A story about hacking members of the Palestinian Authority has turned into another story about how the Palestinian Authority tries to control the news media.
Two apparently politically motivated backdoor campaigns have been observed operating in the Middle East, targeting influential Palestinians. The aggressors are most likely the MoleRATs APT (aka The Gaza Cybergang, Extreme Jackal, Moonlight, and DustySky). MoleRATs operates out of Gaza and is believed to be associated with Hamas.
The two campaigns are primarily differentiated by the backdoor malware used, Spark and Pierogi, and have been named the Spark Campaign and the Pierogi Campaign respectively by researchers at Cybereason’s Nocturnus group. Spark is the older of the two and has been known since January 2019; Nocturnus believes it was developed by MoleRATs themselves. Pierogi is a new, previously undocumented RAT discovered by Cybereason in December 2019.
Pierogi is thought to have been developed by Ukrainians rather than MoleRATs themselves. There are numerous Ukrainian words within the code, including, for example, C2 commands. These include ‘ekspertyza’ (‘examine’, for requesting commands from the C2), ‘zavantazhyty’ (‘download’, for exfiltration), and ‘vydaly’ (‘delete’, for deleting certain requests). The Ukrainian connection is the reason for the Pierogi (a popular East European dish) name.
Both campaigns use email social engineering as the initial attack vector. Spark delivers a weaponized document or a malicious link. The lure is political, including themes based on the Hamas/Fatah conflict, the Israel/Palestine conflict, tensions based on the killing of Qasem Soleimani, and tensions between Hamas and the Egyptian government.
Cybereason concludes that the Spark Campaign’s social engineering element is “specifically meant to lure and appeal to victims from the Middle East, especially towards individuals and entities in the Palestinian territories likely related to the Palestinian government or the Fatah movement.”
The second campaign, Pierogi, is slightly different but also tied to MoleRATs. It is similarly targeted against Palestinian individuals and entities that are likely related to the Palestinian government. ….
The infrastructure for the Pierogi campaign seems to have been created specifically for the campaign. The domains were registered in November 2019 and operationalized shortly afterward. “The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims.” Cybereason suggests it may have been obtained through underground communities rather than developed in-house by MoleRATs.
It is interesting that the hacking capabilities of Gaza (and possibly Hamas) are this sophisticated.
But the Palestinian Authority doesn’t want this information to be published.
The Ministry of Communications and Information Technology said that what the Israeli websites claim about the occurrence of cyber attacks and attempts to penetrate Palestine is only a description of the general situation to which Palestine and other countries of the world are subjected, namely attempts at infiltration and cyber attacks from multiple sides.
The ministry confirmed in a statement issued today, Friday, that all attempts of this type are dealt with immediately by our specialized teams, which are the information security team and the competent security authorities.
The Ministry called on citizens not to engage with such news, inviting them to go to the competent authorities in the event that any citizen is exposed to attempts or operations of this type of targeting or others.
The Ministry released a statement: “We deplored the nature and timing of this news, which was published through the occupation…we confirm that its aim is an attempt to reinforce the division between our people who created a great image of unity with the decision rejecting the deal of the century.”
The Ministry called on all Palestinian and Arab news websites and media platforms to be vigilant and cautious, not to circulate unreliable news and reports, and to check their accuracy before publication.
The news of course came from an Israeli cybersecurity company, not the Israeli government. A new backdoor in Android is always news. This is what cybersecurity researchers do. The PA yet again is warning its news media not to publish reports that make it look bad. The idea that the timing was somehow meant to hurt Palestinian unity is paranoia.
And the attempt to stifle free speech is at least as big a story as the hacking.