Imperial Kitten runs cyberespionage campaigns against Israel

February 27, 2024

The notorious Iran-linked advanced persistent threat group, Imperial Kitten, has ongoing cyberespionage operations against Israeli organisations.

According to reports, these relentless cyber-espionage campaigns started last year and continue to this day. The state-sponsored advanced persistent threat (APT) group linked to Iran, known for many aliases, such as Yellow Liderc, Tortoiseshell, TA456, and Crimson Sandstorm, has set its sights on Israeli transportation, logistics, and technology sectors.

Moreover, a recent investigation claims that this sustained effort by the group has ties with Iran’s Islamic Revolutionary Guard Corps in compromising organisations within Israel.

The primary tactic of the Imperial Kitten APT for its campaigns is watering-hole attacks.

Imperial Kitten employs sophisticated tactics, notably watering-hole attacks characterised by experts as “strategic web compromise.” The group commonly breaches legitimate websites, redirecting unsuspecting visitors to attacker-controlled domains designed for phishing personal information and credentials.

These compromised sites, primarily Israeli, serve as channels for exfiltrating sensitive data to a hardcoded domain, facilitating the following stages of the targeted attacks.

According to investigations, the APT group prioritises IT service providers as targets, using strategic web compromise to exfiltrate data. In addition to watering holes, Imperial Kitten delivers malware to victims through phishing email campaigns that carry malicious Microsoft Excel documents.

In this multi-layered approach, the group deploys scanning tools, uses stolen VPN credentials, and exploits vulnerabilities to gain initial access. Once inside, Imperial Kitten uses PAExec to move laterally within compromised networks. The group’s arsenal includes both custom and open-source malware for efficient data exfiltration.

Imperial Kitten is suspected of operating on behalf of Iran’s Islamic Revolutionary Guard Corps, which marks the group as a state-sponsored actor. The motives behind this extensive cyber-espionage campaign appear to centre on gaining a foothold in critical sectors, including transportation, logistics, and technology, raising concerns about potential geopolitical conflicts.

The Imperial Kitten APT’s prolonged cyberattacks on Israeli industries show the growing sophistication of state-sponsored cyber threats. Israeli organisations should employ more robust cybersecurity measures to remain one step ahead of this continued assault from Iranian state-sponsored threat groups.
