November 12, 2023 at 10:37AM
Imperial Kitten, a threat actor linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been conducting cyberattacks since at least 2017. Recently, it targeted transportation, logistics, and technology firms with phishing emails carrying malicious attachments. After gaining initial access, the operators moved laterally through the network and communicated with a command and control server using custom malware. In earlier campaigns the group ran watering hole attacks and breached networks using public exploit code, stolen VPN credentials, SQL injection, and phishing. Indicators of compromise have been published by the cybersecurity companies CrowdStrike and PwC.
Meeting Notes Takeaways:
1. The meeting discussed a new cyberattack campaign by a threat actor known as Imperial Kitten (also referred to as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc).
2. Imperial Kitten has been active since at least 2017 and is linked to the Iranian Armed Forces’ Islamic Revolutionary Guard Corps (IRGC).
3. The recent attacks targeted transportation, logistics, and technology firms.
4. Researchers at CrowdStrike discovered these attacks and made the attribution based on infrastructure overlaps, observed tactics, and the use of specific malware.
5. The attacks involved phishing emails with a job recruitment theme and a malicious Microsoft Excel attachment containing macro code.
6. The attacker used publicly available tools rather than custom malware for post-exploitation: PAExec (a PsExec-style remote execution tool) for lateral movement, NetScan for network reconnaissance, and ProcDump to dump process memory and obtain credentials.
7. Communication with the command and control (C2) server was achieved using custom malware called IMAPLoader and StandardKeyboard.
8. CrowdStrike confirmed that the October 2023 attacks specifically targeted Israeli organizations following the Israel-Hamas conflict.
9. Imperial Kitten has previously carried out watering hole attacks and breached networks through public exploit code, stolen VPN credentials, SQL injection, and phishing emails.
10. Both CrowdStrike and PricewaterhouseCoopers (PwC) provide indicators of compromise (IoCs) for malware and the adversary’s infrastructure used in the attacks.
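The two tradecraft points above (a macro-bearing Excel attachment as the lure, and PAExec, NetScan and ProcDump for post-exploitation) each suggest a concrete defensive check. The following is an added example written for this summary; it is not code from CrowdStrike, PwC, or the original page, and it uses only the Python 3 standard library. The first function inspects an OOXML container for a VBA project, which is how macro code is stored in modern Excel files regardless of whether the file is named .xlsm or renamed to .xlsx. The second runs simple detection logic over process-creation records. The "host|user|image|command_line" log layout and every sample file and log line are constructed here for illustration.

```python
"""Added example (not from the original page, CrowdStrike or PwC): two
detection checks for the tradecraft described above. All sample inputs
below are constructed for illustration."""
import io
import re
import zipfile

# --- Check 1: macro-bearing Office attachment (OOXML) -----------------------
# Modern Excel files (.xlsx/.xlsm) are ZIP containers. VBA macro code lives in
# the member xl/vbaProject.bin; a plain .xlsx should not contain it. Attackers
# rename .xlsm to .xlsx, so inspect the container, not the extension.
MACRO_MEMBERS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_project(blob: bytes) -> bool:
    """Return True if an OOXML document carries a VBA project (macro code)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Legacy .xls (OLE2) or not an Office file at all: needs a different
        # parser (e.g. olefile); this check deliberately does not guess.
        return False
    return any(m in names for m in MACRO_MEMBERS)


def build_sample_xlsx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for testing (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed vba blob")
    return buf.getvalue()


# --- Check 2: post-exploitation tooling in process-creation records ---------
# Constructed records shaped like a flattened Windows Security 4688 / Sysmon
# event 1 export: one process creation per line, "host|user|image|command_line".
SUSPECT_TOOLS = {
    "paexec.exe": "remote execution (PAExec)",
    "netscan.exe": "network reconnaissance (NetScan)",
    "procdump.exe": "credential dumping via LSASS (ProcDump)",
}
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def triage_process_log(lines):
    """Return (host, user, reason) tuples for records that match the tooling."""
    hits = []
    for line in lines:
        try:
            host, user, image, cmdline = line.rstrip("\n").split("|", 3)
        except ValueError:
            continue  # malformed record; do not let it abort the whole scan
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reason = SUSPECT_TOOLS.get(exe)
        if reason is None:
            continue
        # ProcDump has legitimate admin uses; escalate only when LSASS is the target.
        if exe == "procdump.exe" and not LSASS_RE.search(cmdline):
            continue
        hits.append((host, user, reason))
    return hits


SAMPLE_LOG = [  # constructed records
    "WS01|CORP\\alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "WS01|CORP\\alice|C:\\Users\\alice\\Downloads\\PAExec.exe|PAExec.exe \\\\FS01 -s cmd.exe",
    "FS01|CORP\\svc_backup|C:\\Tools\\procdump.exe|procdump.exe -accepteula -ma lsass.exe out.dmp",
    "FS01|CORP\\svc_backup|C:\\Tools\\procdump.exe|procdump.exe -ma 4242 app.dmp",
    "WS02|CORP\\bob|C:\\Temp\\netscan.exe|netscan.exe /range:10.0.0.0/24",
]

if __name__ == "__main__":
    print("macro in benign sample:", has_vba_project(build_sample_xlsx(False)))
    print("macro in macro sample: ", has_vba_project(build_sample_xlsx(True)))
    for hit in triage_process_log(SAMPLE_LOG):
        print("ALERT", *hit)
```

Both checks match on names and structure only, so they are a first-pass triage rather than proof of compromise: an attacker can rename PAExec.exe, and a legacy .xls file stores its macros in OLE2 streams that this ZIP-based check never sees. In practice, pair the attachment check with a mail-gateway policy that quarantines any Office attachment carrying a VBA project, and pair the process check with the published CrowdStrike and PwC IoCs for the actual implants.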