Cybereason: Hacker group is attacking senior officials in the Middle East

The hackers are an Arabic-speaking group operating in the Palestinian Authority, the UAE, Egypt and Saudi Arabia. The goal: to exfiltrate information on relations with Israel 

The research team of cyber company Cybereason revealed that ever since the signing of the agreement between Israel and the United Arab Emirates, there has been a series of cyberattacks against senior officials in the Palestinian Authority, the UAE, Egypt and Saudi Arabia. The campaign is being run by an APT group that mainly carries out politically motivated attacks aimed at exfiltrating information on relations with Israel.

Cyber defense company Cybereason revealed Wednesday that the APT group is using new attack tools against officials from the Palestinian Authority, the UAE, Egypt and Saudi Arabia with the goal of collecting sensitive intelligence. Cybereason's research team, Nocturnus, found that these attacks were carried out by the APT group known as "MoleRATs" or "Gaza Cybergang". It is an Arabic-speaking group that mainly carries out politically motivated attacks and operates against various targets in the Middle East for the purpose of espionage.

In the last few weeks, since relations with the UAE and Saudi Arabia were arranged, Cybereason's research group has detected increased activity in the group's attack infrastructure. Cybereason discovered that the attackers used content about current geopolitical events as phishing lures to distribute malware.

One example was the reported meeting between the Saudi crown prince, US Secretary of State Mike Pompeo, and Israeli Prime Minister Benjamin Netanyahu. The group succeeded in getting senior and junior officials to download the files sent to them. When opened, the files installed backdoors that steal data from the victims' computers. The malware is dubbed "MoleNet", "DropBook", and "SharpStage".

The attacks were carried out in a sophisticated and creative manner. The attackers opened fictitious accounts on the Facebook social network and used them to post messages that looked legitimate but actually carried the commands that told the malware what data to steal. The stolen data was then uploaded to Google Drive and Dropbox, so it was stored in a simple manner that blended in with ordinary traffic. Because the group relied on these legitimate services, it succeeded in concealing its operations for some time.
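The pattern described above, a non-browser process reading instructions from a social network and then bulk-uploading to a consumer cloud-storage API, can be surfaced from ordinary endpoint network telemetry. The following detection sketch is an added example written for this article; it is not Cybereason's code or part of its report. The log format is constructed, the process names in the sample are made up, and the hostnames used for the Dropbox, Google Drive and Facebook endpoints are the public ones for those services (which exact hosts a given tool contacts is an assumption, so tune them to what your proxy actually sees).

```python
import re
from collections import defaultdict

# Processes expected to talk to social networks and cloud storage interactively.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Public endpoints of the services named in the article. Which hostnames a
# given tool really uses is an assumption; adjust to your environment.
UPLOAD_HOSTS = {
    "content.dropboxapi.com": "dropbox",
    "www.googleapis.com": "google-drive",
}
SOCIAL_HOSTS = {
    "www.facebook.com": "facebook",
    "graph.facebook.com": "facebook",
}

# Constructed line format: one outbound network event per line, roughly as an
# EDR or proxy might emit it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) method=(?P<method>[A-Z]+) bytes_out=(?P<bytes>\d+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    ev["proc"] = ev["proc"].lower()
    return ev


def analyze(lines, upload_threshold=512 * 1024):
    """Return alerts as (severity, host, proc, reason) tuples.

    Browsers are ignored: users legitimately read Facebook and upload to
    Dropbox. Any other process that does so is suspicious, and one that does
    both (reads a social network, then bulk-uploads) matches the dead-drop
    plus cloud-exfiltration pattern described in the article.
    """
    uploaded = defaultdict(int)   # (host, proc) -> bytes sent to storage APIs
    polled_social = set()         # (host, proc) that fetched a social network
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["proc"] in BROWSERS:
            continue
        key = (ev["host"], ev["proc"])
        if ev["dst"] in SOCIAL_HOSTS and ev["method"] == "GET":
            if key not in polled_social:
                polled_social.add(key)
                alerts.append(("medium", *key,
                               f"non-browser process reads {SOCIAL_HOSTS[ev['dst']]}"))
        if ev["dst"] in UPLOAD_HOSTS and ev["method"] in ("POST", "PUT"):
            before = uploaded[key]
            uploaded[key] += ev["bytes"]
            # Alert exactly once, when the cumulative volume crosses the threshold.
            if before < upload_threshold <= uploaded[key]:
                alerts.append(("medium", *key,
                               f"non-browser process uploaded {uploaded[key]} bytes "
                               f"to {UPLOAD_HOSTS[ev['dst']]}"))
    # Correlate the two weak signals into one strong one per host/process.
    for key in polled_social:
        if uploaded.get(key, 0) >= upload_threshold:
            alerts.append(("high", *key,
                           "social-network read combined with bulk cloud upload"))
    return alerts


# Constructed sample telemetry (hostnames of workstations and the process
# name svc_update.exe are invented for this example).
SAMPLE_LOG = """\
2020-12-09T08:01:12Z host=WS-17 proc=chrome.exe dst=www.facebook.com method=GET bytes_out=812
2020-12-09T08:03:44Z host=WS-17 proc=chrome.exe dst=content.dropboxapi.com method=POST bytes_out=2400000
2020-12-09T08:10:02Z host=WS-23 proc=svc_update.exe dst=www.facebook.com method=GET bytes_out=640
2020-12-09T08:10:09Z host=WS-23 proc=svc_update.exe dst=content.dropboxapi.com method=POST bytes_out=400000
2020-12-09T08:10:31Z host=WS-23 proc=svc_update.exe dst=content.dropboxapi.com method=POST bytes_out=400000
2020-12-09T08:15:00Z host=WS-41 proc=outlook.exe dst=www.googleapis.com method=POST bytes_out=2048
"""

if __name__ == "__main__":
    for severity, host, proc, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {host} {proc}: {reason}")
```

Run stand-alone, the sample produces two medium alerts and one high alert for WS-23, while the browser traffic on WS-17 and the small Outlook upload on WS-41 stay quiet. The threshold and host lists are the knobs a SOC would tune; the correlation step is what lifts the detection above generic "unusual process talks to Dropbox" noise.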

"The use of current events to carry out phishing attacks isn't a new method, but the increased use of legitimate platforms and social networks to execute attack orders indicates an advanced method of operation. The attackers take into account that traditional defense networks are not capable of locating these methods, which gives them almost complete freedom in the organization's network.

"The year 2020 spurred many organizations to replace their traditional systems with Cybereason's advanced defense platform to secure remote work, stop sophisticated attacks and keep pace with the new world," said Lior Div, Cybereason co-founder and CEO.

Earlier this year, Cybereason discovered two backdoors belonging to the same group, called Spark and Pierogi, that were used in targeted attacks against senior Palestinian officials with the same methods, using content related to current events to take control of their computers and exfiltrate sensitive intelligence data. That attack led the Cybereason research team to keep following the operations of the APT group and to discover the current campaign.