Czechs Shut Down Servers That Hezbollah Used for Espionage

Operators of fake profiles would persuade victims via Facebook to download ‘more secure’ apps for continuing their conversations, the website ZDNet reports

A fake Facebook profile that Hezbollah allegedly used to lure cyberespionage victims.
BIS/ZDNet

The Czech counterintelligence agency has identified and shut down servers that Hezbollah was using for cyberespionage, the website ZDNet reported Tuesday.

A statement issued by the agency last week said the servers were discovered through an operation by the Czech Republic’s Security Intelligence Service, known as BIS, and unidentified partners.

BIS said the servers were “almost certainly” operated by Hezbollah.

“I cannot comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers’ system,” said Michal Koudelka, the agency’s director. “We identified the victims and traced the attack to its source facilities. Hacker servers have been shut down.”

The agency said only some of the servers were in the Czech Republic. Others were in other European Union countries and the United States.

According to a Czech media report, the hackers were based in the Middle East, which is presumably why the command-and-control facilities were also in that region. Many of the targets were Middle Eastern as well, though the statement did not mention Israel specifically. But some of the targets were in other places, including eastern and central Europe.

Researchers from the Israeli cybersecurity firm Check Point reported in 2015 that Hezbollah had carried out a successful cyberespionage operation, even if it was not very sophisticated. That attack, nicknamed Volatile Cedar, targeted the computers of companies with ties to defense agencies.

The Czech agency’s description of the latest operation sounds very similar to a Hamas operation that the Israel Defense Forces and Shin Bet security service uncovered last year, and of which cybersecurity firms discovered additional cases this July.

The alleged Hezbollah operation, like the one reported in July, began in 2017. The Czech servers were used to deliver apps that contained spyware to the victims.

The apps were distributed via fake Facebook profiles, most of them of attractive young women. The operators of these profiles would contact the victims via Facebook and persuade them to download “more secure” apps for continuing their conversations.

The spyware in these apps, like the spyware employed by Hamas, gave the operators complete access to the victim’s smartphone, including GPS data, private messages, phone calls and contact lists, as well as the ability to make secret recordings.