Security firm says it shut down extensive Iranian cyber spy program
A security firm with headquarters in Israel and the United States says it detected and neutralized an extensive cyber espionage program with direct ties to the government of Iran. The firm, called Check Point Software, which has offices in Tel Aviv and California, says it dubbed the cyber espionage program ROCKET KITTEN. In a media statement published on its website on Monday, Check Point claims that the hacker group maintained a high-profile target list of 1,600 individuals. The list reportedly includes members of the Saudi royal family and government, American and European officials, North Atlantic Treaty Organization officers and nuclear scientists working for the government of Israel. The list is said to include even the names of spouses of senior military officials from numerous nations.
News agency Reuters quoted Check Point Software’s research group manager Shahar Tal, who said that his team was able to compromise the ROCKET KITTEN databases and acquire the list of espionage targets maintained by the group. Most targets were from Saudi Arabia, Israel, and the United States, he said, although countries like Turkey and Venezuela were also on the list. Tal told Reuters that the hackers had compromised servers in the United Kingdom, Germany and the Netherlands, and that they were using these and other facilities in Europe to launch attacks on their unsuspecting targets. According to Check Point, the hacker group was under the command of Iran’s Revolutionary Guards Corps, a branch of the Iranian military that is ideologically committed to the defense of the 1979 Islamic Revolution.
Reuters said it contacted the US Federal Bureau of Investigation and Europol, but that both agencies refused comment, as did the Iranian Ministry of Foreign Affairs. However, an unnamed official representing the Shin Bet, Israel’s domestic security agency, said that ROCKET KITTEN “is familiar to us and is being attended to”. The official declined to provide further details. Meanwhile, Check Point said it would issue a detailed report on the subject late on Monday.
*** In part from SCMagazine:
The researchers uncovered more thorough indicators of compromise, along with new malware strains, including a Remote Access Trojan (RAT) the group apparently favored.
Further down the Rocket Kitten rabbit hole, the researchers appeared to identify the mastermind behind the operation, who goes by “Wool3n.H4t,” as Yaser Balaghi.
The company found references to his alias and real name on various developer forums, within the server itself, and eventually, in an online tutorial he posted on SQL injection.
Additionally, a reported resume for Balaghi has listed “designing a phishing system” as ordered by a “cyber-organization.”
Saying technical evidence can be forged, or information be planted, Tal said he backs his company’s findings because of “overwhelming evidence.”
“All evidence fits the same story and same narrative,” he said. “The probability that this is a false lead is extremely nonexistent in my opinion.”
Given that Balaghi resides in Iran, there will likely not be any repercussions or extradition. However, Tal said the findings have been passed along to European and U.S. search bodies, as well as service providers who hosted the malicious servers.
Most infrastructure has been taken down since then, Tal said, and continued, “don’t expect to see them attacking any time soon.”
