Researchers identify year-long cyberespionage operation targeting Israelis, Palestinians

Recent malware attacks against the Israeli police are part of a larger campaign, Norman researchers say

By Lucian Constantin, IDG News Service |  Security

Until the summer of this year, the hostnames pointed to IP addresses belonging to an ISP from the city of Ramallah in the West Bank, Fagerland said.

By searching for malware that historically connected to the same hosts, the Norman researchers managed to find even more Xtreme RAT samples, the oldest of which dated back to October 2011. Some of those samples were used in email attacks that, based on their bait documents, most likely targeted Palestinians, not Israelis, Fagerland said.

The moving of C&C servers from the West Bank to the U.S. might have been triggered by the later switch in targets, Fagerland said. Seeing network traffic directed at an IP address in Palestine might raise suspicion for an Israeli individual or organization, but seeing connections with U.S. IP addresses would be common, he said.

The Norman researchers did not have access to the C&C servers or the opportunity to analyze a machine infected with one of the samples in order to determine what kind of data the attackers were after. However, the evidence gathered by analyzing the malicious files alone points to a year-long cyberespionage operation carried out by the same group of attackers, Fagerland said.

"We have the impression that a cybersurveillance operation is underway (and is probably still ongoing -- most recent sample created Oct. 31) which was first mainly focused on Palestinian targets, then shifted towards Israel," Fagerland said in the report. "The reason for the shift is unknown. Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change."

It's difficult to say who is behind the attacks, Fagerland said. It might be a government organization, a political group or a group of independent hackers, he said.

The attacks are not sophisticated in nature and did not require a lot of resources to pull off. The attackers used free hostnames instead of buying domain names, used cheap hosting solutions for their C&C infrastructure and used Xtreme RAT instead of building their own malware. Xtreme RAT is one of the cheapest remote access Trojan programs available; a standard set-up costs around $40, Fagerland said.

The attackers forgot to scrub the metadata from their bait documents, which revealed the names or aliases of the people who created the files: Hitham, anar, Ayman, Tohan, ahmed, aert or HinT.

Some configuration strings found in the RAR archive that was used in the attack against the Israeli police suggest that the file's author was using the Arabic language on his computer when creating it, Jaime Blasco, head of the research lab at security firm AlienVault, said Monday via email.
