Facebook has announced that it managed to take down two significant groups of hackers based in Palestine that were working to compromise Windows, Android, and Apple devices by using all kinds of tricks, includes social engineering, malware, modified apps and much more.
Facebook’s security researchers took action against a couple of groups in Palestine, a network linked to the Preventive Security Service (PSS) and a threat actor known as Arid Viper. Facebook removed their ability to use the social media platform as means of spreading their influence, taking down much of the infrastructure.
Although both groups have been operating out of Palestine, they weren’t connected. Their targets were very different, one looking to compromises victims in Palestine, and the other was focusing on the Palestinian territories and Syria and, to a lesser extent Turkey, Iraq, Lebanon and Libya.
The first group, targeting people in Palestine, seems to be connected to Preventive Security Service — the Palestinian Authority’s internal intelligence organization – according to Facebook.
“This persistent threat actor focused on a wide range of targets, including journalists, people opposing the Fatah-led government, human rights activists and military groups including the Syrian opposition and Iraqi military,” said the security researchers. “They used their own low-sophistication malware disguised as secure chat applications, in addition to malware tools openly available on the internet.”
The group used a custom-build Android malware that posed as secure chat applications, but that allowed attackers to gather private data and metadata. Windows was also a target, but the hackers used existing threats such as NJRat and HWorm. Furthermore, the hackers compromised several social media accounts or used fake names to gain the victims’ trust.
Arid Viper
The other group, named Arid Viper, is a well-known advanced persistent threat that also goes by the name Desert Falcon and APT-C-23. Their way of operating is different and much more in line with other hacking groups.
“It used sprawling infrastructure to support its operations, including over a hundred websites that either hosted iOS and Android malware, attempted to steal credentials through phishing or acted as command and control servers,” says Facebook. “They appear to operate across multiple internet services, using a combination of social engineering, phishing websites and continually evolving Windows and Android malware in targeted cyber espionage campaigns. “
In their efforts to curb the activities of these two groups, Facebook took down all their linked accounts, published all indicators of compromises, inclusive malware hashes, and shared them with the anti-virus community to make it easier to be discovered.