Facebook Disrupts Palestinian APT ActivitiesSocial Media Giant Says 2 Groups Were Conducting Cyberespionage
Facebook says it has disrupted the activities of two Palestinian advanced persistent threat groups that targeted victims across the Middle East as part of cyberespionage campaigns.
Facebook threat intelligence analysts say they discovered campaigns linked to AridViper, an espionage group that has been active since 2015, and Preventive Security Service, which is linked to Palestinian President Mahmoud Abbas’ intelligence services.
The groups used Android and Windows malware and advanced social engineering tactics to target journalists, human rights activists and military groups in Palestine, Syria, Turkey, Iraq, Lebanon and Libya for cyberespionage, Facebook says.
David Agranovich, Facebook's director for threat disruption, told the Independent newspaper that Facebook accounts associated with the hacking networks had been canceled and it had notified targets and shared the findings with other tech companies to prevent distribution of malware.
Although Facebook disrupted the APTs' infrastructures, it warns the groups could revive their activities soon.
"To disrupt both these operations, we took down their accounts, released malware hashes, blocked domains associated with their activity and alerted people who we believe were targeted by these groups to help them secure their (Facebook) accounts," Facebook says. "The groups behind these operations are persistent adversaries, and we know they will evolve their tactics in response to our enforcement."
Preventive Security Service
Preventive Security Service mainly used social engineering tactics to trick Facebook users into clicking links to install malicious chat applications.
The group used custom-built malware disguised as secure chat applications, which, when installed, collected device metadata, call logs, location, contacts and text messages. Attackers uploaded stolen data to Firebase, a mobile app development platform. The group also used SpyNote Android malware for remote access and call monitoring.
In addition, the group used Windows malware, including NJRat and HWorm.
The APT group used fake and compromised Facebook accounts to build trust with journalists and activists and trick them into installing malicious software. Some of these pages posted memes criticizing Russian foreign policy in the Middle East and Russia's involvement in Syria and Libya, Facebook says.
AridViper, which is also known as DesertFalcon and APT-C-23, was first reported conducting cyberespionage campaigns in the Middle East by Kaspersky Lab in 2015.
The APT group used more than 100 websites that hosted iOS and Android malware used for credential theft.
Among the malware hosted, the researchers uncovered a never-before-seen, custom-built iOS malware strain dubbed Phenakite. "Installation of Phenakite required that people be tricked into installing a mobile configuration profile," the report notes. "Post-installation, a jailbreak was necessary for the malware to elevate its privileges to retrieve sensitive user information not accessible via standard iOS permission requests. This was achieved with the publicly available Osiris jailbreak that made use of the Sock Port exploit, both of which were bundled in the malicious iOS app store packages."
The group used an Android malware known as AridViper strain that is similar to FrozenCell and VAMP, Facebook notes. This malware was spread through attacker-controlled phishing sites, which are fake pages that look like the Facebook login page.