The Globalization Of Cyberespionage

Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing

A recently discovered cyberespionage campaign targeting Israeli and Palestinian organizations, in operation for more than a year, serves as chilling evidence that cyberspying is a global phenomenon and no longer mostly the domain of massive nation-states like China.

While much of the attention has been trained on China as the source of cyberespionage, the discovery of this latest operation highlights just how popular and easy it has become to execute cyberspying. Thanks to the easy availability and ease of use of remote access Trojan (RAT) tools and the reliability of social engineering, you don't need nation-state backing to conduct these types of targeted attacks. RATs traditionally had been associated with China-based attackers, but that conventional wisdom is shifting as other nations and politically motivated attackers move to cyberspying via these tools to more efficiently gather intelligence on their marks.

Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails sent to Israeli and Palestinian targets and found that the attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because they use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates.

This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.

[Turns out cyberespionage malware and activity is far more prolific than imagined. See Scope Of APTs More Widespread Than Thought. ]

Oftedal says he has seen Xtreme RAT used in all types of attacks. What was most striking about this campaign is that the same attacker used it to go after both Israeli and Palestinian interests. With only the malware and email samples to study, however, Norman can't draw any conclusions on who is behind the attacks, he says.

Aviv Raff, CTO of Seculert, which also has been studying the attacks, says there appears to be a political motive for the attacks, and that the perpetrators could be Hamas hacktivists or someone from their own cyberarmy.

Cyberespionage attacks from various players will increase in the coming year, he says. "I believe that next year we'll see more actors from different nations" conducting cyberespionage, Raff says. "I think such efforts are already in place, and [we] saw that with last year's attacks. The way I see this is that next year, more of such attacks will be discovered -- meaning they are taking place as we speak but go under the radar."

Israeli police last month pulled all of their computers off the Internet after discovering a rogue file spreading around their systems. Seculert studied the attack and concluded that the attacks were based on the Xtreme RAT, a not-so-advanced but highly persistent attack tool.

That assessment was confirmed by Norman's research today. "This was not too advanced," Norman's Oftedal says. "They were using off-the-shelf Trojans. The only advanced piece is the digital certificates," which were created to appear as Microsoft-signed, he says.

The attackers initially used C&C servers located in the Gaza Strip region, and later moved them to hosting firms in the U.S. and U.K., according to Norman's findings.

Other researchers, including Dell SecureWorks, have spotted related Xtreme RAT activity against Palestinian and Israeli targets. Joe Stewart, director of malware research at Dell SecureWorks, says he has also seen Chinese hackers using Xtreme RAT for cyberespionage.

But the similarities between nation-state Chinese attackers and these Middle Eastern political attacks end there. "A lot of targeting that's going on lately are kind of ad-hoc programs being spun up in response to Arab Spring ... and throwing up commodity [Trojans]," Stewart says. "There's no time to spin up the next Flame. They use what's out there and available."

And researchers and victim organizations are also getting more experienced at spotting possible targeted attacks, which is adding to the snowball effect of new cyberespionage players and victims.

"Now that people realize espionage is the focus in a lot of cases, they are not so quick to dismiss malware samples that come in that are new and not usual," Stewart says. "A few years ago, you'd think 'that was just a random hacker and I'll concentrate on Storm' or whatever threat was big at the time. Now you see samples that are not like any other samples ... and stand on their own because they are such low volume, and you realize this could be the next big story, a Stuxnet you got your hands on there that's worth delving into more."

The full report from Norman is available here.


Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
