Kaspersky Lab today announced its research on the Gaza Cybergang
cyberespionage operation, SneakyPastes,
which targeted individuals and organizations with Middle-Eastern
political interest in 39 countries worldwide. In 2018, the
campaign made use of disposable email addresses to spread the infection
through phishing attacks, before downloading the malware in chained
stages using multiple free sites. Kaspersky Lab’s research was shared
with law enforcement and has resulted in the takedown of a significant
part of the attack infrastructure.
Countries targeted by Arabic-speaking Gaza Cybergang for its SneakyPastes operation in 2018, according to Kaspersky Lab detection data. (Graphic: Business Wire)
The Gaza Cybergang is an Arabic speaking, politically motivated
collective of interrelated threat groups actively targeting the Middle
East and North Africa, with a particular focus on the Palestinian
Territories. Kaspersky Lab has identified at least three groups within
the gang, with similar aims and targets – cyberespionage related to
Middle Eastern political interests – but very different tools,
techniques and levels of sophistication.
The groups include the more advanced Operation Parliament and Desert
Falcons, known since 2018 and 2015 respectively, and an underpinning,
less complex group, also known as MoleRats, that has been active since
at least 2012. In the spring of 2018, this basic group launched
operation SneakyPastes.
SneakyPastes began with politically themed phishing attacks, spread
using disposable email addresses and domains. Malicious links or
attachments that were either clicked or downloaded then installed the
infection on the victim device.
In order to avoid detection and hide the location of the command and
control server, additional malware was downloaded to victim devices in
chained stages using a number of free sites including Pastebin and
GitHub. The various malicious implants used PowerShell, VBS, JS and
.NET to achieve resilience and persistence within infected systems. The
final stage of intrusion was a Remote Access Trojan, which made contact
with the command and control server and then gathered, compressed,
encrypted and uploaded a wide range of stolen documents and spreadsheets
to it. The name SneakyPastes derives from the attackers’ heavy use of
paste sites to gradually sneak the RAT onto victim systems.
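The staging chain described above (a script-host interpreter fetching the next stage from a free paste or code-hosting site, then spawning another interpreter that does the same) is something a security team can hunt for in endpoint telemetry. The following Python is an added example written for this page; it is not Kaspersky Lab's code or detection logic. Its key=value log format, the host names, the sample events, the list of Office parent processes and every domain other than Pastebin and GitHub are constructed assumptions for illustration.

```python
"""Heuristic detection for a SneakyPastes-style staging chain:
script-host interpreters (PowerShell, wscript, cscript, mshta) that fetch
from free paste/code-hosting sites, chained one from another, and
script hosts spawned by Office applications (phishing attachments).

Added example, not Kaspersky Lab code. The key=value log format, the
domain list beyond Pastebin/GitHub and the sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the binaries that PowerShell, VBS and JS implants run under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: Office apps whose child script host suggests a malicious attachment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Pastebin and GitHub come from the page; the remaining entries are assumed.
PASTE_DOMAINS = ("pastebin.com", "github.com", "raw.githubusercontent.com",
                 "gist.github.com", "paste.ee")

# Constructed sample telemetry (not real data): WS-01 shows the staged chain,
# WS-02 shows benign activity that must not be flagged.
SAMPLE_LOG = r"""
ts=2018-06-12T09:14:02 host=WS-01 event=proc pid=4120 ppid=2204 image="C:\Windows\System32\wscript.exe" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmd="wscript.exe C:\Users\amal\AppData\Local\Temp\invite.vbs"
ts=2018-06-12T09:14:03 host=WS-01 event=net pid=4120 image="C:\Windows\System32\wscript.exe" dest=pastebin.com port=443
ts=2018-06-12T09:14:05 host=WS-01 event=proc pid=4188 ppid=4120 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\wscript.exe" cmd="powershell.exe -nop -w hidden -File C:\Users\amal\AppData\Local\Temp\stage2.ps1"
ts=2018-06-12T09:14:06 host=WS-01 event=net pid=4188 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=raw.githubusercontent.com port=443
ts=2018-06-12T09:20:11 host=WS-02 event=net pid=3010 image="C:\Program Files\Google\Chrome\Application\chrome.exe" dest=github.com port=443
ts=2018-06-12T09:21:40 host=WS-02 event=proc pid=3300 ppid=900 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmd="powershell.exe Get-Process"
ts=2018-06-12T09:21:41 host=WS-02 event=net pid=3300 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" dest=update.contoso.example port=443
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_paste_site(dest: str) -> bool:
    """True for a listed paste/code-hosting domain or any subdomain of one."""
    d = dest.lower()
    return any(d == p or d.endswith("." + p) for p in PASTE_DOMAINS)


def analyze(log_text: str, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return per-host findings for hosts with at least one script-host
    connection to a paste site; hosts without such a connection are omitted."""
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        if line.strip():
            ev = parse_line(line)
            by_host[ev["host"]].append(ev)

    findings = {}
    for host, events in by_host.items():
        fetches = [e for e in events
                   if e["event"] == "net"
                   and basename(e["image"]) in SCRIPT_HOSTS
                   and is_paste_site(e["dest"])]
        if not fetches:
            continue
        procs = [e for e in events
                 if e["event"] == "proc" and basename(e["image"]) in SCRIPT_HOSTS]
        chained = [e for e in procs if basename(e["parent"]) in SCRIPT_HOSTS]
        from_office = [e for e in procs if basename(e["parent"]) in OFFICE_APPS]
        # Fetches by more than one script-host process inside one short window
        # is the "downloaded in chained stages" pattern described on the page.
        times = sorted(datetime.fromisoformat(e["ts"]) for e in fetches)
        staged = len({e["pid"] for e in fetches}) > 1 and times[-1] - times[0] <= window
        findings[host] = {
            "paste_fetches": [(e["pid"], basename(e["image"]), e["dest"]) for e in fetches],
            "chained_spawns": len(chained),
            "office_spawns": len(from_office),
            "severity": "high" if (staged or chained) else "medium",
        }
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(host, finding)
```

Run as written it reports only WS-01, with two paste-site fetches by two different interpreters a few seconds apart, one interpreter-to-interpreter spawn and one script host launched by Word, and rates it high; WS-02's browser visit to GitHub and its ordinary PowerShell use are ignored. In production the domain list and the window would be tuned to the environment, and a raw match should be enriched with the fetched URL so the analyst can pull the paste before it is deleted.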
Kaspersky Lab researchers worked with law enforcement to uncover the
full cycle of attack and intrusion for the SneakyPastes operation. These
efforts have resulted not just in a detailed understanding of the tools,
techniques, targets and more, but also in the actual takedown of a
significant part of the infrastructure.
The SneakyPastes operation was at its most active between April and
mid-November 2018, focusing on a small list of targets that comprised
diplomatic and government entities, NGOs and media outlets. Using
Kaspersky Lab telemetry and other sources, there appear to be around 240
high profile individual and corporate victims, in 39 countries
worldwide, with the majority located in the Palestinian Territories,
Jordan, Israel and Lebanon. Victims included embassies, government
entities, media outlets and journalists, activists, political parties
and individuals, as well as education, banking, healthcare and
“The discovery of Desert Falcons in 2015 marked a turning point in the
threat landscape as it was then the first known fully Arabic speaking
APT,” said Amin Hasbini, head of Middle East Research Center, Global
Research and Analysis Team (GReAT) at Kaspersky Lab. “We now know that
its parent, Gaza Cybergang, has been actively targeting Middle Eastern
interests since 2012, initially relying most on the activities of a
fairly unsophisticated but relentless team – the team that in 2018
launched operation SneakyPastes. It shows that lack of infrastructure
and advanced tools is no impediment to success. We expect the damage
exerted by all three Gaza Cybergang groups to intensify and the attacks
to extend into other regions that are also linked to Palestinian issues.”
In order to avoid falling victim to a targeted attack by a known or
unknown threat actor, Kaspersky Lab researchers recommend implementing
the following measures:
Use advanced security tools like Kaspersky Anti Targeted Attack Platform
(KATA) and make sure your security team has access to the most recent
cyber threat intelligence.
Make sure you update all software used in your organization on a
regular basis, particularly whenever a new security patch is released.
Security products with Vulnerability Assessment and Patch Management
capabilities may help to automate these processes.
Choose a proven security solution such as Kaspersky Endpoint Security
that is equipped with behavior-based detection capabilities for
effective protection against known and unknown threats, including
exploits.
Ensure your staff understand basic cybersecurity hygiene, as many
targeted attacks start with phishing or other social engineering
All Kaspersky Lab products successfully detect and block this threat.
A report on the Gaza Cybergang’s operation SneakyPastes can be found on Securelist.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity
company, which has been operating in the market for over 21 years.
Kaspersky Lab’s deep threat intelligence and security expertise is
constantly transforming into next-generation security solutions and
services to protect businesses, critical infrastructure, governments and
consumers around the globe. The company’s comprehensive security
portfolio includes leading endpoint protection and a number of
specialized security solutions and services to fight sophisticated and
evolving digital threats. Over 400 million users are protected by
Kaspersky Lab technologies and we help 270,000 corporate clients protect
what matters most to them. Learn more at www.kaspersky.com