04:22 PM
Connect Directly

The Globalization Of Cyberespionage

Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing

A recently discovered targeted cyberespionage campaign targeting Israeli and Palestinian organizations in operation for more than a year serves as chilling evidence that cyberspying is a global phenomenon and no longer mostly the domain of massive nation-states like China.

While much of the attention has been trained on China as the source of cyberespionage, the discovery of this latest operation highlights just how popular and easy it has become to execute cyberspying. Thanks to ease of access and use of remote access Trojan (RAT) tools and reliability of social engineering, you don't need nation-state backing to conduct these types of targeted attacks. RATs traditionally had been associated with Chinese-based attackers, but that conventional wisdom is shifting as other nations and politically motivated attackers move to cyberspying via these tools to more efficiently gather intelligence on their marks.

Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates.

This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.

[Turns out cyberespionage malware and activity is far more prolific than imagined. See Scope Of APTs More Widespread Than Thought. ]

Oftedal says he has seen XTreme RAT used in all types of attacks. What was most striking about this campaign is that the same attacker used it to go after both Israelis and Palestinian interests. With only the malware and email samples to study, however, he says, Norman can't draw any conclusions on who is behind the attacks.

Aviv Raff, CTO of Seculert, which also has been studying the attacks, says there appears to be a political motive for the attacks, and that the perpetrators could be Hamas hacktivists or someone from their own cyberarmy, he says.

Cyberespionage attacks from various players will increase in the coming year, he says. "I believe that next year we'll see more actors from different nations" conducting cyberespionage, Raff says. "I think such efforts are already in place, and [we] saw that with last year's attacks. The way I see this is that next year, more of such attacks will be discovered -- meaning they are taking place as we speak but go under the radar."

Israeli police last month pulled all of their computers off the Internet after discovering a rogue file spreading around their systems. Seculert studied the attack and concluded that the attacks were based on the Xtreme RAT, a not-so advanced but highly persistent attack tool.

That assessment was confirmed by Norman's research today. "This was not too advanced," Norman's Oftedal says. "They were using off-the-shelf Trojans. The only advanced piece is the digital certificates," which were created to appear as Microsoft-signed, he says.

The attackers initially used C&C servers located in the Gaza Strip region, and later moved them to hosting firms in the U.S. and U.K., according to Norman's findings.

Other researchers, including Dell SecureWorks, have spotted related Xtreme RAT activity against Palestinian and Israeli targets. Joe Stewart, director of malware research at Dell SecureWorks, says he has also seen Chinese hackers using XTreme RAT for cyberespionage, too.

But the similarities between nation-state Chinese attackers and these Middle Eastern political attacks end there. "A lot of targeting that's going on lately are kind of ad-hoc programs being spun up in response to Arab Spring ... and throwing up commodity [Trojans]," Stewart says. "There's no time to spin up the next Flame. They use what's out there and available."

And researchers and victim organizations are also getting more experienced at spotting possible targeted attacks, which is adding to the snowball effect of new cyberespionage players and victims.

"Now that people realize espionage is the focus in a lot of cases, they are not so quick to dismiss malware samples that come in that are new and not usual," Stewart says. "A few years ago, you'd think 'that was just a random hacker and I'll concentrate on Storm' or whatever threat was big at the time. Now you see samples that are not like any other samples ... and stand on their own because they are such low volume, and you realize this could be the next big story, a Stuxnet you got your hands on there that's worth delving into more."

The full report from Norman is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.