# Rocket Kitten

**en.wikipedia.org/wiki/Rocket_Kitten**

Contributors to Wikimedia projects

**Rocket Kitten** or the **Rocket Kitten Group** is a [hacker group](https://en.wikipedia.org/wiki/Hacker_group) thought to be linked to the [Iranian government](https://en.wikipedia.org/wiki/Iran).[1] The group has targeted organizations and individuals in the Middle East, particularly Israel, Saudi Arabia and Iran, as well as the United States and Europe.

## Origins

Cybersecurity firm [FireEye](https://en.wikipedia.org/wiki/FireEye) first identified the group as Ajax Security Team,[2] writing that it appears to have been formed in 2010 by the hacker personas "Cair3x" and "HUrr!c4nE!". By 2012, the group had turned its focus to Iran's political opponents,[3] and by 2013 or 2014 it had shifted to malware-based cyberespionage.[3] Its targeted attack campaigns, dubbed "Rocket Kitten", have been known since mid-2014.[4]

Security firm [Check Point](https://en.wikipedia.org/wiki/Check_Point) describes Rocket Kitten as an "attacker group of Iranian origin".[1] Rocket Kitten's code uses [Persian-language](https://en.wikipedia.org/wiki/Persian_language) references. The group's targets are involved in defense, diplomacy, international affairs, security, policy research, human rights and journalism. According to Check Point, the group has targeted Iranian dissidents, the Saudi royal family, Israeli nuclear scientists and [NATO](https://en.wikipedia.org/wiki/NATO) officials.

Security researchers found that the group carried out a "common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus".[4] Other researchers determined that Rocket Kitten's attacks bore a similarity to those attributed to Iran's [Revolutionary Guards](https://en.wikipedia.org/wiki/Islamic_Revolutionary_Guard_Corps).[4] Intelligence officials from the Middle East and Europe have linked Rocket Kitten to the Iranian military establishment.[2] Rocket Kitten favours a [Remote Access Trojan](https://en.wikipedia.org/wiki/Remote_Access_Trojan),[5] and by 2015 researchers found it was using customised malware.[2]

## History

### Operation Saffron Rose

Cybersecurity firm FireEye released a report in 2013 finding that Rocket Kitten had conducted several cyberespionage operations against United States [defense industrial base](https://en.wikipedia.org/wiki/Defense_industrial_base) companies. The report also detailed the targeting of Iranian citizens who use anti-censorship tools to bypass Iran's Internet filters.[3]

### Operation Woolen-Goldfish

[Trend Micro](https://en.wikipedia.org/wiki/Trend_Micro) identified the Operation Woolen-Goldfish campaign in a March 2015 paper. The campaign included improved spearphishing content.[1]

### Oyun

In November 2015, operational security errors by Rocket Kitten allowed Check Point to gain password-less root access to "Oyun", the group's back-end database. Researchers discovered an application that generated personalized phishing pages and contained a list of over 1,842 individual targets.[2][6] Of Rocket Kitten's spearphishing targets between June 2014 and June 2015, 18% were from Saudi Arabia, 17% from the United States, 16% from Iran, 8% from the Netherlands and 5% from Israel.[2] Analysts used credentials to access [keystroke logs](https://en.wikipedia.org/wiki/Keystroke_logging) of the group's victims and found that Rocket Kitten had apparently tested its malware on its own workstations and failed to erase the resulting logs from the data files.[6] Check Point identified an individual named Yaser Balaghi, going by Wool3n.H4t, as a ringleader of the operation.[5]

### Telegram hack

In August 2016, researchers identified Rocket Kitten as being behind a hack of [Telegram](https://en.wikipedia.org/wiki/Telegram_(software)), a cloud-based instant messaging service. The attackers exploited Telegram's reliance on SMS verification, compromising over a dozen accounts and stealing the user IDs and telephone numbers of 15 million Iranians who use the software. Opposition organizations and reformist political activists were among the victims.[4]

## References

1. ["Rocket Kitten: A Campaign With 9 Lives" (PDF)](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf). Check Point. 2015.
2. Jones, Sam (26 April 2016). ["Cyber warfare: Iran opens a new front"](https://www.ft.com/content/15e1acf0-0a47-11e6-b0f1-61f222853ff3). *Financial Times*.
3. ["Operation Saffron Rose" (PDF)](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf). FireEye. 2013. Retrieved 26 December 2016.
4. Menn, Joseph; Torbati, Yeganeh (2 August 2016). "Exclusive: Hackers accessed Telegram messaging accounts in Iran - researchers". *Reuters*.
5. Carman, Ashley (9 November 2015). "Supposed mastermind behind 'Rocket Kitten' APT identified in research paper". *SC Magazine US*.
6. Muncaster, Phil (10 November 2015). "Opsec Blunders Expose Rocket Kitten Masterminds". *Infosecurity Magazine*.

## External links

- [The Spy Kittens Are Back: Rocket Kitten 2](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf), Trend Micro.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Rocket_Kitten&oldid=1071589841"