Threats Feed
Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran
The Iranian cyber groups Flying Kitten and Rocket Kitten exhibited overlapping tactics in credential theft and spearphishing, targeting entities in sectors like media, education, and technology across the UK, US, and Iran. Using domains that mimicked legitimate services, such as Google and Microsoft, they ran phishing campaigns to harvest user credentials. Their operations involved shared phishing toolkits and malware, including a keylogger, with connections back to Iranian infrastructure. Despite the cessation of Flying Kitten activities post-2014, the group's tools and tactics were resurrected by Rocket Kitten, highlighting the persistent threat posed by these actors.
Thamar Reservoir: Iranian Cyber Campaign Targets Middle East Sectors
Clearsky's "Thamar Reservoir" report details a sustained Iranian cyber-attack campaign targeting over 550 individuals, primarily in the Middle East. The attacks, which began in 2014, used a variety of techniques, including spear-phishing emails with malware, phone calls, and compromised websites to create fake login pages. The attackers were persistent but lacked technical sophistication and made mistakes that aided the investigation. The report concludes that the campaign's targets and methods strongly suggest Iranian state sponsorship, and links it to other known Iranian cyber operations.
Rocket Kitten’s Operation Woolen-GoldFish Targets Israeli and European Organizations
This Trend Micro report details the activities of Rocket Kitten, a cyber threat group targeting Israeli and European organisations. The report focuses on two campaigns: a malware campaign using the GHOLE malware, possibly dating back to 2011, and a suspected state-sponsored operation, 'Operation Woolen-GoldFish', involving spear-phishing attacks. Analysis shows possible links to an individual using the alias "Wool3n.H4t", possibly Iranian, and highlights the group's increasing sophistication despite using relatively simple techniques such as macros. The overall aim is to inform readers of Rocket Kitten's methods and suspected politically motivated objectives, suggesting Iranian involvement.