Hackers leverage Facebook, Dropbox to spy on Egypt, Palestinians

Written by

An Arabic-speaking hacking group that’s used phishing emails laden with sensational headlines focused on the Middle East to spy on government officials is leveraging recent diplomatic activity to conduct espionage.

Operatives with the group, known as MoleRATs, used mainstream technology services like Facebook and Dropbox to obscure their malicious activity and exfiltrate data, according Cybereason, the security company that published details on the activity on Wednesday.  It’s the latest example of a savvy hacking group turning to popular technology platforms to dupe their targets, or cover their tracks.

This MoleRATs espionage campaign, which occurred in October and November, was aimed at political and government officials in Egypt, the Palestinian territories, the United Arab Emirates and Turkey, according to Cybereason. Its phishing emails referenced a reported secret meeting between Saudi Crown Prince Mohammed bin Salman, Israeli Prime Minister Benjamin Netanyahu and U.S. Secretary of State Mike Pompeo.

Hackers used Facebook accounts to coordinate their activity, and Dropbox to store their espionage tools and exfiltrate stolen data, according to the findings.

It’s “a clever way of hiding in plain sight, enabling the attackers to go unnoticed by traditional network security solutions,” noted a Cybereason researcher who investigated the activity. They asked to remain anonymous because of the sensitivity of their work.

One of two new “backdoors,” or malicious code for retaining access to a target, relies on fake Facebook accounts to communicate with the MoleRATs operators, according to Cybereason. The researchers said they informed Dropbox and Facebook of their findings. Neither company responded to CyberScoop’s requests for comment.

MoleRATs isn’t alone in this regard. A hacking campaign linked with the Chinese government, uncovered by security firm Trend Micro in February, used Dropbox to store commands and stolen files.

“The primary benefit is that it evades network-level surveillance,” said Ben Read, senior manager of analysis at Mandiant Threat Intelligence. “It looks like what is otherwise benign traffic.”

The research is a reminder that MoleRATs, which is sometimes referred to as the Gaza Cyber Gang, is a persistent set of spies in a region not short of them. Although sometimes overshadowed by larger regional players, including hackers affiliated with Iran, MoleRATs typically relies on exploiting current events to collect intelligence.

In the wake of the U.S. killing of Iranian general Qassem Soleimani in January, for example, the group embarked on a hacking campaign using Soleimani-themed email lures against entities affiliated with the Palestinian government in the West Bank.

Researchers at Israeli firm ClearSky have linked MoleRATs to Hamas, the militant group that controls the Gaza Strip. But few other researchers have made such public attribution. The Gaza Cyber Gang itself is an umbrella term for an array of activity.

The latest findings seem to indicate the group is developing more mature capabilities.

“The group invests time and resources to try to keep the activity under the radar and evade detection,” the Cybereason researcher said. “They are doing a good job with evading automatic sandbox analysis, by checking for Arabic language settings, otherwise the malware won’t run.”