2012-01
Defacement of Israel fire service website
Hackers claiming to be from the Gaza Strip defaced the website of the Israel Fire and Rescue services, posting a message saying “Death to Israel,” a spokesman said on Friday.
https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website
2012-10
Operation “Molerats”
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well — and as discovered later, even the U.S. and UK governments.
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
2013-06
We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control (CnC) infrastructure used by the Molerats attackers.
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
2014-04
Between 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial institution and multiple, European government organizations.
https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html
2014 Summer
Attacks against Israeli & Palestinian interests
The decoy documents and filenames used in the attacks suggest the intended targets include organizations with political interests or influence in Israel and Palestine.
https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html
2014
Operation “Moonlight”
Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.
https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks
2015-05
One interesting new fact about Gaza Cybergang activities is that they are actively sending malware files to IT (Information Technology) and IR (Incident Response) staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyberattack investigations.
https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/
2015-09
Operation “DustySky”
These attacks are targeted, but not spear-phished. I.e., malicious email messages are sent to selected targets rather than random mass distribution, but are not tailored specifically to each and every target. Dozens of targets may receive the exact same message. The email message and the lure document are written in Hebrew, Arabic or English –depending on the target audience. Targeted sectors include governmental and diplomatic institutions, including embassies; companies from the aerospace and defense Industries; financial institutions; journalists; software developers. The attackers have been targeting software developers in general, using a fake website pretending to be a legitimate iOS management software, and linking to it in an online freelancing marketplace.
https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf
2015-12
Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part of a campaign linked to DustySky.
https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/
2016-04
Operation “DustySky” Part 2
Attacks against all targets in the Middle East stopped at once, after we published our first report. However, the attacks against targets in the Middle East (except Israel) were renewed in less than 20 days. In the beginning of April 2016, we found evidence that the attacks against Israel have been renewed as well. Based on the type of targets, on Gaza being the source of the attacks, and on the type of information the attackers are after –we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks.
https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf
2016-11
PwC analysts have been tracking the same malware campaign, which has seen a noticeable spike since at least April 2016. The attackers have targeted Arabic news websites, political figures and other targets that possess influence in the Palestinian territories and other neighbouring Arab countries.
Our investigation began by nalyzing around 20 executable files associated with the attacks. Several of these files opened decoy documents and audio files, which were exclusively in Arabic-language.
https://pwc.blogs.com/cyber_security_updates/2016/11/molerats-theres-more-to-the-naked-eye.html
2017 Mid
New targets, use of MS Access Macros and CVE 2017-0199, and possible mobile espionage
One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year.
Another interesting finding is the use of the recently discovered CVE 2017-0199 vulnerability, and Microsoft Access files into which the download scripts were embedded to reduce the likelihood of their detection. Traces of mobile malware that started to appear from late April 2017, are also being investigated.
https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
2017-09
Operation “TopHat”
In recent months, Palo Alto Networks Unit 42 observed a wave of attacks leveraging popular third-party services Google+, Pastebin, and bit.ly.
The attacks we found within the TopHat campaign began in early September 2017. In a few instances, original filenames of the identified samples were written in Arabic.
https://unit42.paloaltonetworks.com/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/
2019-01
“Spark” Campaign
This campaign uses social engineering to infect victims, mainly from the Palestinian territories, with the Spark backdoor. This backdoor first emerged in January 2019 and has been continuously active since then. The campaign’s lure content revolves around recent geopolitical events, espeically the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements.
https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one
2019-02
New Attack in the Middle East
Recently, 360 Threat Intelligence Center captured a bait document designed specifically for Arabic users. It is an Office Word document with malicious macros embedded to drop and execute a backdoor packed by Enigma Virtual Box. The backdoor program has a built-in keyword list containing names of people or opera movies to communicate with C2, distributes control commands to further control the victim’s computer device. After investigation, we suspect this attack is carried out by Molerats.
https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/
2019-04
Operation “SneakyPastes”
The campaign is multistage. It begins with phishing, using letters from one-time addresses and one-time domains. Sometimes the letters contain links to malware or infected attachments. If the victim executes the attached file (or follows the link), their device receives Stage One malware programmed to activate the infection chain.
https://www.kaspersky.com/blog/gaza-cybergang/26363/
2019-10
Between October 2019 through the beginning of December 2019, Unit 42 observed multiple instances of phishing attacks likely related to a threat group known as Molerats (AKA Gaza Hackers Team and Gaza Cybergang) targeting eight organizations in six different countries in the government, telecommunications, insurance and retail industries, of which the latter two were quite peculiar.
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/
2019-12
“Pierogi” Campaign
This campaign uses social engineering attacks to infect victims with a new, undocumented backdoor dubbed Pierogi. This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware.
https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one
2020-03
Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/
https://www.bleepingcomputer.com/news/security/hackers-hide-malware-c2-communication-by-faking-news-site-traffic/
2020-10
New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://www.cybereason.com/blog/molerats-apt-new-malware-and-techniques-in-middle-east-espionage-campaign
2021 Early
New TA402 Molerats Malware Targets Governments in the Middle East
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
2021-04
Threat Group Uses Voice Changing Software in Espionage Attempt
https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt
2021-07
New espionage attack by Molerats APT targeting users in the Middle East
https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
2021-11
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
2023-07
TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities
https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government