Don’t be a copycat: TTPs of CopyKittens revealed

The tools, tactics and procedures used by the hacking group CopyKittens are explained in a new in-depth report produced jointly by the cyber-security firms Trend Micro and ClearSky.

Both firms say the group, which has been active since 2013, has increased its activity in support of its political ambitions. It recently targeted government, security and academic institutions and websites in Germany and Turkey, as well as United Nations employees and organisations in Saudi Arabia, Israel and Jordan.

In an incident detailed in the report, members of the German Bundestag were compromised by watering holes positioned within several legitimate websites that were hacked and linked to harmful third-party sites.

Another incident analysed in the report shows how a Turkish diplomatic institution was hacked and used as a cover to launch a massive spear-phishing campaign, with victims receiving a highly targeted message from a legitimate, known source.

CopyKittens, according to the report, is a very persistent group, despite lacking technological sophistication and operational discipline. These characteristics make it relatively noisy, so it is easy to find and monitor, and countermeasures can be applied relatively quickly.

The group has independently developed several new hacking tools. It also uses commercially available tools such as Cobalt Strike and Metasploit, which are generally used for legitimate penetration testing and thus allow the group to stay under the radar.

The extensive report details how its experts gained intimate access to the group's activity, methods, tools and infrastructure. They have shed new light on the operations and priorities of the intelligence organisation operating the group.

"We've been tracking CopyKittens for four years and have become very intimate with its operations," says Boaz Dolev, CEO, ClearSky Cyber Security. "Our analysis gives indications about the group's political motivations. Analysed within this context, these attacks deliver fresh insights," concluded Dolev.