Hackers leverage Facebook, Dropbox to spy on Egypt, Palestinians

It's a twist on the Arabic-speaking hacking group's tradecraft.
Al-kramah neighborhood
A neighborhood in Gaza City is pictured. An Arabic-speaking group that some researchers have linked to Hamas has targeted government officials in the Middle East according to new, research (Getty Images)

An Arabic-speaking hacking group that’s used phishing emails laden with sensational headlines focused on the Middle East to spy on government officials is leveraging recent diplomatic activity to conduct espionage.

Operatives with the group, known as MoleRATs, used mainstream technology services like Facebook and Dropbox to obscure their malicious activity and exfiltrate data, according Cybereason, the security company that published details on the activity on Wednesday.  It’s the latest example of a savvy hacking group turning to popular technology platforms to dupe their targets, or cover their tracks.

This MoleRATs espionage campaign, which occurred in October and November, was aimed at political and government officials in Egypt, the Palestinian territories, the United Arab Emirates and Turkey, according to Cybereason. Its phishing emails referenced a reported secret meeting between Saudi Crown Prince Mohammed bin Salman, Israeli Prime Minister Benjamin Netanyahu and U.S. Secretary of State Mike Pompeo.

Hackers used Facebook accounts to coordinate their activity, and Dropbox to store their espionage tools and exfiltrate stolen data, according to the findings.


It’s “a clever way of hiding in plain sight, enabling the attackers to go unnoticed by traditional network security solutions,” noted a Cybereason researcher who investigated the activity. They asked to remain anonymous because of the sensitivity of their work.

One of two new “backdoors,” or malicious code for retaining access to a target, relies on fake Facebook accounts to communicate with the MoleRATs operators, according to Cybereason. The researchers said they informed Dropbox and Facebook of their findings. Neither company responded to CyberScoop’s requests for comment.

MoleRATs isn’t alone in this regard. A hacking campaign linked with the Chinese government, uncovered by security firm Trend Micro in February, used Dropbox to store commands and stolen files.

“The primary benefit is that it evades network-level surveillance,” said Ben Read, senior manager of analysis at Mandiant Threat Intelligence. “It looks like what is otherwise benign traffic.”

The research is a reminder that MoleRATs, which is sometimes referred to as the Gaza Cyber Gang, is a persistent set of spies in a region not short of them. Although sometimes overshadowed by larger regional players, including hackers affiliated with Iran, MoleRATs typically relies on exploiting current events to collect intelligence.


In the wake of the U.S. killing of Iranian general Qassem Soleimani in January, for example, the group embarked on a hacking campaign using Soleimani-themed email lures against entities affiliated with the Palestinian government in the West Bank.

Researchers at Israeli firm ClearSky have linked MoleRATs to Hamas, the militant group that controls the Gaza Strip. But few other researchers have made such public attribution. The Gaza Cyber Gang itself is an umbrella term for an array of activity.

The latest findings seem to indicate the group is developing more mature capabilities.

“The group invests time and resources to try to keep the activity under the radar and evade detection,” the Cybereason researcher said. “They are doing a good job with evading automatic sandbox analysis, by checking for Arabic language settings, otherwise the malware won’t run.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts