Trend Micro’s Forward Threat Research team, in conjunction with the United States Air Force, has uncovered a new series of attacks against Israeli and Egyptian targets in a report titled “Operation Arid Viper: Bypassing the Iron Dome.” The attackers are using unusual tactics to carry out both targeted attacks and cybercrime—they are what Trend Micro experts characterise as “CyberExtremists.” The attack is the latest in the series of targeted attacks and data breaches the industry saw last year, including the high-profile Sony Pictures breach.
The investigation has revealed the possible identities of attackers from Gaza, Egypt and Morocco:
- Operation Arid Viper: This is a highly-targeted attack on high-value Israeli targets that links back to attackers located in Gaza, Palestine. The campaign’s modus operandi involves using spear-phishing emails with an attachment containing malware disguised as a pornographic video. The attached malware carries out data exfiltration routines for a large cache of documents gathered from their victims’ machines in a sort of “smash-and-grab” attack. The first related malware sample was seen in the middle of 2013.
- Operation Advtravel: This is a much less targeted attack with hundreds of victims in Egypt, whose infected systems appear to be personal laptops. This leads us to believe that the campaign is not as sophisticated as that of Operation Arid Viper. The attackers involved with Operation Advtravel can be traced back to Egypt.
There has been an increase in such attacks in recent months, with incidents from Russia and North Korea reflecting higher sophistication and aggression. Organisations must be wary that their infrastructure may come under assault for purposes beyond the typical accumulation of financial and personal information.
Trend Micro uncovers unique cyberattacks against Israel and Egypt
16 February 2015 – Today, Trend Micro published a research report on an ongoing malware campaign that targets Israeli victims and leverages network infrastructure in Germany. The campaign has strong attribution ties to Arab parties located in the Gaza Strip and elsewhere.
We have uncovered two separate, but heavily interconnected campaigns:
Operation Arid Viper: This is a highly-targeted attack on high-value Israeli targets that links back to attackers located in Gaza, Palestine. The campaign’s modus operandi involves using spear-phishing emails with an attachment containing malware disguised as a pornographic video. The attached malware carries out data exfiltration routines for a large cache of documents gathered from their victims’ machines in a sort of “smash-and-grab” attack. The first related malware sample was seen in the middle of 2013.
Operation Advtravel: This is a much less targeted attack with hundreds of victims in Egypt, whose infected systems appear to be personal laptops. This leads us to believe that the campaign is not as sophisticated as that of Operation Arid Viper. The attackers involved with Operation Advtravel can be traced back to Egypt.
However, what is perhaps even more interesting than either of the attacks on their own is that these two separate campaigns were so closely linked together:
- Both are hosted on the same servers in Germany
- The domains for both campaigns have been registered by the same individuals
- Both campaigns can be tied back to activity from Gaza, Palestine.
On one hand, we have a sophisticated targeted attack, and on the other a less skilled attack that has all the hallmarks of beginner hackers. So why would these groups be working together?
Our working theory (and the subject of continuing investigation) is that there may be an overarching organization or underground community that helps Arab hackers fight back against perceived enemies of Islam. They may do this by helping to set up infrastructure, suggesting targets, and so on.
We predict that there will be an increase of such “Cyber Militia activity” in the Arab world, where non-state actors fight against other organizations that would traditionally be considered enemies – similar to what we discussed about the Russian ties in the CyberBerkut attacks on Germany.
Our full paper on Operation Arid Viper gives more details on the victims, technical details and details we found on the possible attackers behind these campaigns.