How the Cover Was Blown on Palestinian Hackers Spying Against Israel

Israeli cybersecurity company traced a Gazan malware designer after he forgot to erase the author details from the metadata properties of a Word document.

Image: Gaza hackers. From the ClearSky report.

A group of Palestinian hackers exposed in January resumed its operations against Israel in April, an Israeli security firm has announced. ClearSky Cyber Security also revealed the identity of the main individual behind the group.

This was the second report on the group by ClearSky, which reported in January that the group had been operating against Israel since 2012. The group is believed to be connected to what has been referred to as the “Benny Gantz virus,” which targeted several government offices in 2012 by using the name of the then-IDF chief of staff as a lure.

ClearSky representatives stressed at the time that the group was targeting the Israeli defense industry, embassies, journalists, banks and financial organizations, public organizations and software developers. The new operation is very similar, including emails sent to officials in the Egyptian foreign ministry, an official in the Palestinian Authority government, a senior official at Birzeit University, and banks and security companies in Israel.

The company found that the group, known as Molerats, stopped its hacking activity entirely for a short while after it was exposed in January. However, it resumed operations 20 days later against various targets in the United States, Egypt, Saudi Arabia and the Palestinian Authority, among other places. The group only resumed its activity against Israel in April.

Its main weapon is the DustySky malware, sent via email to hundreds of targets each week. The emails, written in Hebrew, English and Arabic, promise a variety of content, mostly dealing with security or cybersecurity topics. There were other cases, however, such as an email that posed as coming from the Israeli news site Walla! and promoted more clickable content: Durex’s “big sex survey.”

Once it has penetrated a user’s computer, the malware searches the files stored there for specific information to exfiltrate, focusing on passwords, security-related documents and keywords such as “collaborator,” “pilots,” “special units” and the Shin Bet security service.

ClearSky reported that it had identified Moayyad Ayesh, who it asserts is the main individual behind the development of the DustySky malware.

ClearSky CEO Boaz Dolev said that the first hint of Ayesh’s identity was a Word document from which he had forgotten to erase identifying details, including his email address, in the document’s properties. The investigators used this email address to discover his various accounts on social media, including Facebook and YouTube, as well as on the anonymous browsing service Tor, where he uploaded videos supporting Hamas.
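The slip described above is a metadata leak: a .docx file is a zip archive whose docProps/core.xml part records the creator and last-modified-by name that Word fills in from the user’s profile. The following is an added example, not code from ClearSky or from the article, showing how an investigator reads those fields and how a sender would scrub them before mailing a document. It builds a constructed minimal .docx in memory; the author value example.author@example.net and the machine account name are invented sample data, and the build/read/scrub function names are this example’s own.

```python
"""Read and scrub the author metadata carried in docProps/core.xml of a .docx.

Added example (not from the ClearSky report or the article). The sample
document and its property values are constructed here; nothing is read from
disk, so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces that appear in docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
URI_TO_PREFIX = {uri: prefix for prefix, uri in NS.items()}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes on re-serialization

# Properties that name a person or a machine account. Dates and title are left alone.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dc:description")

# Constructed core.xml, shaped like the one Word writes (values are invented).
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Security survey</dc:title>
  <dc:creator>example.author@example.net</dc:creator>
  <cp:lastModifiedBy>workstation-user</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2016-04-01T10:00:00Z</dcterms:created>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Return a constructed, minimal .docx (zip) carrying the sample core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml",
                   b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def _qualified(tag: str) -> str:
    """Turn ElementTree's '{uri}local' tag form into 'prefix:local'."""
    if not tag.startswith("{"):
        return tag
    uri, local = tag[1:].split("}", 1)
    return f"{URI_TO_PREFIX.get(uri, uri)}:{local}"


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return every core property as {'prefix:local': text}; this is what an
    investigator pulls out of a document before anything else."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {_qualified(child.tag): (child.text or "") for child in root}


def scrub_core_properties(docx_bytes: bytes) -> bytes:
    """Return a copy of the document with the identifying properties blanked.
    All other zip parts are copied through unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for child in root:
                    if _qualified(child.tag) in IDENTIFYING:
                        child.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(scrub_core_properties(original)))
```

core.xml is only the most obvious leak point: docProps/app.xml carries the Company field and editing statistics, tracked changes and comments carry author names, and the zip entry timestamps record when each part was written. A scrub routine meant for real use has to cover those parts as well, and a document should be checked after scrubbing rather than trusted on the strength of having been scrubbed.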

After the company issued its first report, in which it stressed that it held information about the attackers, Ayesh approached ClearSky to clarify details, posing as an Israel Defense Forces official and as representatives of foreign countries affected by the attack who were trying to obtain additional details. According to the company, his attempt only helped it gather more information about him.