Kaspersky Lab published its findings on a cyber espionage operation known as SneakyPastes, which targeted individuals and organizations with Middle-Eastern political interests across 39 countries worldwide. In 2018, the campaign used disposable email addresses in phishing attacks to deliver the initial infection, then downloaded further malware in chained stages from multiple free hosting sites. Since Kaspersky shared its findings with law enforcement, a significant portion of the attack infrastructure has been taken down.
The Arabic-speaking Gaza Cybergang responsible for the campaign is a politically motivated collective of interrelated groups actively targeting the Middle East and North Africa, with a particular focus on the Palestinian territories. Kaspersky Lab has identified at least three groups within the gang. Although these groups share similar aims and targets (cyberespionage related to Middle Eastern political interests), the methods they employ vary in sophistication.
The groups include the more advanced Operation Parliament and Desert Falcons as well as the less sophisticated MoleRats, which was responsible for launching SneakyPastes in the spring of 2018.
SneakyPastes began with politically themed phishing attacks. In order to avoid detection and hide the location of the command and control server, additional malware was downloaded to victim devices in chained stages from a number of free sites, including Pastebin and GitHub. The various malicious implants used PowerShell, VBS, JS and .NET to secure resilience and persistence within infected systems. The final stage of the intrusion was a Remote Access Trojan, which made contact with the command and control server and then gathered, compressed, encrypted and uploaded a wide range of stolen documents and spreadsheets to that server. The name SneakyPastes derives from the attackers' heavy use of paste sites to gradually sneak the RAT onto victim systems.
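As an added illustration of the defensive side (this is not Kaspersky's code and uses no indicator from the report), the following Python scans constructed endpoint proxy-log lines for script interpreters fetching several files in turn from the paste and code-hosting sites named above, which is the staging pattern the article describes; the log layout, endpoint names, raw-content hosts and paths are all assumptions.

```python
import re
from collections import defaultdict

# Staging sites named in the article; the raw-content hosts are an assumption
# about where a script would actually pull a pasted payload from.
PASTE_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com",
               "gist.githubusercontent.com"}
# Script interpreters matching the PowerShell/VBS/JS implants described.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed proxy-log layout: "<timestamp> <endpoint> <process> GET <url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<endpoint>\S+) (?P<proc>\S+) GET "
    r"https?://(?P<dst>[^/\s]+)(?P<path>\S*)")

def parse_line(line):
    """Return the log fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_staged_downloads(lines, min_stages=2):
    """Map endpoint -> fetched URLs for endpoints where a script interpreter
    pulled at least min_stages files from paste/code-hosting sites.
    Browser traffic to the same sites is ignored, which keeps ordinary
    developer use of GitHub out of the result."""
    fetched = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["proc"].lower() in SCRIPT_HOSTS and e["dst"].lower() in PASTE_HOSTS:
            fetched[e["endpoint"]].append(e["dst"] + e["path"])
    return {ep: urls for ep, urls in fetched.items() if len(urls) >= min_stages}

# Constructed sample log: WS-017 shows the chained pattern, WS-042 a single
# script fetch, and browsers visit the same sites without being flagged.
SAMPLE_LOG = [
    "2018-06-03T09:14:02Z WS-017 powershell.exe GET https://pastebin.com/raw/EXAMPLE1",
    "2018-06-03T09:14:05Z WS-017 wscript.exe GET https://raw.githubusercontent.com/example/repo/master/stage2.txt",
    "2018-06-03T09:20:11Z WS-017 chrome.exe GET https://pastebin.com/raw/EXAMPLE2",
    "2018-06-03T10:01:00Z WS-042 powershell.exe GET https://pastebin.com/raw/EXAMPLE3",
    "2018-06-03T10:05:00Z WS-042 msedge.exe GET https://github.com/example/repo",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for endpoint, urls in find_staged_downloads(SAMPLE_LOG).items():
        print(f"{endpoint}: {len(urls)} staged fetches -> {urls}")
```

Lowering `min_stages` to 1 trades precision for recall; in a real deployment the process name would come from an EDR or proxy agent that records the requesting executable.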
The SneakyPastes operation was at its most active between April and November 2018, focusing on a small list of targets that comprised diplomatic and government entities, nongovernmental organizations and media outlets. Around 240 high-profile individuals and corporations across 39 countries appear to have fallen victim to the operation, with the majority situated in the Palestinian territories, Jordan, Israel and Lebanon. Victims included embassies, government entities, media outlets, journalists, activists and political parties, as well as organizations in the education, banking and healthcare sectors.
"The discovery of Desert Falcons in 2015 marked a turning point in the threat landscape as it was then the first known fully Arabic-speaking APT," said Amin Hasbini, head of the Middle East Research Center in Kaspersky's Global Research and Analysis Team.
"We now know that its parent, Gaza Cybergang, has been actively targeting Middle Eastern interests since 2012, initially relying most on the activities of a fairly unsophisticated but relentless team. … It shows that lack of infrastructure and advanced tools are no impediment to success. We expect the damage exerted by all three Gaza Cybergang groups to intensify and the attacks to extend into other regions that are also linked to Palestinian issues," he said.