A hacking operation, possibly linked to a state-sponsored espionage operation, continues to operate across the Middle East, according to US cyber security company Cybereason.
Those responsible for the hacking operation are known as the Gaza Cybergang, also known as Molerats, and have targeted officials in the Palestinian territories, as well as elsewhere in the region.
Writing about the group last year, cyber security company Kaspersky claimed that “targets located within the Palestinian territories were very comfortably in the lead. Quite a few infection attempts also fell on Jordan, Israel, and Lebanon."
Cybereason says what is particularly concerning about the group's most recent tactics is that they make use of well-established platforms, including Facebook, Dropbox, Google Docs and Simplenote for command and control to directly target victims' computers for exfiltration of sensitive data.
Emotive themes
Similar to other recent hacking campaigns in the region, the group used sophisticated phishing tactics to fool unwitting users into downloading malware that allowed access to personal data.
"Themes like Israeli-Saudi relations, Hamas elections, news about Palestinian politicians, and other regional events" were all used to tempt message recipients into clicking on compromised links, according to Cybereason.
“While it’s no surprise to see threat actors take advantage of politically charged events to fuel their phishing campaigns, it is concerning to see an increase in social media platforms being used for issuing command and control instructions and other legitimate cloud services being used for data exfiltration activities,” said Lior Div, Cybereason co-founder and chief executive.
“This puts the onus even more on the defenders to be hypervigilant with regard to potentially malicious network traffic connecting to legitimate services,” he said.
In October, Microsoft said they had uncovered a campaign by Iran-backed group Phosphorus, which used similar, albeit arguably more sophisticated tactics.
Phosphorus tempted email recipients – many of them high-profile figures – with convincing fake invitations to major events related to Middle East politics, such as the Think 20 summit in Saudi Arabia and the Munich Security Conference.
Tom Burt, head of security at Microsoft, said some of the attempts were successful.
“We believe Phosphorus is engaging in these attacks for intelligence collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”
While Phosphorus has been linked to the Iranian regime, it is not clear who is behind the Molerats group.
On Tuesday, US military official R Clarke Cooper said Washington was weighing the possibility of deploying “advanced capabilities” to the UAE following a blitz of Iranian cyberattacks against the Gulf nation. He did not specify what technology would be used.
Mr Cooper, who serves as assistant secretary of State for Political-Military Affairs, told reporters that the Pentagon may install anti-cyber gear to deter threats against the Emirates, where about 4,000 US servicemen are stationed.
“The UAE reports an increasing number of cyber threats following their participation in the Abraham Accord. This is consistent with what we are seeing elsewhere as Iran attempts to undermine the UAE’s cybersecurity,” said Mr Cooper.
“Thus, it is only natural the Trump administration would carefully consider and expedite where [to deploy] practical, certain advanced capabilities to deter threats, including to nearly 4,000 US service members based in the UAE.”
