Cobalt Kitty

Campaign updated 4 months ago (2024-05-04T20:32:10.403Z)
Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the course of the campaign, the attackers successfully compromised more than 40 PCs and servers, including critical infrastructure such as the domain controller, file servers, web application server, and database server. The tools, modus operandi, and indicators of compromise (IOCs) observed in Operation Cobalt Kitty were key to attributing this large-scale cyber espionage APT to the OceanLotus Group. Cybereason conducted an in-depth investigation into Operation Cobalt Kitty, uncovering and analyzing new tools in the OceanLotus Group's attack arsenal. These findings were instrumental in understanding the group's approach and tactics. The unique characteristics of Operation Cobalt Kitty, despite being one part of the group's growing chain of APT campaigns, provided valuable insights into the group's evolving strategies and techniques. As the investigation progressed, some of the IOCs observed in Operation Cobalt Kitty began to appear in the wild, with some even reported as being used in other campaigns. This highlights the dynamic nature of IOCs, which tend to change over time. Nonetheless, these IOCs served as behavioral fingerprints that played a pivotal role in linking Operation Cobalt Kitty to the OceanLotus Group. While Operation Cobalt Kitty is a unique campaign in many respects, it forms a crucial link in the broader context of the group's ongoing APT activities.
Description last updated: 2024-05-04T20:32:09.736Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID         | Votes | Profile Description
APT32      | 2     | APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s
OceanLotus | 2     | OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Source Document References
Information about the Cobalt Kitty campaign was read from the document corpus below. This display is limited to 20 results.

Source  | Created     | Title
CERT-EU | a year ago  | Cybersecurity threatscape of Asia: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE   | 2 years ago | Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
MITRE   | 2 years ago | New MacOS Backdoor Linked to OceanLotus Found
CERT-EU | a year ago  | New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies