SAS 2019: Gaza Cybergang Blends Sophistication Levels in Highly Effective Spy Effort

sneakypastes gaza cybergang

The SneakyPastes campaign was highly effective but hardly advanced.

SINGAPORE — Around 240 high-profile victims in 39 countries worldwide have become victims of an APT cyber-espionage attack, led by an organization dubbed the Gaza Cybergang that comprises several groups of varying sophistication.

The victims, who were all targeted last year, include political, diplomatic, media and activist entities, according to Kaspersky Lab research presented at the Security Analyst Summit (SAS) 2019 this week in Singapore. They all shared one thing in common: An interest in Middle-Eastern politics.

“The Gaza Cybergang is an Arabic speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa, with a particular focus on the Palestinian Territories,” the firm said in an analysis shared with Threatpost ahead of a presentation on it at the show. “Kaspersky Lab has identified at least three groups within the gang, with similar aims and targets – cyberespionage related to Middle Eastern political interests – but very different tools, techniques and levels of sophistication. There is an element of sharing and overlap between them.”

The groups involved include the more advanced Operation Parliament (first seen last year) and Desert Falcons; as well as a less complex group known as MoleRats that’s been around since at least 2012. Kaspersky Lab said that the discovery of Desert Falcons in 2015 marked a turning point in the threat landscape as it was then the first known fully Arabic speaking APT.

“We now know that its parent, Gaza Cybergang has been actively targeting Middle Eastern interests since 2012, initially relying most on the activities of a fairly unsophisticated but relentless team,” said Amin Hasbini, head of Middle East Research Center at the Global Research and Analysis Team (GReAT) at Kaspersky Lab, in the report.

Kaspersky Lab researchers, who named the campaign SneakyPastes, said that it commenced last spring, making use of disposable email addresses to spread the infection through politically themed phishing messages. The mails had malicious links or attachments. Interestingly, in order to avoid detection and hide the location of the command-and-control server (C2), SneakyPastes also employed a low-cost but effective approach that involved downloading spyware in chained stages using multiple free sites like Pastebin and Github – giving the operation its name. It gradually “sneaks” the malware onto the targeted computer using these types of paste sites.

“The various malicious implants used PowerShell, VBS, JS, and dotnet to secure resilience and persistence within infected systems,” researchers said in the analysis. “The final stage of intrusion was a remote access trojan (RAT), which made contact with the command-and-control server and then gathered, compressed, encrypted and uploaded a wide range of stolen documents and spreadsheets to it.”

The SneakyPastes operation was at its most active between April and mid-November 2018, focusing on a specific list of targets. The majority of the victims are located in the Palestinian territories (211 of them), with other clusters in Jordan, Israel and Lebanon. Political parties and politician as well as research centers made up the majority of the targets.

“Victims included embassies, government entities, media outlets and journalists, activists, political parties and individuals, as well as education, banking, healthcare and contracting organizations,” according to Kaspersky Lab.

The research was shared with law enforcement and has resulted in the take-down of a significant part of the attack infrastructure, according to the analysis. But the SneakyPastes danger is far from over, in the opinion of the researchers.

“This operation shows that lack of infrastructure and advanced tools is no impediment to success. We expect the damage exerted by all three Gaza Cybergang groups to intensify and the attacks to extend into other regions that are also linked to Palestinian issues,” said Hasbini.

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.


Suggested articles