What CopyKittens Can Teach Us About Cyber-security

By Eyal Aharoni

Thanks to the experts at ClearSky Cyber Security and Trend Micro, a highly professional cyber spy ring known as CopyKittens was exposed in an operation with the codename “Wilted Tulip”. The detailed report, published on July 25th 2017, paints an alarming picture. CopyKittens has been active since 2013, maybe even longer, causing havoc worldwide. The group has been targeting government institutions, academic institutions, defense companies, municipal authorities, subcontractors of the Ministry of Defense, and large IT companies in various countries, including the US, Turkey, Germany, Saudi Arabia, Jordan, and Israel. UN employees were also victimized.


CopyKittens members used a range of methods in their attacks. They sent their targets emails containing malicious attachments or links, and planted “watering holes” on widely used, trusted websites. They also used malware and attack tools that had never been published before. Apart from (spear) phishing emails, CopyKittens also used social engineering techniques on social media platforms. Once they gained access to the target’s network, the cyber spies used DNS-based channels (e.g., via Cobalt Strike) for command and control communication (C&C) and for data exfiltration.

What lesson does this teach us about cybersecurity? Since cybercriminals use a wide range of attack methods through a number of attack vectors, organizations all over the world need to assess their current work procedures and methodologies to determine how vulnerable they are. Let’s take a closer look at the various attack vectors that cybercrooks use.

First, we have the good old email vector. In 70% of the cases, attackers send hundreds of thousands of malicious emails per day to gain access to networks and cause havoc.
What you can do:

  1. Test and verify that your current security barriers and controls block dangerous emails from entering the organization.
  2. Make your employees aware of the dangers of these kinds of emails. They should not open attachments or click on a link in such an email. Most importantly: they should never provide their credentials!

Next, let’s have a look at the internet browsing vector. Sadly enough, it’s not just malicious websites that we need to worry about. Many legitimate websites are vulnerable too, due to a lack of security controls or simply poor development procedures.
What you can do:

  1. Test and verify that your current security barriers and controls prevent your employees from browsing to hazardous websites or from downloading malicious content.
  2. Make your employees aware of the dangers of browsing the internet. They should not click on a link in a phishing email, and they should also be aware that clicking on banners and other pop-ups on websites can be risky.

Web application vulnerabilities are also problematic. As we have seen above, vulnerabilities on websites are a problem. This means that you also need to make sure that your own organization’s web applications are secure, both those exposed to the worldwide web and those internal to the organization.
What you can do:

  1. Verify that your web applications have been developed with secure coding in mind. There are various ways you can check this, e.g., penetration tests, automatic scanning, code proofing tools, etc.
  2. Educate your organization’s developers to work only according to known secure coding methodologies and standards such as OWASP Top 10 and ISO 27034.

Last but not least, the social engineering vector. Social engineering is widely used to reach the organization’s assets. It uses a number of techniques such as asking for credentials, redirecting to another page, or asking the user to download a malicious file.
What you can do:

  1. Test how aware your employees are of the various social engineering attacks they might be facing, such as (spear) phishing and whaling. This could be done using existing standard templates or new ones that are available from various vendors worldwide.
  2. Educate your employees regarding the different social engineering attacks mentioned above using group presentations, workshops, personal online sessions, slide decks etc.

Now let’s see what you can do to prevent a hacker from bypassing the security barriers and controls currently protecting your organization:

  1. Test the framework and capabilities of your internal security controls. These include heuristic behavior analysis solutions, honeypots, and even the presence of known vulnerabilities. Test how difficult it would be for malware or an attacker to enter your network and move laterally within it.
  2. Test the effectiveness of your DLP controls to determine whether data can be exfiltrated from your organization.
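The DNS channel described earlier (CopyKittens used DNS for C&C and data exfiltration) is exactly the kind of path an exfiltration test should exercise, and it is also something defenders can look for in their own DNS logs. As an added example, not part of the original post or of any vendor's product, the Python script below runs over constructed DNS query log lines and flags client/domain pairs whose subdomains look like encoded data chunks; the log lines, domain names and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, not real traffic: "<timestamp> <client-ip> <queried-name>".
# 10.0.0.7 sends long, high-entropy, never-repeating subdomains under one domain (the shape of
# a DNS tunnel carrying encoded data); 10.0.0.5 looks like ordinary browsing.
SAMPLE_LOG = """\
2017-07-25T10:00:01 10.0.0.5 www.example.com
2017-07-25T10:00:02 10.0.0.5 mail.example.com
2017-07-25T10:00:03 10.0.0.7 mzxw6ytboi5dcnrxgq2doojqhazdambr.cdn-sync.example.net
2017-07-25T10:00:04 10.0.0.7 nb2hi4dthixs653xo4xhizlyo5zwk5dp.cdn-sync.example.net
2017-07-25T10:00:05 10.0.0.7 pfxgc3dpo5twe5dfonyhs5dfobsgc3dy.cdn-sync.example.net
2017-07-25T10:00:06 10.0.0.5 www.example.com
"""

# Illustrative thresholds (assumptions); tune them against your own baseline traffic.
MIN_QUERIES, MIN_LABEL_LEN, MIN_ENTROPY, MIN_UNIQUE_RATIO = 3, 16, 3.0, 0.8

def shannon_entropy(text):
    """Bits of entropy per character of text (0 for an empty string)."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def registered_domain(qname):
    """Assumes a two-label registrable domain (no public-suffix list), e.g. example.net."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_dns_tunnel_candidates(log_text):
    """Return {(client, domain): stats} for pairs whose query pattern looks like DNS tunneling."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = parts
        groups[(client, registered_domain(qname))].append(qname.lower())
    flagged = {}
    for key, names in groups.items():
        if len(names) < MIN_QUERIES:
            continue
        labels = [n.split(".")[0] for n in names]  # leftmost label carries the encoded chunk
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        uniq = len(set(names)) / len(names)
        if avg_len >= MIN_LABEL_LEN and avg_ent >= MIN_ENTROPY and uniq >= MIN_UNIQUE_RATIO:
            flagged[key] = {"queries": len(names), "avg_label_len": avg_len,
                            "avg_entropy": round(avg_ent, 2), "unique_ratio": uniq}
    return flagged
```

Benign hostnames such as `www` or `mail` are short, low-entropy and repeat often, so only the 10.0.0.7 traffic under example.net is flagged; a real deployment would replace the two-label heuristic with a public-suffix list and add query volume per minute.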

At Cymulate, we have made the tasks above easy for you. By using the Cymulate platform, you can test all of the above on a regular basis. This will not only verify your cybersecurity posture, but will also give you the peace of mind to concentrate on your business.
