Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing.
A recently discovered targeted cyberespionage campaign targeting Israeli and Palestinian organizations in operation for more than a year serves as chilling evidence that cyberspying is a global phenomenon and no longer mostly the domain of massive nation-states like China.
While much of the attention has been trained on China as the source of cyberespionage, the discovery of this latest operation highlights just how popular and easy it has become to execute cyberspying. Thanks to ease of access and use of remote access Trojan (RAT) tools and reliability of social engineering, you don't need nation-state backing to conduct these types of targeted attacks. RATs traditionally had been associated with Chinese-based attackers, but that conventional wisdom is shifting as other nations and politically motivated attackers move to cyberspying via these tools to more efficiently gather intelligence on their marks.
Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates.
This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.
[Turns out cyberespionage malware and activity is far more prolific than imagined. See Scope Of APTs More Widespread Than Thought.]
Oftedal says he has seen XTreme RAT used in all types of attacks. What was most striking about this campaign is that the same attacker used it to go after both Israelis and Palestinian interests. With only the malware and email samples to study, however, he says, Norman can't draw any conclusions on who is behind the attacks.
Aviv Raff, CTO of Seculert, which also has been studying the attacks, says there appears to be a political motive for the attacks, and that the perpetrators could be Hamas hacktivists or someone from their own cyberarmy, he says.
Cyberespionage attacks from various players will increase in the coming year, he says. "I believe that next year we'll see more actors from different nations" conducting cyberespionage, Raff says. "I think such efforts are already in place, and [we] saw that with last year's attacks. The way I see this is that next year, more of such attacks will be discovered -- meaning they are taking place as we speak but go under the radar."
Israeli police last month pulled all of their computers off the Internet after discovering a rogue file spreading around their systems. Seculert studied the attack and concluded that the attacks were based on the Xtreme RAT, a not-so advanced but highly persistent attack tool.
That assessment was confirmed by Norman's research today. "This was not too advanced," Norman's Oftedal says. "They were using off-the-shelf Trojans. The only advanced piece is the digital certificates," which were created to appear as Microsoft-signed, he says.
The attackers initially used C&C servers located in the Gaza Strip region, and later moved them to hosting firms in the U.S. and U.K., according to Norman's findings.
Other researchers, including Dell SecureWorks, have spotted related Xtreme RAT activity against Palestinian and Israeli targets. Joe Stewart, director of malware research at Dell SecureWorks, says he has also seen Chinese hackers using XTreme RAT for cyberespionage, too.
But the similarities between nation-state Chinese attackers and these Middle Eastern political attacks end there. "A lot of targeting that's going on lately are kind of ad-hoc programs being spun up in response to Arab Spring...and throwing up commodity [Trojans]," Stewart says. "There's no time to spin up the next Flame. They use what's out there and available."
And researchers and victim organizations are also getting more experienced at spotting possible targeted attacks, which is adding to the snowball effect of new cyberespionage players and victims.
"Now that people realize espionage is the focus in a lot of cases, they are not so quick to dismiss malware samples that come in that are new and not usual," Stewart says. "A few years ago, you'd think 'that was just a random hacker and I'll concentrate on Storm' or whatever threat was big at the time. Now you see samples that are not like any other samples...and stand on their own because they are such low volume, and you realize this could be the next big story, a Stuxnet you got your hands on there that's worth delving into more."
The full report from Norman is available here.