Introduction
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. [4] [3] [5]
Activities and Tactics
Targeted Sectors: Government, Private sector, Civil society
Country of Origin: 🇮🇷 Iran
Risk Level: High
Incident Type: Espionage
Suspected Victims: Israel, Jordan, Saudi Arabia, Germany, United States
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1560.003 Archive via Custom Method
- T1560.001 Archive via Utility
- T1059.001 PowerShell
- T1090 Proxy
- T1218.011 Rundll32
- T1564.003 Hidden Window
- T1588.002 Tool
- T1553.002 Code Signing
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Arabian-Attacker RAT
- Cyber Eye RAT
- Sky Wyder
MITRE ATT&CK Software
- Cobalt Strike (S0154) — malware
- Empire (S0363) — tool
- TDTESS (S0164) — malware
- Matryoshka (S0167) — malware
Attribution and Evidence
Country of Origin: Iran
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK.
[3] ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
[4] ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017.
[5] Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.