Iranian Hackers Target Israeli Logistics and IT Companies
Iranian Espionage Group Used Tactics From Previous Campaigns
Iranian state-sponsored hackers tracked as Imperial Kitten are attacking Israeli logistics, transportation and technology companies to steal data and credentials and to gain footholds in their systems, according to security company CrowdStrike.
CrowdStrike said it observed the group attacking Israeli firms between 2022 and 2023. The group uses several methods to obtain initial access: luring victims to attacker-controlled domains, phishing, using stolen credentials to log in to VPN appliances, and exploiting recently disclosed "one-day" vulnerabilities, flaws for which a patch is already available but has not yet been applied by the target.
Imperial Kitten first emerged in 2017 and has links to Iran's Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces that answers to the country's Supreme Leader.
The group previously targeted defense, aviation, maritime, IT and logistics organizations to collect intelligence for the Iranian state. Proofpoint, which tracks the group as TA456, says it operates through Mahak Rayan Afraz, a Tehran-based company that Proofpoint assesses to be a front for the IRGC.
In an operation CrowdStrike analyzed in October, during the Israel-Hamas war, the group used phishing emails to deliver macro-enabled Excel documents. Once a victim enables the macros, the document drops three batch files that launch a reverse shell; the shell connects to a hard-coded IP address on TCP port 6443 and receives its commands from the attackers' command-and-control (C2) server.
Imperial Kitten also relies on publicly available and open-source tooling: PAExec, NetScan and PsExec for lateral movement; the Sysinternals command-line utility ProcDump to dump the memory of the LSASS process, from which credentials can be harvested offline; and the open-source remote-management agent MeshAgent, alongside custom malware, to exfiltrate data from compromised systems.
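The three pieces of tradecraft above (an Office macro whose process chain connects out on TCP 6443, ProcDump reading LSASS, and PsExec/PAExec-style remote execution) map onto process-creation and network-connection telemetry. The following is an added detection example written for this article, not code or data from CrowdStrike: the Sysmon-style events, paths, process GUIDs, host name and IP addresses are all constructed, and the reverse-shell binary name rs.exe is hypothetical.

```python
"""Detection logic for the tradecraft described above, run over constructed
Sysmon-style events. Added example, not code or data from CrowdStrike's report:
every path, process GUID, host name and IP address below is invented."""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "paexec.exe"}
C2_PORT = 6443  # hard-coded reverse-shell port named in the article

# Constructed telemetry: id 1 = process creation, id 3 = network connection.
SAMPLE_EVENTS = [
    {"id": 1, "guid": "P1", "parent": None,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\u\Downloads\job_offer.xlsm'},
    {"id": 1, "guid": "P2", "parent": "P1",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\1.bat"},
    # hypothetical reverse-shell binary launched by the batch file
    {"id": 1, "guid": "P3", "parent": "P2",
     "image": r"C:\Users\u\AppData\Local\Temp\rs.exe", "cmdline": "rs.exe"},
    {"id": 3, "guid": "P3", "dst_ip": "203.0.113.10", "dst_port": 6443, "initiated": True},
    {"id": 1, "guid": "P4", "parent": None,
     "image": r"C:\Tools\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"id": 1, "guid": "P5", "parent": None,
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FILESRV01 -s cmd.exe"},
    # benign-looking service host: an outbound 443 connection, and a 6443 connection
    # with no Office ancestry (6443 is also a common Kubernetes API port); neither is flagged
    {"id": 1, "guid": "P6", "parent": None,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 3, "guid": "P6", "dst_ip": "203.0.113.10", "dst_port": 443, "initiated": True},
    {"id": 3, "guid": "P6", "dst_ip": "10.0.0.5", "dst_port": 6443, "initiated": True},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestry(procs, guid):
    """Yield a process and then each of its ancestors by following parent GUIDs."""
    cur = procs.get(guid)
    while cur is not None:
        yield cur
        cur = procs.get(cur["parent"])


def detect(events):
    """Return (rule_name, process_guid) pairs for the three TTPs in the article."""
    procs = {e["guid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            name = _basename(e["image"])
            cmd = e["cmdline"].lower()
            # ProcDump is frequently renamed, so also key on the LSASS target plus
            # the -ma (full dump) switch rather than on the image name alone.
            if "lsass" in cmd and (name.startswith("procdump") or " -ma " in f" {cmd} "):
                findings.append(("procdump_lsass", e["guid"]))
            # PsExec/PAExec pointed at a remote host (\\HOST) is the lateral-movement pattern.
            if name in REMOTE_EXEC_TOOLS and "\\\\" in e["cmdline"]:
                findings.append(("remote_exec_tool", e["guid"]))
        elif e["id"] == 3 and e.get("initiated") and e["dst_port"] == C2_PORT:
            # A bare port match is noisy; require an Office application in the
            # process tree, which is what ties the connection to the malicious macro.
            if any(_basename(p["image"]) in OFFICE_APPS for p in _ancestry(procs, e["guid"])):
                findings.append(("office_child_c2_6443", e["guid"]))
    return findings


if __name__ == "__main__":
    for rule, guid in detect(SAMPLE_EVENTS):
        print(f"{rule}: {guid}")
```

The port check is deliberately conditioned on Office ancestry: a hard-coded port is the weakest indicator in the article and will rotate, while "document-spawned process makes an outbound connection" survives that change. Likewise, matching ProcDump on the LSASS target and the -ma switch catches the common renamed-binary case that an image-name rule misses.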
The group's toolkit also includes IMAPLoader, a .NET loader that fetches additional payloads and uses email as its command-and-control channel to communicate with its operators. According to CrowdStrike's analysis, IMAPLoader was first observed in September and is distributed as a dynamic link library loaded via AppDomainManager injection. Typographical errors in its embedded files suggest its developers are not native English speakers.
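The report names AppDomainManager injection as IMAPLoader's loading technique without publishing the configuration the malware used, so the following is an added hunting example, not CrowdStrike's code or indicators. It rests on documented .NET Framework behaviour rather than on anything specific to this campaign: a <runtime> section in an application's .exe.config (or the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables) names an assembly and type that the CLR instantiates before the program's own Main runs, so a DLL dropped beside a trusted executable runs inside that process. The example goes beyond the article by covering the environment-variable variant and a directory sweep as well; the sample configs, environment and the assembly name UpdateHelper are constructed.

```python
"""Hunt for AppDomainManager injection, the loading technique the article names
for IMAPLoader. Added example, not from CrowdStrike's report. The mechanism is
documented .NET Framework behaviour: a <runtime> section in <app>.exe.config
(or the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables)
names an assembly and type that the CLR loads before the program's Main runs.
The configs, environment and assembly name below are constructed."""
import xml.etree.ElementTree as ET
from pathlib import Path

ENV_ASM, ENV_TYPE = "APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"

# Constructed: an ordinary config and one carrying an injected manager.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""

INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""


def _simple_name(assembly_ref):
    """'Name, Version=..., Culture=...' -> 'Name'."""
    return (assembly_ref or "").split(",")[0].strip()


def extract_appdomain_manager(config_xml):
    """Return (assembly, type) declared in <runtime>, or None if absent."""
    # Input here is constructed; parse untrusted files with defusedxml instead.
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)


def hunt_config(config_xml, allowlist=frozenset()):
    """Flag a config that names a manager assembly not on the site allowlist."""
    found = extract_appdomain_manager(config_xml)
    if found is None:
        return None
    asm, typ = found
    name = _simple_name(asm)
    if name in allowlist:
        return None
    return {"source": "config", "assembly": name, "type": typ}


def hunt_environment(env, allowlist=frozenset()):
    """Same check for the environment-variable variant of the technique."""
    if ENV_ASM not in env and ENV_TYPE not in env:
        return None
    name = _simple_name(env.get(ENV_ASM))
    if name in allowlist:
        return None
    return {"source": "environment", "assembly": name, "type": env.get(ENV_TYPE)}


def scan_directory(root, allowlist=frozenset()):
    """Walk a tree for *.exe.config files and report injected managers, noting
    whether the named DLL sits beside the executable (the sideloading layout)."""
    hits = []
    for cfg in Path(root).rglob("*.exe.config"):
        try:
            hit = hunt_config(cfg.read_text(encoding="utf-8", errors="replace"), allowlist)
        except ET.ParseError:
            continue  # malformed config; not this technique
        if hit:
            hit["config"] = str(cfg)
            hit["dll_beside_exe"] = (cfg.parent / f"{hit['assembly']}.dll").exists()
            hits.append(hit)
    return hits


if __name__ == "__main__":
    print(hunt_config(INJECTED_CONFIG))
```

A handful of legitimate products do ship an AppDomainManager, which is why the check takes an allowlist rather than treating every hit as malicious. The high-signal combination is a manager assembly that is not Microsoft's, is not on the allowlist, and exists as a DLL next to a signed executable in a user-writable directory.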
Imperial Kitten also deployed .NET malware dubbed StandardKeyboard, which likewise uses email for C2 and executes Base64-encoded commands it receives in messages. CrowdStrike said the group's continued use of email as a command-and-control channel helped it attribute the operation to Imperial Kitten.
The company also based its assessment on overlaps with activity previously attributed to Imperial Kitten: a continued focus on Israeli maritime, transportation and technology companies; job-themed phishing emails; and reuse of web-compromise infrastructure seen in earlier campaigns. CrowdStrike said it attributed the operation with low confidence because most of the indicators rested on single-source reporting.