Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks , Endpoint Security

Facebook Disrupts Palestinian APT Activities

Social Media Giant Says 2 Groups Were Conducting Cyberespionage
Facebook Disrupts Palestinian APT Activities

Facebook says it has disrupted the activities of two Palestinian advanced persistent threat groups that targeted victims across the Middle East as part of cyberespionage campaigns.

See Also: Enabling Government for Modernized IT

Facebook threat intelligence analysts say they discovered campaigns linked to AridViper, an espionage group that has been active since 2015, and Preventive Security Service, which is linked to Palestinian President Mahmoud Abbas’ intelligence services.

The groups used Android and Windows malware and advanced social engineering tactics to target journalists, human rights activists and military groups in Palestine, Syria, Turkey, Iraq, Lebanon and Libya for cyberespionage, Facebook says.

David Agranovich, Facebook's director for threat disruption, told the Independent newspaper that Facebook accounts associated with the hacking networks had been canceled and it had notified targets and shared the findings with other tech companies to prevent distribution of malware.

Although Facebook disrupted the APTs' infrastructures, it warns the groups could revive their activities soon.

"To disrupt both these operations, we took down their accounts, released malware hashes, blocked domains associated with their activity and alerted people who we believe were targeted by these groups to help them secure their (Facebook) accounts," Facebook says. "The groups behind these operations are persistent adversaries, and we know they will evolve their tactics in response to our enforcement."

Preventive Security Service

Preventive Security Service mainly used social engineering tactics to trick Facebook users into clicking links to install malicious chat applications.

The group used custom-built malware disguised as secure chat applications, which, when installed, collected device metadata, call logs, location, contacts and text messages. Attackers uploaded stolen data to Firebase, a mobile app development platform. The group also used SpyNote Android malware for remote access and call monitoring.

In addition, the group used Windows malware, including NJRat and HWorm.

The APT group used fake and compromised Facebook accounts to build trust with journalists and activists and trick them into installing malicious software. Some of these pages posted memes criticizing Russian foreign policy in the Middle East and Russia's involvement in Syria and Libya, Facebook says.

AridViper

AridViper, which is also known as DesertFalcon and APT-C-23, was first reported conducting cyberespionage campaigns in the Middle East by Kaspersky Lab in 2015.

The APT group used more than 100 websites that hosted iOS and Android malware used for credential theft.

Among the malware hosted, the researchers uncovered a never-before-seen, custom-built iOS malware strain dubbed Phenakite. "Installation of Phenakite required that people be tricked into installing a mobile configuration profile," the report notes. "Post-installation, a jailbreak was necessary for the malware to elevate its privileges to retrieve sensitive user information not accessible via standard iOS permission requests. This was achieved with the publicly available Osiris jailbreak that made use of the Sock Port exploit, both of which were bundled in the malicious iOS app store packages."

The group used an Android malware known as AridViper strain that is similar to FrozenCell and VAMP, Facebook notes. This malware was spread through attacker-controlled phishing sites, which are fake pages that look like the Facebook login page.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.