CopyKitten’s Spearphishing Attack on Israeli Ministry of Communications
- Actor Motivations: Espionage
- Attack Vectors: Malicious Macro, Malware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
CopyKitten, a known cyber-attack group, has launched a spearphishing campaign targeting the Israeli government’s Ministry of Communications. The investigation commenced with the identification of a suspicious domain that led to multiple related domains. One such domain closely mimicked the Israeli Prime Minister's SSL VPN login page and was used to drop a malicious Word document titled "Annual Survey.docx." This document had an embedded OLE object that communicated with a C2 server, signifying a well-planned attack. The campaign appears to be part of CopyKitten's ongoing activities against Israeli interests.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Israel Ministry of Communications. The Ministry of Communications is the Israeli government ministry responsible for communications in Israel. It is a relatively minor position in the cabinet. The ministry was established in 1952, and until 1970 was known as the Ministry of Postal Services. The Israel Ministry of Communications has been targeted by CopyKittens as the main target. | High |
| Sector | Government Agencies and Services | Verified |
| Region | Israel | Verified |
Extracted IOCs
Tip: 10 IOCs related to this threat have been found (2 IPs, 4 domains, 1 URL, 0 email addresses, 3 file hashes).
Overlaps
Source: ClearSky - March 2017
Detection (five cases): 212[.]199.61.51, 86[.]105.18.5, primeminister-goverment-techcenter[.]tech, ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter[.]tech, static.dyn-usr.f-login-me.c19.a23.akamaitechnology[.]com
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.