Hacking activity in Gaza Strip and West Bank have intensified in recent years as rival Palestinian political parties spar between them, the Israelis-Palestinians the conflict continues, and Palestinian hackers are increasingly establishing themselves on the world stage. Now Facebook has discovered two digital spy campaigns in Palestine, active in 2019 and 2020, which exploited a range of devices and platforms, including unique spyware that targeted iOS.
The groups, which seem unrelated, seem to have gone against the grain. But both have used social media platforms like Facebook as jumping off points to connect with targets and launch social engineering attacks to guide them to phishing pages and other malicious websites.
Researchers link a group of attackers with the Palestine Preventive Security Service, an intelligence group under the aegis of the West Bank ruling party, Fatah. In this campaign, the group mainly targeted the Palestinian territories and Syria, with additional activities in Turkey, Iraq, Lebanon and Libya. Hackers appeared largely focused on attacks on human rights and anti-Fatah activists, journalists and entities like the Iraqi army and the Syrian opposition.
The other group, the long time Actor Arid Viper, who has been associated with Hamas, focused on targets in Palestine such as members of the Fatah political party, government officials, security forces and students. Arid Viper has an extensive attack infrastructure in place for its campaigns, including hundreds of websites that have launched phishing attacks, hosted iOS and Android malware, or functioned as command and control servers. for this malware.
“To stop these two operations, we deleted their accounts, posted malware hashes, blocked domains associated with their activity, and alerted people who we believed were targeted by these groups to help them secure their accounts,” said Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and Director of Threat Disruption David Agranovich wrote in a blog post on Wednesday. “We have shared information with our industry partners, including the anti-virus community, so they too can detect and stop this activity.”
The group linked to the Preventive Security Service was active on social media and used both fake and stolen accounts to create characters, often depicting young women. Some of the accounts purported to support Hamas, Fatah, or other military groups and sometimes posed as activists or journalists in an attempt to build relationships with targets and trick them into downloading malware.
The group used both standard malware and their own Android spyware masquerading as a secure chat app to target victims. The chat app collected the device’s call logs, location, contact information, SMS messages, and metadata. It also sometimes included a keylogger. The attackers also used publicly available Android and Windows malware. And researchers saw evidence that attackers had created a bogus content management platform for Windows that targeted journalists who wanted to submit articles for publication. The app didn’t actually work, but came with Windows malware.