Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

New Attacks on Palestine Linked to ‘Gaza Cybergang’

The Gaza Cybergang, an advanced persistent threat (APT) group linked to the Palestinian terrorist organization Hamas, apparently continues to target organizations in the Middle East, researchers at Check Point revealed last week.

The Gaza Cybergang, an advanced persistent threat (APT) group linked to the Palestinian terrorist organization Hamas, apparently continues to target organizations in the Middle East, researchers at Check Point revealed last week.

The attacks observed by the security firm started with a spear-phishing email carrying a self-extracting archive that stored a Word document and a malicious executable. The emails purported to come from the Palestinian Political and National Guidance Commission and the documents contained copies of media reports from various Palestinian news websites.

While the targeted user is busy looking at the document, a piece of malware is being installed on their system. The malware, an upgraded variant of Micropsia, a tool previously linked to the Gaza Cybergang, is capable of taking screenshots, stealing documents, rebooting the system, obtaining information about the compromised device, and killing itself.

These and other capabilities are provided by more than a dozen modules, each named after characters in the American TV show “The Big Bang Theory” and a popular Turkish TV series called “Resurrection: Ertugrul.” In a related malware sample, the modules are named after various BMW car models (e.g. BMW_x1, BMW_x8).

The main target of this campaign, which Check Point has dubbed “Big Bang,” appears to be the Palestinian Authority, the governing body of the emerging Palestinian autonomous regions of the West Bank and Gaza Strip.

Researchers believe the latest attacks started in March and evidence suggests that they could be the work of the Gaza Cybergang, which has been known to target the Palestinian Authority many times in the past years.

“Although the group behind it seems to be focused on carefully selecting their victims, using a custom-made info-stealer for intelligence gathering operations, due to its very nature it is difficult to assert what the ultimate goal of this campaign is. Indeed, the next stages of the attack may even still be in the works, not yet deployed or only deployed to selected few victims,” Check Point researchers wrote in a blog post.

Also known as Gaza Hackers Team and Molerats, the threat actor has been active since at least 2012. Its targets include Israel, Egypt, Saudi Arabia, the UAE, Iraq, the United States, and some European countries.

The group has occasionally suspended activity after security firms exposed its operations, but it has continued improving tools and techniques and expanding its list of targets.

One of the most recent reports on Gaza Cybergang was published in October 2017 by Kaspersky Lab. The security firm reported at the time that the group had been targeting organizations in the Middle East and North Africa (MENA) region, including an oil and gas company from which the hackers stole information for more than a year.

Cisco Talos also published a report on Gaza Cybergang last year, detailing attacks aimed at Palestinian law enforcement.

Related: Israel Accuses Hamas of Targeting Soldiers With World Cup App

Related: Cyberspies Target Middle East With Windows, Android Malware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...