saudi Arabia expected to contribute the largest share.

Mohammed Alkhereiji is the Arab Weekly’s Gulf section editor.

This article was originally published in The Arab Weekly.

