23 April 2021

Facebook disrupts cyber-espionage campaign run by Palestinian hackers


Facebook says it disrupted activities of two separate Palestine-linked hacker groups that abused its platform to conduct cyber-espionage and distribute malware.

One of the hacker groups is believed to have ties to the Preventive Security Service (PSS), the Palestinian Authority’s internal intelligence organization. It targeted victims primarily in the Palestinian territories and Syria and, to a lesser degree, in Turkey, Iraq, Lebanon and Libya, Facebook said.

The group used a variety of malicious tools, including custom-built Android malware, the SpyNote Android RAT, and Windows malware (NJRat and HWorm), to spy on users. The hackers also used social engineering techniques to trick targets into clicking on malicious links and installing malware on their devices.

“This group used fake and compromised accounts to create fictitious personas posing primarily as young women, and also as supporters of Hamas, Fatah, various military groups, journalists and activists to build trust with people they targeted and trick them into installing malicious software. Some of their Pages were designed to lure particular followers for later social engineering and malware targeting,” Facebook said.

The other hacker group, Arid Viper, targeted primarily domestic audiences in Palestine, including government officials, members of the Fatah political party, student groups and security forces.

It used sprawling infrastructure to support its operations, including over a hundred websites that either hosted iOS and Android malware, attempted to steal credentials through phishing or acted as command and control servers, according to Facebook.

In addition to Windows and Android malware, the group used a custom-built iOS espionage tool, dubbed Phenakite, which was capable of stealing sensitive user data from iPhones without jailbreaking the devices prior to the compromise. The malware was delivered via a trojanized chat application that used the open-source RealtimeChat code for legitimate app functionality. Phenakite could also direct people to phishing pages for Facebook and iCloud to steal their credentials for those services.
