Threats Feed | Rocket Kitten | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 03/06/2015

Thamar Reservoir: Iranian Cyber Campaign Targets Middle East Sectors

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Keylogger, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

Clearsky's "Thamar Reservoir" report details a sustained Iranian cyber-attack campaign targeting over 550 individuals, primarily in the Middle East. The attacks, which began in 2014, used a variety of techniques, including spear-phishing emails with malware, phone calls, and compromised websites to create fake login pages. The attackers were persistent but lacked technical sophistication and made mistakes that aided the investigation. The report concludes that the campaign's targets and methods strongly suggest Iranian state sponsorship, and links it to other known Iranian cyber operations.

Detected Targets

Type    Description             Confidence
Sector  Defense                 Verified
Sector  Human Rights            Verified
Sector  Journalists             Verified
Sector  Researchers             Verified
Region  Afghanistan             Verified
Region  Canada                  Verified
Region  Egypt                   Verified
Region  Iran                    Verified
Region  Iraq                    Verified
Region  Israel                  Verified
Region  Jordan                  Verified
Region  Kuwait                  Verified
Region  Morocco                 Verified
Region  Pakistan                Verified
Region  Saudi Arabia            Verified
Region  Spain                   Verified
Region  Syria                   Verified
Region  Turkey                  Verified
Region  United Arab Emirates    Verified
Region  United Kingdom          Verified
Region  Venezuela               Verified
Region  Yemen                   Verified
Region  Middle East Countries   High

Extracted IOCs

  • drive-google[.]co
  • drives-google[.]co
  • gfimail[.]us
  • google-setting[.]com
  • google-verify[.]com
  • login-users[.]com
  • mail-verify[.]com
  • qooqle[.]co
  • video.qooqle[.]co
  • saeed.kn2003@gmail[.]com
  • 55ff220e38556ff902528ac984fc72dc
  • 60f5bc820cf38e78b51e1e20fed290b5
  • b4790618672197cab31681994bbc10a4
  • 476489f75fed479f19bac02c79ce1befc62a6633
  • b67572a18282e79974dc61fffb8ca3d0f4fca1b0
  • d5b2b30fe2d4759c199e3659d561a50f88a7fb2e
  • 072a43123e755ad1bdd159488a85a353227ec51f273c4f79c26ff7e4656c0ef4
  • 1c9e519dca0468a87322bebe2a06741136de7969a4eb3efda0ab8db83f0807b4
  • 69e48eb82ce7387d65cc1a82c5a6a170dc6121d479736b1dd33358d09c483617
  • 107[.]6.172.51
  • 31[.]192.105.10
  • 5[.]39.223.227

Tip: 22 related IOCs (3 IP, 9 domain, 0 URL, 1 email, 9 file hash) to this threat have been found.
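The indicators above are published defanged (`[.]` in place of `.`), so they have to be normalised before they can be matched against telemetry. The script below is an added example, not code from Certfa Radar or from the Clearsky report: it refangs the page's IOC list, classifies each entry into the same five categories the tip line counts (IP, domain, URL, email, file hash), and then runs the resulting matchers over a handful of constructed DNS, proxy, EDR and firewall log lines. The log lines, hostnames and client addresses are invented for the demonstration; only the indicators come from the page. Domain matching is anchored on label boundaries, so the bare `qooqle.co` entry does not fire on the subdomain `video.qooqle.co`, which has its own entry.

```python
import re
from collections import Counter

# Indicators exactly as listed on the page (defanged form).
PAGE_IOCS = [
    "drive-google[.]co", "drives-google[.]co", "gfimail[.]us",
    "google-setting[.]com", "google-verify[.]com", "login-users[.]com",
    "mail-verify[.]com", "qooqle[.]co", "video.qooqle[.]co",
    "saeed.kn2003@gmail[.]com",
    "55ff220e38556ff902528ac984fc72dc",
    "60f5bc820cf38e78b51e1e20fed290b5",
    "b4790618672197cab31681994bbc10a4",
    "476489f75fed479f19bac02c79ce1befc62a6633",
    "b67572a18282e79974dc61fffb8ca3d0f4fca1b0",
    "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e",
    "072a43123e755ad1bdd159488a85a353227ec51f273c4f79c26ff7e4656c0ef4",
    "1c9e519dca0468a87322bebe2a06741136de7969a4eb3efda0ab8db83f0807b4",
    "69e48eb82ce7387d65cc1a82c5a6a170dc6121d479736b1dd33358d09c483617",
    "107[.]6.172.51", "31[.]192.105.10", "5[.]39.223.227",
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc: str) -> str:
    """Undo the feed's defanging so the value can be matched literally."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Return one of: ip, hash, email, url, domain, unknown."""
    value = refang(ioc)
    if IPV4_RE.match(value) and all(0 <= int(o) <= 255 for o in value.split(".")):
        return "ip"
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return "hash"
    if "@" in value and EMAIL_RE.match(value):
        return "email"
    if "://" in value or "/" in value:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def summarize(iocs):
    """Count indicators per category, in the order the page's tip line uses."""
    counts = Counter(classify(i) for i in iocs)
    return {k: counts.get(k, 0) for k in ("ip", "domain", "url", "email", "hash")}


def scan_logs(lines, iocs):
    """Return (line_no, kind, indicator) for every log line that contains an IOC.

    Each indicator is matched as a whole token: it may not be preceded by a
    word character, '.' or '-', nor followed by a word character or '-'.
    That keeps 'qooqle.co' from firing on 'video.qooqle.co', and lets an IP
    still match when followed by ':port'.
    """
    patterns = []
    for ioc in iocs:
        value = refang(ioc).lower()
        pat = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])")
        patterns.append((pat, classify(ioc), value))
    hits = []
    for line_no, line in enumerate(lines, 1):
        low = line.lower()
        for pat, kind, value in patterns:
            if pat.search(low):
                hits.append((line_no, kind, value))
    return hits


# Constructed sample telemetry (hostnames, client IPs and timestamps are made up).
SAMPLE_LOGS = [
    "2015-06-03T10:12:01Z dns client=10.0.0.15 qname=video.qooqle.co type=A",
    "2015-06-03T10:12:04Z proxy client=10.0.0.15 GET http://drive-google.co/login.php 200",
    "2015-06-03T10:13:30Z edr host=WS-22 new_file C:\\Users\\x\\Downloads\\invite.exe "
    "sha256=072a43123e755ad1bdd159488a85a353227ec51f273c4f79c26ff7e4656c0ef4",
    "2015-06-03T10:14:00Z firewall allow 10.0.0.15 -> 107.6.172.51:443",
    "2015-06-03T10:15:00Z proxy client=10.0.0.20 GET https://drive.google.com/ 200",
]

if __name__ == "__main__":
    print(summarize(PAGE_IOCS))
    for hit in scan_logs(SAMPLE_LOGS, PAGE_IOCS):
        print("HIT line %d [%s] %s" % hit)
```

The summary reproduces the tip line's breakdown (3 IP, 9 domain, 0 URL, 1 email, 9 file hash); the last sample line, a request to the legitimate Google Drive host, produces no hit, which is the case a look-alike-domain feed like this one most needs to get right.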

Overlaps

Actor: Flying Kitten
Report: Flying Kitten to Rocket Kitten: Persistent Phishing Threats from Iran

Source: Iran Threats - December 2017

Detection (two cases): google-setting[.]com, google-verify[.]com

Actor: Rocket Kitten
Report: Rocket Kitten's Operation Woolen-GoldFish Targets Israeli and European Organizations

Source: Trend Micro - March 2015

Detection (two cases): 476489f75fed479f19bac02c79ce1befc62a6633, d5b2b30fe2d4759c199e3659d561a50f88a7fb2e

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.