Threats Feed | CopyKittens | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 30/03/2017

CopyKittens Targets Israeli Media and Palestinian Healthcare in Watering Hole Attacks

  • Actor Motivations: Sabotage
  • Attack Vectors: Vulnerability Exploitation, Supply Chain Compromise
  • Attack Complexity: Very High
  • Threat Risk: High Impact/Low Probability

Threat Overview

The Iranian threat actor CopyKittens compromised multiple Israeli websites, including the Jerusalem Post, and one Palestinian Authority website between October 2016 and January 2017. The attackers bought access to the servers and inserted a single line of JavaScript into existing libraries. This enabled them to load further malicious JavaScript from a domain they controlled, selectively targeting users based on their IP addresses. The malicious payload was the BeEF Browser Exploitation Framework.

Detected Targets

Type | Description | Confidence

Case: Disabled Veterans IDF Organization (confidence: Verified)
The Disabled Veterans IDF Organization (the Israeli Defense Force Disabled Veterans Organization) was founded in 1949 and became the main body in Israel that provides a full aid envelope for all soldiers, troops and security forces who were injured or fell ill during their service. The Disabled Veterans IDF Organization has been targeted by CopyKittens as the main target.

Case: Maariv (confidence: Verified)
Maariv is a Hebrew-language daily newspaper published in Israel. From Sunday to Thursday it is printed under the Ma'ariv Hashavu'a brand, while the weekend edition, published on Friday, is called Ma'ariv SofHashavu'a. Maariv has been targeted by CopyKittens as the main target.

Case: Palestinian Ministry of Health (confidence: Verified)
The Palestinian Ministry of Health (MOH) is an independent institution committed to the principle of joint work with all stakeholders to improve the health status of the Palestinian people. The Palestinian Ministry of Health has been targeted by CopyKittens as the main target.

Case: Tel Aviv University (confidence: Verified)
Tel Aviv University is a public research university in Tel Aviv, Israel. With over 30,000 students, it is the largest university in the country. Tel Aviv University has been targeted by CopyKittens as the main target.

Case: The Jerusalem Post (confidence: Verified)
The Jerusalem Post is a broadsheet newspaper based in Jerusalem, founded in 1932 during the British Mandate of Palestine by Gershon Agron as The Palestine Post. In 1950 it changed its name to The Jerusalem Post. The Jerusalem Post has been targeted by CopyKittens as the main target.

Sector: Healthcare (confidence: Medium)
Sector: Media (confidence: Medium)
Sector: University (confidence: Verified)
Region: Israel (confidence: Verified)
Region: Palestine (confidence: Verified)

Extracted IOCs

  • 1e100[.]tech
  • 1m100[.]tech
  • ads-youtube[.]online
  • akamaitechnology[.]com
  • alkamaihd[.]net
  • azurewebsites[.]tech
  • broadcast-microsoft[.]tech
  • chromeupdates[.]online
  • cloudmicrosoft[.]net
  • dnsserv[.]host
  • elasticbeanstalk[.]tech
  • fdgdsg[.]xyz
  • jguery[.]net
  • jguery[.]online
  • microsoft-ds[.]com
  • microsoft-security[.]host
  • nameserver[.]win
  • newsfeeds-microsoft[.]press
  • owa-microsoft[.]online
  • primeminister-goverment-techcenter[.]tech
  • qoldenlines[.]net
  • sharepoint-microsoft[.]co
  • ssl-gstatic[.]online
  • trendmicro[.]tech
  • ea-in-f113.1e100.microsoft-security[.]host
  • ea-in-f155.1e100.microsoft-security[.]host
  • is-cdn.edge.g18.dyn.usr-e12-as.akamaitechnology[.]com
  • js.jguery[.]online
  • msnbot-207-46-194.microsoft-security[.]host
  • msnbot-sd7-46-194.microsoft-security[.]host
  • msnbot-sd7-46-cdn.microsoft-security[.]host
  • msnbot-sd7-46-img.microsoft-security[.]host
  • pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube[.]online
  • ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter[.]tech
  • static.dyn-usr.f-login-me.c19.a23.akamaitechnology[.]com
  • static.dyn-usr.g-blc-se.d45.a63.alkamaihd[.]net
  • static.primeminister-goverment-techcenter[.]tech
  • wk-in-f104.1c100.n.microsoft-security[.]host
  • 4a3d93c0a74aaabeb801593741587a02
  • 5e65373a7c6abca7e3f75ce74c6e8143
  • 64c9acc611ef47486ea756aca8e1b3b7
  • 871efc9ecd8a446a7aa06351604a9bf4
  • cf8502b8b67d11fbb0c75ebcf741db15
  • fb775e900872e01f65e606b722719594
  • 185[.]118.65.230
  • 188[.]120.224.198
  • 188[.]120.228.172
  • 188[.]120.242.93
  • 188[.]120.243.11
  • 188[.]120.247.151
  • 212[.]199.61.51
  • 62[.]109.2.109
  • 80[.]179.42.44
  • 86[.]105.18.5
  • hxxp://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube[.]online/winini.exe
  • hxxp://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter[.]tech/%d7%a1%d7%a7%d7%a8%20%d7%a9%d7%a0%d7%aa%d7%99.docx

Tip: 56 IOCs related to this threat have been found (10 IP, 38 domain, 2 URL, 0 email, 6 file hash).
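The watering-hole chain described in the threat overview (one injected line of JavaScript that pulls a second stage from an attacker-controlled domain) leaves traces in proxy, DNS, firewall and antivirus logs, which is where the indicators above are most useful. The script below is an added example and is not code from Certfa Radar or from the original ClearSky reporting: it refangs a subset of the page's IOCs, sorts them by type, and sweeps a handful of constructed sample log lines for hits, matching hostnames that sit beneath a listed parent domain (so a lookup of wk-in-f104.1c100.n.microsoft-security.host is caught by the parent entry) while leaving the near-identical legitimate jQuery CDN alone. The log lines, the inline script tag and the host names in them are constructed for the example; only the indicators are taken from the page.

```python
import re
from ipaddress import ip_address

# Indicators copied from this page's "Extracted IOCs" list, still in the defanged
# form the page publishes them in (a subset of the 56 listed above, for brevity).
PAGE_IOCS = [
    "jguery[.]net",
    "jguery[.]online",
    "js.jguery[.]online",
    "akamaitechnology[.]com",
    "microsoft-security[.]host",
    "ea-in-f113.1e100.microsoft-security[.]host",
    "185[.]118.65.230",
    "212[.]199.61.51",
    "4a3d93c0a74aaabeb801593741587a02",
    "hxxp://pht.is.nlb-deploy.edge-dyn.e11.f20.ads-youtube[.]online/winini.exe",
]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# A dotted hostname token: one or more labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample log lines (not from the page); line numbers are 1-based in the output.
SAMPLE_LINES = [
    # 1: proxy log, a visitor's browser fetching the second stage from the typosquat domain
    "2017-01-12T10:14:03Z 10.0.0.7 GET http://js.jguery.online/jquery.min.js 200 text/javascript",
    # 2: the kind of one-line tag an injected library would carry (constructed)
    '<script type="text/javascript" src="//js.jguery.online/jquery.min.js"></script>',
    # 3: benign request to the real jQuery CDN, one letter away from the IOC; must not match
    "2017-01-12T10:14:04Z 10.0.0.7 GET https://code.jquery.com/jquery-3.1.1.min.js 200 text/javascript",
    # 4: firewall log, outbound connection to a listed address
    "2017-01-12T10:15:00Z fw DENY 10.0.0.7 -> 185.118.65.230:443",
    # 5: DNS log, lookup of a host beneath a listed parent domain
    "2017-01-12T10:15:02Z dns A? wk-in-f104.1c100.n.microsoft-security.host",
    # 6: AV log carrying the MD5 of a quarantined file, in upper case
    "2017-01-13T08:02:11Z av quarantined winini.exe md5=4A3D93C0A74AAABEB801593741587A02",
]


def refang(ioc: str) -> str:
    """Undo the feed's defanging so the value can be compared with real log data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def classify(ioc: str) -> str:
    """Return 'url', 'md5', 'ip' or 'domain' for a refanged indicator."""
    if ioc.startswith(("http://", "https://")):
        return "url"
    if MD5_RE.fullmatch(ioc):
        return "md5"
    try:
        ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(raw):
    """Group indicators by type, refanged and lower-cased for case-insensitive matching."""
    groups = {"url": set(), "md5": set(), "ip": set(), "domain": set()}
    for ioc in raw:
        clean = refang(ioc.strip()).lower()
        groups[classify(clean)].add(clean)
    return groups


def matched_domain(host, domains):
    """Return the most specific IOC domain that host equals or sits beneath, else None."""
    host = host.lower().rstrip(".")
    for d in sorted(domains, key=len, reverse=True):
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_lines(lines, groups):
    """Return (line_number, ioc_type, indicator) for every hit across the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for url in groups["url"]:
            if url in low:
                hits.append((n, "url", url))
        for h in MD5_RE.findall(line):
            if h.lower() in groups["md5"]:
                hits.append((n, "md5", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in groups["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            d = matched_domain(host, groups["domain"])
            if d:
                hits.append((n, "domain", d))
    return hits


if __name__ == "__main__":
    for n, kind, ioc in scan_lines(SAMPLE_LINES, load_iocs(PAGE_IOCS)):
        print(f"line {n}: {kind} hit on {ioc}")
```

Matching on parent domains is what makes the list useful beyond the exact hosts published: the page's own dynamic-looking subdomains (msnbot-*, ea-in-f*, static.dyn-usr.*) change freely under the same registered domains. The IP and hash checks are exact, and the URL check is a plain substring test on the refanged value, so adapt the tokenisers if your logs URL-encode or otherwise transform fields.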

Overlaps

Tortoiseshell: Tortoiseshell Targets Israeli Shipping Sector in Watering Hole Attack

Source: ClearSky - May 2023

Detection (two cases): jguery[.]net, jguery[.]online

CopyKittens: CopyKitten’s Spearphishing Attack on Israeli Ministry of Communications

Source: DomainTools - March 2017

Detection (five cases): 212[.]199.61.51, 86[.]105.18.5, primeminister-goverment-techcenter[.]tech, ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter[.]tech, static.dyn-usr.f-login-me.c19.a23.akamaitechnology[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.