In 2018, the Gaza Cybergang, now known to comprise several groups of varying sophistication launched a cyberespionage operation targeting individuals and organizations with a Middle-Eastern political interest. The campaign, named SneakyPastes made use of disposable email addresses to spread the infection through phishing, before downloading the malware in chained stages using multiple free sites. This low cost but effective approach helped the group to hit around 240 high profile victims in 39 countries worldwide, including political, diplomatic, media and activist entities, among others. Kaspersky Lab’s research was shared with law enforcement and has resulted in the takedown of a significant part of the attack infrastructure.
The Gaza Cybergang is an Arabic speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa, with a particular focus on the Palestinian Territories. Kaspersky Lab has identified at least three groups within the gang, with similar aims and targets – cyberespionage related to Middle Eastern political interests – but very different tools, techniques and levels of sophistication. There is an element of sharing and overlap between them.
The groups include the more advanced Operation Parliament and Desert Falcons, known since 2018 and 2015 respectively, and an underpinning, less complex group, also known as MoleRats that has been active since at least 2012. In the spring of 2018, this basic group launched operation SneakyPastes.
SneakyPastes began with politically themed phishing attacks, spread using disposable email addresses and domains. Malicious links or attachments that were either clicked or downloaded then installed the infection on the victim device.
In order to avoid detection and hide the location of the command and control server, additional malware was downloaded to victim devices in chained stages using a number of free sites including Pastebin and Github. The various malicious implants used PowerShell, VBS, JS, and dotnet to secure resilience and persistence within infected systems. The final stage of intrusion was a Remote Access Trojan, which made contact with the command and control server and then gathered, compressed, encrypted and uploaded a wide range of stolen documents and spreadsheets to it. The name SneakyPastes derives from the attackers’ heavy use of paste sites to gradually sneak the RAT onto victim systems.
Kaspersky Lab researchers worked with law enforcement to uncover the full cycle of attack and intrusion for the SneakyPastes operation. These efforts have resulted not just in a detailed understanding of the tools, techniques, targets and more, but in the actual takedown of a significant part of the infrastructure.
The SneakyPastes operation was at its most active between April and mid-November 2018, focusing on a small list of targets that comprised diplomatic and government entities, NGOs and media outlets. Using Kaspersky Lab telemetry and other sources, there appear to be around 240 high profile individual and corporate victims, in 39 countries worldwide, with the majority located in the Palestinian Territories, Jordan, Israel and Lebanon. Victims included embassies, government entities, media outlets and journalists, activists, political parties and individuals, as well as education, banking, healthcare and contracting organizations.
“The discovery of Desert Falcons in 2015 marked a turning point in the threat landscape as it was then the first known fully Arabic speaking APT. We now know that its parent, Gaza Cybergang has been actively targeting Middle Eastern interests since 2012, initially relying most on the activities of a fairly unsophisticated but relentless team – the team that in 2018 launched operation SneakyPastes. SneakyPastes shows that lack of infrastructure and advanced tools is no impediment to success. We expect the damage exerted by all three Gaza Cybergang groups to intensify and the attacks to extend into other regions that are also linked to Palestinian issues,” said Amin Hasbini, Head of Middle East Research Center, Global Research and Analysis Team (GReAT) at Kaspersky Lab.
All Kaspersky Lab products successfully detect and block this threat.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:
- Use advanced security tools like Kaspersky Anti Targeted Attack Platform (KATA) and make sure your security team has access to the most recent cyber threat intelligence.
- Make sure you update all software used in your organization on a regular basis, particularly whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
- Choose a proven security solution such as Kaspersky Endpoint Security that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
- Ensure your staff understand basic cybersecurity hygiene, as many targeted attacks start with phishing or other social engineering technique.
A report on the Gaza Cybergang’s operation SneakyPastes can be found on Securelist.