Flying Kitten, Ajax Security Team

Description

(FireEye) Members of this group have accounts on popular Iranian hacker forums such as ashiyane[.]org and shabgard[.]org, and they have engaged in website defacements under the group name “AjaxTM” since 2010. By 2014, the Ajax Security Team had transitioned from performing defacements (their last defacement was in December 2013) to malware-based espionage, using a methodology consistent with other advanced persistent threat actors in this region.

(Crowdstrike) CrowdStrike Intelligence has also been tracking and reporting internally on this threat group since mid-January 2014 under the name FLYING KITTEN, and since that time has seen targeting of multiple U.S.-based defense contractors as well as political dissidents.

Names

Name	Name-Giver
Flying Kitten	CrowdStrike
Ajax Security Team	FireEye
Group 26	Talos

Country

• Iran

Sponsor

State-sponsored

Motivation

• Information theft and espionage

First Seen

2010

Observed Sectors

• Defense
• dissidents

Observed Countries

• USA

Tools

• Stealer

Operations

• 2013: Operation “Saffron Rose” https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf

Information

• https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/

Mitre Attack

• https://attack.mitre.org/groups/G0130/

Other Information

Uuid

9d17cae3-0777-428b-b9b7-fcbdf52af5ba

Last Card Change

2022-12-30