At the end of October we learned that Israeli police were forced to disconnect all their computers from the Internet after finding a dangerous piece of malware on their networks. As it turns out, that’s only one of many attacks launched against Israeli and Palestinian targets in recent months.
According to experts from security firm Norman, these cyberattacks – launched by an unknown actor – have been ongoing for at least one year.
One part of the cyber espionage campaign relies on documents and videos, in English and Hebrew, to trick Israeli users into opening a malicious attachment. These messages spread a Remote Access Trojan (RAT) called Xtreme RAT, which is well suited to sniffing out sensitive information.
Another batch of malicious emails, aimed at Palestinian targets, was found to contain the same RAT. Furthermore, they were all found to communicate with the same command and control servers.
This led researchers to believe that the attacks on both Palestinian and Israeli organizations were conducted by the same group.
In both cases, the attackers leveraged documents containing controversial political topics to get their targets to install the RAT on their computers.
Considering that the last bait document was created on October 31, 2012, it’s likely that the campaign is still ongoing. However, experts couldn’t determine why the attackers shifted their focus from Israeli targets to Palestinian ones.
“Maybe it was planned all along; or caused by changes in the political climate; or maybe the first half of the operation found data that caused the target change,” Norman researchers wrote in their report.
“The attacker is still unknown to us. There are probably several actors that could have an interest in the regional politics, as the various powerblocks in the region are manifold and conflicted. By using largely off-the-shelf malware, the cost of mounting such an operation is considerably lower than for those who do their own malware development,” they added.