Moscow server hosted WikiLeaks and Iran’s hackers weeks apart

The research by Virginia-based ThreatConnect involves a notorious hacking campaign that targeted more than 500 diplomats, journalists, human rights workers, scientists, and researchers, primarily in the Middle East. The hackers used spear phishing to lure targets into installing malware or entering their passwords into a fake login page. Though technically unremarkable, the hacks stood out for the brazen persistence of the attackers, who in some cases followed up their phishing emails with a phone call encouraging the victim to open the attachment.

The Israeli security company ClearSky detected the campaign in May 2015, and from a number of clues attributed it to the hacking organization “Rocket Kitten,” also known as “APT33,” which has been linked to the government of Iran.

ThreatConnect’s three-page report connects some tentative dots between that attack, which targeted Saudi Arabia more than any other country, and WikiLeaks’ release a few weeks later of hundreds of thousands of diplomatic cables taken from Saudi Arabia’s foreign ministry—and suggests that WikiLeaks may have worked with Rocket Kitten to engineer its own leak.