Palestinian Hackers Launch Advanced Cyberspying Operation, Israeli Firm Says

Hackers linked to Hamas exploited Facebook, Dropbox and Google Drive to send out spyware targeting Arab leaders and states – using Netanyahu and MBS as bait

Omer Benjakob
How the phishing PDF worked Credit: Omer Benjakob

Hackers affiliated with Hamas have launched a complex cyberespionage campaign targeting Arab officials and political leaders across the Middle East, an Israeli cybersecurity firm revealed Wednesday.

The attackers made use of legitimate platforms like Facebook, Dropbox and Google Docs to send out the spyware, in what the researchers claim is a show of new capabilities which have previously been attributed to state actors.

According to the report by Cybereason, which was vetted for Haaretz by two independent cybersecurity experts, the team behind the attack is “Molerats,” also known as “The Gaza Cybergang.” The group was first revealed in 2012 and has been linked to Hamas and previous attacks against Israel and the Palestinian Authority, according to the firm and one of the experts.


Last year, Israel targeted Hamas' offensive cyberheadquarters in Gaza, the Israeli army revealed in a tweet, in what many said was the first case of a physical military retaliation against a cyberoperation, though the army did not disclose the reason for the attack or its timing.

‘Political phishing’


The attack was a three-pronged offensive that used “phishing” emails to try to gain access to the computers of officials in Dubai, Egypt, Turkey and other Gulf states, the researchers behind the report told Haaretz. Emails with infected files were sent to the targets and those who opened them would have the spyware installed on their computer unbeknownst to them. The nefarious program, the researchers said, could then access and even operate every facet of their computer.

This attack, the research group said, began in September but peaked in October and November, in “clear correlation with the normalization talks between Israel and Gulf states.” It also made use of key political themes to try to entice its victims. In fact, this is part of what makes the attack so unique, the researchers say.

Hamas sent PDFs purporting to be the secret minutes of PM Benjamin Netanyahu’s meeting with the Saudi Crown Prince Mohammed bin Salman in their cyberattack. Picture from October 24, 2018. Credit: GIUSEPPE CACACE/AFP

Unlike previous attacks that sent suspect files to their victims, this attack deployed a much more complex system: Victims did not get files directly, but were instead sent a PDF hosted on a legitimate website like Dropbox or Google Drive, which would then lead them to the nefarious program. The PDFs sent out were politically themed; one, for example, purported to be the secret minutes of Prime Minister Benjamin Netanyahu’s meeting with Saudi Crown Prince Mohammed Bin Salman, a topic of clear interest to Middle East political officials.

In a clear indication that the targets of the attack were Arab officials, the malware installed on the victim’s computer was programmed to check if the computer had an Arabic keyboard installed on it or made use of Arabic-language settings, researchers explained. If no Arabic language use was found, the program was to delete itself.

‘Hiding in plain sight’

By using platforms like Google Drive and Dropbox to send out the spyware, the researchers explain, the hackers were “hiding in plain sight” and de facto circumventing most anti-virus or cyberdefenses, which search for suspected links but cannot check the contents of the documents being hosted by legitimate sites.

There were two uses of legitimate platforms in this specific attack, researchers say. Not only were the hackers using such websites to lure their victims in, but they also made use of them to store and even operate the spyware itself, making detection even harder.

One key aspect of this was Facebook, researchers add. Most spyware requires some operator, and that operating program usually sits on some server which can be found or linked back to the attack or attackers. However, in this case, the hackers took advantage of Facebook to remotely operate the malicious software, and thus further severed the link between them and the attack. The hackers set up dummy accounts on Facebook, users with no real friends or activity, that would post statuses containing code or instructions that the spyware could then search Facebook for. In this manner, cryptic posts on Facebook that would make no sense to a human were used to orchestrate the attack, completely “under the radar of cyberdefenses,” the researchers said.

According to the researchers, what makes this attack so unique is threefold: Firstly, “it shows the correlation between offensive cyber and geopolitical events.” In this case, normalization between Israel and the Gulf states. Only two days ago, the United Arab Emirates announced it had been targeted in a cyberattack. However, the researchers refused to comment on whether it was the same operation being revealed here today.

Secondly, they say it substantiates a concerning trend of hackers of all kinds exploiting “legitimate platforms for nefarious purposes.”

One of the fake Facebook profiles used by Hamas, December 10, 2020. Credit: Omer Benjakob

“The use of fake Facebook profiles for command and control purposes is a rather rare technique that was previously used only by very advanced threat actors, for example the Turla group which is believed to be working in the interest of the Russian government,” the head of the research team said. This is also the third unique aspect of the attack: “We are seeing real spillover of advanced techniques previously associated with states now being used in other contexts, especially cybercrime.”

This comes in the wake of a recent Haaretz report about the massive hack of an Israeli insurance firm. The attack straddled the border between offensive and criminal cyberattacks. Initially cast as a ransom attack, it was then reframed as politically motivated extortion, if not an outright form of “cyberterrorism.”

As the head of Check Point’s cyberintelligence unit told Haaretz last week, “ransomware is immediately associated with cybercrime and money, and rightly so. However, ransomware serves more motivations rather than solely financial gains. We have seen, for example, hacktivists using ransomware to carry specific messages to the targeted organization, or to serve a certain idea,” said Lotem Finkelstein, citing a recent case, called Pay2Key, in which Iranian hackers targeted Israeli companies.

In September, an Iranian-linked hacker campaign called Operation Quicksand, which targeted “prominent Israeli organizations,” was also uncovered. The firms who revealed the alleged attack, Clearsky and Profero, said this indicated a “new phase” in Iranian attacks against Israel. The reason? The tools used had previously been deployed exclusively in criminal operations attributed to cybercriminals. However, these very same techniques were now being used to conceal a destructive offensive cyberattack that was motivated by geopolitics rather than financial gain, and may even have been orchestrated by the Iranian state itself.
