Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that for the past year has deployed malicious software to spy on Israeli and Palestinian targets.
The discovery, by Oslo-based antivirus and security firm Norman ASA, is the latest in a series of revelations involving digital surveillance activity of unknown origin that appears designed to gather intelligence from specific targets in the Middle East.
Norman’s experts say the true extent of the spy network came into focus after news of a cyber attack in late October 2012 that caused Israeli authorities to shut down Internet access for its police force. According to press reports, that incursion was spearheaded by a booby-trapped email that was made to look as if it was sent by Benny Gantz, the chief of general staff of the Israel Defense Forces.
Security vendor Trend Micro suggested that the initial target of that attack were systems within the Israeli Customs agency, and said the malware deployed was a version of Xtreme RAT, a Remote Access Trojan that can be used to steal information and receive commands from a remote attacker. According to Trend, the latest iterations of Xtreme Rat have Windows 8 compatibility, improved Chrome and Firefox password grabbing, and improved audio and desktop capture capabilities features.
Snorre Fagerland, a senior virus researcher at Norman, said he examined a sample of the Trojan used to deploy the malware in that attack, and found that it included a rather telltale trait: It was signed with a digital certificate that was spoofed to appear as though it had been digitally signed by Microsoft.
The faked digital certificate would not stand up to validation by Windows— or anyone who cared to verify it with the trusted root certificates shipped with Windows PCs. But it proved to be a convenient marker for Fagerland, who’s been scouring malware databases for other samples that used the same phony certificate ever since. So far, he’s mapped out an expanding network of malware and control servers that have been used in dozens of targeted email attacks (see graphic below).
“These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate,” Fagerland said in an interview with KrebsOnSecurity. “In my view, they are same attackers.”
Fagerland found that the oldest of the malicious files bearing the forged Microsoft certificate were created back in October 2011, and that the Arabic language email lures used in tandem with those samples highlighted Palestinian news issues. He observed that the attackers used dynamic DNS providers to periodically shift the Internet addresses of their control networks, but that those addresses nearly always traced back to networks in Gaza assigned to a hosting provider in Ramallah in the West Bank.
After about eight months of this activity, the focus of the malware operation pivoted to attacking Israeli targets, Fagerland discovered. When that happened, the attackers shifted the location of their control servers to networks in the United States.
Until recently, much of the discussion about espionage attacks has centered around activity thought to emanate from state-sponsored hacking groups within China. But espionage campaigns such as this one highlight activity from a growing movement of apparently independent hacker groups that may not enjoy state backing but which nevertheless can be effective at gathering useful intelligence and surveillance.
While Chinese espionage attackers use many of the same tactics and techniques (a heavy reliance on dynamic DNS providers and targeted, contextual email lures), these actors tend to use locally-made malware and homegrown lures (although they’ve shown a remarkable fondness for the freely available Poison Ivy RAT), Fagerland said.
“When it comes to the Middle East hackers, they have obviously expended less effort in making their own stuff, and tend to rely on off-the-shelf tools, such as Blackshades, XtremeRAT and Dark Comet,” he said. Indeed, researchers have documented numerous examples of these commercial tools being used in espionage attacks against activists in other countries of the region, most notably Syria.
Fagerland declined to speculate about who might be responsible for the attacks, suggesting only that it was “an entity with intelligence needs against both Israelis and Palestinians.”
“But I think it’s almost unheard of in a cyberwar context that two parties involved in a conflict get spied on by the same entity,” he said.
Fagerland noted that the attackers failed to scrub the metadata included in most of the email bait files. Those files, mostly booby-trapped Microsof Word documents, appear to have been created and saved by handful of users, including “Hitham,” “Tohan,” Aert,” and “Ayman.” I spent a short while searching hacker forums popular in the Middle East, and found several accounts matching those nicknames at a forum called Gaza-Hacker.net. The profiles of both Hitham (pictured below) and Aert suggest they are young men from Algeria. Hitham’s signature suggests he is a member of a group calling itself the Gaza Hackers Team, which claimed responsibility for defacing Israeli government sites earlier this year with messages calling for “Death to Israel.”