Researchers detect fresh wave of hacking attacks on Palestinian targets

An example of a decoy document used to bait Palestinian targets as part of Arid Viper hacking activity. (Cisco Talos)


Written by

A hacking group is targeting Palestinian people and organizations with a wave of years-old malware, according to research published Wednesday.

The findings, from Cisco’s Talos threat intelligence division, unpack a surge of attacks starting around October 2021 targeting Palestinians using malware known as Micropsia.

The attacks are part of a broader campaign dating back to 2017 connected to a group known as Arid Viper, an Arabic hacking group possibly associated with Hamas that first emerged in 2015. Also known as Desert Falcons or APT-C-23, — “APT” stands for “advanced persistent threat,” a kind of group often associated with nation-state hackers —Kaspersky researchers in 2015 named it the “first exclusively Arabic APT group.” Kaspersky estimated at the time that it numbered 30 or so attackers who employed homemade malware, social engineering and other techniques against targets all over the world.

The group’s main motivation is espionage and information theft, Talos noted in its research, and “has been attributed to malicious operators politically motivated toward the liberation of Palestine.” Although not a “technically evolved actor,” the group is known to target both mobile and desktop platforms, including Apple iOS. It develops Android malware as well.

The Talos research does not specifically identify the targets of the campaign. Cybersecurity firm Cybereason noted in 2020 that what might partially explain Hamas-linked cyber activity on Palestinian targets is the historic rivalry between Hamas its rival Fatah, whose members have been targeted by Arid Viper, according to researchers.

Talos covered a previous campaign tied to the group in 2017 which targeted Palestinian law enforcement agencies and other public-sector Palestinian agencies using the same Micropsia malware. The malware relies on a payload written in the Delphi coding language that contains multiple remote access trojans and information gathering abilities.

The new campaign uses the same tactics, techniques and procedures as researchers observed in 2017, typically associated with politically-themed lures. The number of lures reduced in 2018 and 2019, but the researchers observed a “definite increase” in 2020 and 2021.

The current wave of attacks continue the theme of using politically-charged themes to lure victims into opening malicious files, such as politically-relevant annual reports, an article about the reunification of Palestinian families and a patient’s report from the State of Palestine’s Ministry of Health.

The malware detailed in the latest research establishes a persistent foothold in the target’s system, deploys the remote access trojans and allows for other actions, such as capturing screenshots of target computers.

Meta, the parent company of Facebook, took action against the group in April 2021 for creating and using fake accounts in targeted cyber-espionage campaigns against Palestinian government officials, members of the Fatah political party, student groups and security forces. Meta reported observing the group “incorporating fully functional custom iOS surveillanceware, capable of stealing sensitive user data from iPhones without requiring devices be jailbroken prior to compromise.”

Talos’ findings note that Meta’s detailed takedown of the group “did not stop” it, and that all of the evidence shows a a group that “has the motivation and means to operate longstanding campaigns against the same targets. This level of motivation makes them particularly dangerous to organizations that may come into their crosshairs.”

The researchers wrote: “Arid Viper is a prime example of groups that aren’t very advanced technologically, however, with specific motivations, are becoming more dangerous as they evolve over time and test their tools and procedures on their targets.”

-In this Story-

Cisco Talos, Facebook, Hamas, Meta, Palestine