Until the summer of this year, the hostnames pointed to IP addresses belonging to an ISP from the city of Ramallah in the West Bank, Fagerland said.
By searching for malware that historically connected to the same hosts, the Norman researchers managed to find even more Xtreme RAT samples, the oldest of which dated back to October 2011. Some of those samples were used in email attacks that, based on their bait documents, most likely targeted Palestinians, not Israelis, Fagerland said.
The moving of C&C servers from the West Bank to the U.S. might have been triggered by the later switch in targets, Fagerland said. Seeing network traffic directed at an IP address in Palestine might raise suspicion for an Israeli individual or organization, but seeing connections with U.S. IP addresses would be common, he said.
The Norman researchers did not have access to the C&C servers or the opportunity to analyze a machine infected with one of the samples in order to determine what kind of data the attackers were after. However, the evidence gathered by analyzing the malicious files alone points to a year-long cyberespionage operation carried out by the same group of attackers, Fagerland said.
"We have the impression that a cybersurveillance operation is underway (and is probably still ongoing -- most recent sample created Oct. 31) which was first mainly focused on Palestinian targets, then shifted towards Israel," Fagerland said in the report. "The reason for the shift is unknown. Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change."
It's difficult to say who is behind the attacks, Fagerland said. It might be a government organization, a political group or a group of independent hackers, he said.
The attacks are not sophisticated in nature and did not require a lot of resources to pull off. The attackers used free hostnames instead of buying domain names, used cheap hosting solutions for their C&C infrastructure and used Xtreme RAT instead of building their own malware. Xtreme RAT is one of the cheapest remote access Trojan programs available; a standard set-up costs around $40, Fagerland said.
The attackers forgot to scrub the metadata from their bait documents, which revealed the names or aliases of the people who created the files: Hitham, anar, Ayman, Tohan, ahmed, aert or HinT.
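The author and last-modified-by fields the researchers recovered live in the `docProps/core.xml` part of an Office Open XML document. The following script is an added example, not code from the article or from Norman or AlienVault, showing how an incident responder can pull those fields from a batch of bait documents and cluster samples by the recovered name. It builds its own minimal `.docx` fixtures in memory (constructed data; the names reused from the article are only sample values) so it runs offline, and it tolerates non-zip input and documents whose metadata has been scrubbed, returning an empty record rather than failing.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx(creator, last_modified_by):
    """Construct a minimal OOXML container carrying only a core-properties part.

    This is a constructed test fixture, not a real bait document; an empty
    string for either field models a document whose metadata was scrubbed.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_author_metadata(docx_bytes):
    """Return {'creator': ..., 'lastModifiedBy': ...} from docProps/core.xml.

    Missing fields are omitted; a non-zip file, a package without a core part
    or malformed XML all yield an empty dict so batch triage never aborts.
    """
    result = {}
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return result
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return result
    for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            result[key] = el.text.strip()
    return result


def cluster_by_author(samples):
    """Group sample file names by the author name recovered from their metadata.

    `samples` maps file name -> file bytes. Documents with no usable author
    field are grouped under '(none)' so scrubbed samples remain visible.
    """
    clusters = {}
    for name, data in samples.items():
        meta = extract_author_metadata(data)
        author = meta.get("creator") or meta.get("lastModifiedBy") or "(none)"
        clusters.setdefault(author, []).append(name)
    return clusters


if __name__ == "__main__":
    # Constructed sample set: two documents with metadata left in, one scrubbed.
    batch = {
        "invite_a.docx": build_sample_docx("Hitham", "Ayman"),
        "invite_b.docx": build_sample_docx("Hitham", "Hitham"),
        "report_c.docx": build_sample_docx("", ""),
    }
    for author, files in cluster_by_author(batch).items():
        print(f"{author}: {', '.join(files)}")
```

In a real triage the `samples` dict would be filled from the files on disk; the same `docProps/core.xml` part is present in `.xlsx` and `.pptx` packages, so the extractor applies to those formats unchanged. Legacy binary `.doc` files store these fields in OLE property streams instead and need a different parser.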
Some configuration strings found in the RAR archive that was used in the attack against the Israeli police suggest that the file's author was using the Arabic language on his computer when creating it, Jaime Blasco, head of the research lab at security firm AlienVault, said Monday via email.