Iranian Imperial Kitten hackers targeted Israeli organizations in October


An Iranian hacking group targeted organizations in Israel’s transportation, logistics and technology sectors last month amid an uptick in Iranian cyber activity since the start of Israel’s war with Hamas.

Researchers at the cybersecurity company CrowdStrike’s Counter Adversary Operations attributed the activity to Imperial Kitten, an Iranian advanced persistent threat (APT) group, in a report published Thursday. The group is often linked to the regime’s Islamic Revolutionary Guard Corps.

The CrowdStrike report came as Microsoft researchers cautioned that Iran’s information operations might be inflating the efficacy of a few publicly reported cybersecurity incidents in Israel since the war began October 7. Hamas and Iran are longtime allies.

The activity that CrowdStrike observed in October is connected with behavior the company has tracked since 2022, the report says. The researchers homed in on strategic web compromise (SWC) tactics, a social engineering technique in which hackers lure a target to a compromised website. The goal is generally to exfiltrate data, CrowdStrike said.

The researchers found that the malicious websites initially used the open-source analytics software Matomo to profile the users who visited them, but more recently the group has used a custom script to collect browser information and IP addresses.

Imperial Kitten has been observed deploying a variety of malware strains, most commonly from the IMAPLoader family, which uses email command-and-control servers. In at least one attack in October, Imperial Kitten used malicious Microsoft Excel documents to deploy malware as part of a phishing operation.
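Because IMAPLoader talks to its operators through ordinary email servers, the detection opportunity is IMAP/IMAPS traffic coming from processes that have no business speaking that protocol, such as a spreadsheet application that just opened a malicious document. The following Python is an added example, not code from CrowdStrike's report: it runs a simple allowlist check over constructed endpoint telemetry (the CSV format, the mail-client allowlist and the sample hosts and addresses are all assumptions).

```python
import csv
from collections import Counter
from io import StringIO

# Processes expected to speak IMAP on this fleet (assumed allowlist; tune per environment)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IMAP_PORTS = {143, 993}

# Constructed endpoint telemetry, not from the report: timestamp,host,process,dest_ip,dest_port
SAMPLE_LOG = """\
2023-10-18T09:00:01Z,WS01,outlook.exe,203.0.113.10,993
2023-10-18T09:00:07Z,WS01,outlook.exe,203.0.113.10,993
2023-10-18T09:01:00Z,WS02,EXCEL.EXE,198.51.100.25,993
2023-10-18T09:03:00Z,WS02,EXCEL.EXE,198.51.100.25,993
2023-10-18T09:05:00Z,WS02,EXCEL.EXE,198.51.100.25,993
2023-10-18T09:05:30Z,WS03,chrome.exe,203.0.113.55,443
2023-10-18T09:06:00Z,WS04,svchost.exe,198.51.100.25,143
"""

def parse_events(text):
    """Parse CSV telemetry into dicts; malformed rows are skipped, not fatal."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue
        try:
            port = int(row[4])
        except ValueError:
            continue
        events.append({"ts": row[0], "host": row[1], "process": row[2].lower(),
                       "dest": row[3], "port": port})
    return events

def find_suspicious_imap(text, min_connections=2):
    """Return {(host, process, dest_ip): count} for IMAP/IMAPS connections made by
    processes outside the mail-client allowlist. Repeated connections from one
    non-mail process to one server are the footprint a mailbox-based C2 channel leaves;
    min_connections suppresses one-off noise."""
    counts = Counter()
    for e in parse_events(text):
        if e["port"] in IMAP_PORTS and e["process"] not in MAIL_CLIENTS:
            counts[(e["host"], e["process"], e["dest"])] += 1
    return {key: n for key, n in counts.items() if n >= min_connections}

if __name__ == "__main__":
    for (host, proc, dest), n in find_suspicious_imap(SAMPLE_LOG).items():
        print(f"{host}: {proc} -> {dest} over IMAP, {n} connections")
```

In the constructed sample only the Excel process on WS02 crosses the threshold; lowering `min_connections` to 1 also surfaces the single svchost.exe connection, which is the trade-off between coverage and alert volume.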

Although the researchers do not go into detail about the specific attacks on organizations carried out since the start of the war, they explain why they believe Imperial Kitten is behind them, including its use of strategic web compromise infrastructure, the industries targeted — namely Israeli organizations in transportation, maritime and technology — and the use of job-themed decoys.

Other cybersecurity companies have recently detected attempted cyberattacks by Iran-linked groups on Israeli targets, including education and tech organizations and other unspecified entities.

More bark than bite?

While the activity of Iranian hacker groups targeting Israel has been in headlines over the last month, their cyber operations in response to the war may not be as coordinated or impactful as they claim, researchers at Microsoft said Thursday.

“Observations from Microsoft telemetry suggest that, at least in the cyber domain, Iranian operators have largely been reactive since the war began, exploiting opportunities to try and take advantage of events on the ground as they unfold​,” they said.

Only 11 days after Hamas launched its attack on October 7 did Iran enter the cyber fray, with the first of two attacks on Israeli infrastructure.

“While online personas controlled by Iran exaggerated the claims of impact from these attacks, the data suggests that both attacks were likely opportunistic in nature,” they wrote. “Specifically, operators leveraged existing access or acquired access to the first available target. Further, the data shows that, in the case of a ransomware attack, Iranian actors’ claims of impact and precision targeting were almost certainly fabricated.”

Through what researchers called “well-integrated deployment of information operations,” Iran has inflated the efficacy of its cyber operations over the last month, for example after compromising connected webcams in Israel. Its information arm claimed the cameras were from a specific Israeli military site, when in fact “the compromised cameras were located at scattered sites outside any one defined region.

“This suggests that despite Iran actors’ strategic claims, this camera example was ultimately a case of adversaries continuing to opportunistically discover and compromise vulnerable connected devices and try to reframe this routine work as more impactful in the context of the current conflict,” they said.

Correction: A previous version of this article erroneously linked the Iranian APT group Charming Kitten with Imperial Kitten. They are separate hacking groups.

James Reddick

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.
