Hacking activity in the Gaza Strip and West Bank has ramped up in recent years as rival Palestinian political parties spar with each other, the Israeli-Palestinian conflict continues, and Palestinian hackers increasingly establish themselves on the global stage. Now, Facebook has uncovered two digital espionage campaigns out of Palestine, active in 2019 and 2020, that exploited a range of devices and platforms, including unique spyware that targeted iOS.
The groups, which appear to be unconnected, seem to have been at cross-purposes. But both used social media platforms like Facebook as jumping off points to connect with targets and launch social engineering attacks to guide them toward phishing pages and other malicious websites.
The researchers link one set of attackers to Palestine’s Preventive Security Service, an intelligence group under the West Bank’s Fatah ruling party. In this campaign, the group primarily targeted the Palestinian territories and Syria, with some additional activity in Turkey, Iraq, Lebanon, and Libya. The hackers seemed largely focused on attacking human rights and anti-Fatah activists, journalists, and entities like the Iraqi military and Syrian opposition.
The other group, the longtime actor Arid Viper, which has been associated with Hamas, focused on targets within Palestine like Fatah political party members, government officials, security forces, and students. Arid Viper established an expansive attack infrastructure for its campaigns, including hundreds of websites that launched phishing attacks, hosted iOS and Android malware, or functioned as command and control servers for that malware.
“To disrupt both these operations, we took down their accounts, released malware hashes, blocked domains associated with their activity, and alerted people who we believe were targeted by these groups to help them secure their accounts,” Facebook’s head of cyberespionage investigations, Mike Dvilyanski, and director of threat disruption, David Agranovich, wrote in a blog post on Wednesday. “We shared information with our industry partners including the anti-virus community so they too can detect and stop this activity.”
The Preventive Security Service–linked group was active on social media and used both fake and stolen accounts to create personas, often depicting young women. Some of the accounts claimed to support Hamas, Fatah, or other military groups and sometimes posed as activists or reporters with the goal of building relationships with targets and tricking them into downloading malware.
The group used both off-the-shelf malware and its own Android spyware masquerading as a secure chat app to target victims. The chat app collected call logs, location, contact information, SMS messages, and device metadata. It also sometimes included a keylogger. The attackers also used publicly available Android and Windows malware. And the researchers saw evidence that the attackers made a fake content management platform for Windows that targeted journalists who wanted to submit articles for publication. The app didn’t actually work, but came bundled with Windows malware.