On Wednesday, Facebook disclosed its efforts to dismantle cyber operations linked to two state-sponsored hacking groups based in Palestine that have exploited its platform for malware distribution. These activities primarily originated from the Preventive Security Service (PSS), a security entity of the Palestinian Authority, and a group identified as Arid Viper (also known as Desert Falcon) with ties to Hamas.

The cyber campaigns attributed to these entities were active in 2019 and 2020 and utilized multiple operating systems, including Android, iOS, and Windows, with PSS particularly targeting domestic users within Palestine. In contrast, Arid Viper expanded its reach to users in the Palestinian territories, Syria, and other regions such as Turkey, Iraq, Lebanon, and Libya.

Both groups have been known to employ social engineering strategies to lure individuals into clicking on harmful links. To counteract these threats, Facebook has taken significant measures, including disabling associated accounts, blocking relevant domains, and providing alerts to potential targets to enhance their account security.

Exploiting Applications for Espionage

The PSS group used custom Android malware disguised as secure chat applications. This malware enabled them to covertly collect device metadata, record keystrokes, and send sensitive data to Firebase. They also deployed SpyNote, another Android-based malware, capable of monitoring calls and providing remote access to compromised devices.

This group crafted fake personas, frequently pretending to be young women or supporters of various military factions, in order to forge relationships with targets. Their goal was primarily to direct these individuals to phishing pages and other malicious sites. This tactic encompassed a spectrum of victims, including journalists, activists opposing the Fatah-led government, and military personnel associated with the Syrian opposition.

Advanced Targeting by Arid Viper

On the other hand, Arid Viper has been utilizing a newly developed iOS surveillance tool named “Phenakite” in its targeted operations. This malware allows for the extraction of sensitive user data from iPhones without the need for jailbreaking. It was delivered through a legitimate-looking chat application referred to as MagicSmile, which stealthily operated in the background to collect user information.

Arid Viper’s infrastructure comprises a considerable network of 179 domains, which either host malware or act as command-and-control (C2) servers. The group’s activities appear focused on individuals aligned with pro-Fatah organizations, Palestinian government bodies, and military figures. Facebook noted that deployment of this iOS malware was limited, indicating a targeted approach against specific victims.

The group has added layers of complexity by masking malware updates as legitimate app updates for popular applications like WhatsApp. Once installed, these malicious applications prompted users to disable Google Play Protect and requested broad device permissions to enable extensive surveillance.

In summary, Arid Viper’s activity has recently expanded to include iOS malware designed for targeted attacks against pro-Fatah groups and individuals. As Facebook’s researchers point out, the group’s technical capabilities may be classified as low to medium; however, its ability to enhance its toolkit should signal to defenders that similar tactics may soon be adopted by other low-tier adversaries as well.