Rocket Kitten or the Rocket Kitten Group is a hacker group thought to be linked to the Iranian government. The threat actor group has targeted organizations and individuals in the Middle East, particularly Israel, Saudi Arabia and Iran, as well as the United States and Europe.
Cybersecurity firm FireEye first identified the group as Ajax Security Team, writing that the group appears to have been formed in 2010 by the hacker personas "Cair3x" and "HUrr!c4nE!". By 2012, the threat actor group had turned its focus to Iran's political opponents. Its targeted attack campaigns, dubbed "Rocket Kitten", have been known since mid-2014. By 2013 or 2014, Rocket Kitten had shifted its focus to malware-based cyberespionage.
Rocket Kitten's code uses Persian language references. The group's targets are involved in defense, diplomacy, international affairs, security, policy research, human rights, and journalism. According to Check Point, the group has targeted Iranian dissidents, the Saudi royal family, Israeli nuclear scientists, and NATO officials. Security researchers found that they carried out a "common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus." Other researchers determined that Rocket Kitten's attacks bore a similarity to those attributed to Iran's Revolutionary Guards. Intelligence officials from the Middle East and Europe linked Rocket Kitten to the Iranian military establishment. Rocket Kitten favours a Remote Access Trojan, and by 2015, researchers found it was using customised malware.
Operation Saffron Rose
Cybersecurity firm FireEye released a report in 2013 finding that Rocket Kitten had conducted several cyberespionage operations against United States defense industrial base companies. The report also detailed the targeting of Iranian citizens who use anti-censorship tools to bypass Iran's Internet filters.
Trend Micro identified the Operation Woolen-Goldfish campaign in a March 2015 paper. The campaign included improved spearphishing content.
In November 2015, operational security errors by Rocket Kitten allowed the firm Check Point to gain password-less root access to "Oyun", the hackers' back-end database. They discovered an application that was able to generate personalized phishing pages and contained a list of over 1,842 individual targets. Among Rocket Kitten's spearphishing targets from June 2014 to June 2015, 18% were from Saudi Arabia, 17% were from the United States, 16% were from Iran, 8% were from the Netherlands, and 5% were from Israel. Analysts used credentials to access keystroke logs of the group's victims and found that Rocket Kitten had apparently tested their malware on their own workstations and failed to erase the logs from the data files. Check Point identified an individual named Yaser Balaghi, going by Wool3n.H4t, as a ringleader of the operation.
In August 2016, researchers identified Rocket Kitten as being behind a hack of Telegram, a cloud-based instant messaging service. The hackers exploited Telegram's reliance on SMS verification, compromising over a dozen accounts and stealing the user IDs and telephone numbers of 15 million Iranians who use the software. Opposition organizations and reformist political activists were among the victims.
- "Rocket Kitten: A Campaign With 9 Lives" (PDF). Check Point. 2015.
- Jones, Sam (26 April 2016). "Cyber warfare: Iran opens a new front". Financial Times.
- "Operation Saffron Rose" (PDF). FireEye. 2013. Retrieved 26 December 2016.
- Menn, Joseph; Torbati, Yeganeh (2 August 2016). "Exclusive: Hackers accessed Telegram messaging accounts in Iran - researchers". Reuters.
- Carman, Ashley (9 November 2015). "Supposed mastermind behind 'Rocket Kitten' APT identified in research paper". SC Magazine US.
- Muncaster, Phil (10 November 2015). "Opsec Blunders Expose Rocket Kitten Masterminds". Infosecurity Magazine.
- "The Spy Kittens Are Back: Rocket Kitten 2". Trend Micro.