Year-Long Cyber Espionage Campaign Targets Israel And Palestine

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Security researchers say they’ve spotted a cyber surveillance campaign against both Israeli and Palestine systems

Multiple malware attacks against both Israeli and Palestinian systems, likely to be coming from the same source, have been seen over the last year.

Security company Norman said it had seen malware communicating with the same command and control servers and were signed with the same digital certificate in many cases. It believes a lengthy cyber espionage campaign is under way.

The attackers were serving up the XtremeRat trojan, which was infamously used in surveillance campaigns against Syrian activists. Whilst that trojan has been in use for some time, the interesting thing about the versions sent to Israeli and Palestinian targets was that they were signed with what seemed to be a legitimate Microsoft certificate, Norman said.

Cyber espionage

Whilst the certificate chain of one sample ended in an untrusted root certificate, meaning it would not validate properly, Norman used its findings to locate other similar trojans. Looking at the history of those trojans, Norman found attacks initially targeted Palestine before moving over to Israel.

The attackers used bait, such as stories about Hamas allegedly planning to buy rockets from Iran or circumcision rites, to attract targets into clicking on links, which would launch an executable and write malware onto system memory.

Looking into the source of the attacks, Norman could find nothing definite. However, as it looked back in the timeline of the surveillance campaign, domains used resolved to an IP address which belonged to a provider located in Ramallah in the West Bank.

“What is behind these IP addresses is hard to establish. It is possible they are hacked boxes and as such [do] not give much valid information. If that were the case, one might have expected [a] greater IP range and geographical distribution, but nothing is certain,” the report read.

Norman was also at a loss as to why attacks shifted target from Palestine to Israel. “There are probably several actors that could have an interest in the regional politics, as the various powerblocks in the region are manifold and conflicted,” it added.

“By using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development.”

Interested by tech and fascinating plots? Try our tech in the movies quiz!