Molerats Hackers Hit US, EU GovernmentsMiddle Eastern Attackers Tap Cheap Crimeware
Hackers who previously targeted the Israeli and Palestinian governments have been tied to more recent online attacks against numerous European and U.S. government agencies, the British Broadcasting Corp. and a major U.S. financial services firm.
That warning was sounded June 2 by breach detection provider FireEye, which has tied a series of advanced persistent threat attacks launched between April 29 and May 27 to a long-running online espionage campaign it calls "Molerats." FireEye also released "indicators of compromise" to help organizations spot related attacks, which often combine news-referencing phishing e-mails with freely available remote-access tool malware. The decoy documents sometimes also include shortened links that download ZIP or RAR files containing disguised versions of the malware.
"We have seen them use English, Arabic and Hebrew in various decoy documents, and they appear to have a wide target set," says FireEye security researcher Nart Villeneuve.
The attacks are a reminder that not all effective online espionage campaigns are run by large countries investing in custom-created malware. "With so much public attention focused on APT threat actors based in China, it's easy to lose track of targeted attacks carried out by other threat actor groups based elsewhere," says Timothy Dahms, a researcher at FireEye, in a blog post.
Latest Campaign: 200+ Victims
Ned Moran, a senior malware researcher at FireEye, told the Financial Times that the latest Molerats campaign netted at least 200 victims, all by using e-mailed news stories, cartoons or speeches as lures. The newspaper reported that the campaign's prior victims have included not only various U.S. and European government agencies, and an unnamed U.S. financial institution, but also former British Prime Minister Tony Blair, who now serves as a Middle East peace envoy.
A FireEye spokesman declined to provide the identity of the U.S. financial institution that was targeted.
The Molerats campaign is distinguished from many other types of APT attacks by virtue of its thriftiness. Rather than investing heavily in customized attack tools, the group employs commercial, off-the-shelf crimeware tools, as well as free backdoor software such as Bifrost and CyberGate.
The attackers' thrifty approach shouldn't be surprising, says Snorre Fagerland, the senior principal security researcher at Blue Coat Norway, who's been tracking the Molerats campaign for some time. "It's actually quite smart; smarter than a lot of the Chinese groups who make their own stuff," he says. "Free tools are not only cheap, but also much harder to track than the reuse of self-made malware. The important attacks [get drowned out] in all sorts of script kiddie shenanigans."
Fagerland began a close study of the Molerats campaign in 2012, after the Israeli police force temporarily took its computers offline and instituted a ban on removable media following a series of online attacks. Digging a bit deeper, he found press descriptions of the malware used against the Israeli police force matched up with in-the-wild malware he found, based on the widely used and commercially available XtremeRAT backdoor Trojan.
The malware also phoned home to a command-and-control network and was signed with a digital certificate in Microsoft's name that was forged. Tracing the serial number attached to the fake certificate, Fagerland found that attackers had first attacked Palestinian targets via a malicious infrastructure based in Gaza. But attackers then switched to predominantly targeting Israeli targets, using malicious infrastructure based in the United States. "The attacker is unknown at this point, but the purpose is assumed to be espionage/surveillance," Fagerland said in a related report at the time.
Shortly thereafter, however, FireEye's Villeneuve found evidence that the attack group was e-mailing malware, signed with another bogus Microsoft digital certificate, to the U.S. State Department, Senate and House of Representatives, as well as to the BBC and various government addresses in Latvia, Macedonia, New Zealand, Slovenia, Turkey and the United Kingdom. Villeneuve said that the e-mails included the malicious executable as a RAR-encrypted attachment that was disguised as a document about Middle Eastern news. If the malware was installed on the recipient's PC, it included the ability to capture desktop images, as well as steal passwords from browsers.
Security blogger Brian Krebs found similarities between metadata contained in the decoy document used by attackers and Twitter postings from a group calling itself the Gaza Hackers Team, which previously claimed responsibility for hacking Israeli government websites. In particular, he said two nicknames used by group members - Aert and Hitham - appeared to trace to men located in Algeria.
"In this case you find [the] username Aert floating about on the forums, talking about using XtremeRAT, etc., and referring to domain names sounding like Molerats C&C domains," says Blue Coat's Fagerland. "Evidence? No. Interesting? Yes."
In August 2013, meanwhile, Villeneuve and other researchers spotted Poison Ivy malware infections phoning home to the same command-and-control network. They surmised that the malware, which was signed by a forged Microsoft digital certificate - with a different serial number than the ones used in previous attacks - was being delivered via phishing attacks as e-mail attachments, as well as via e-mails that linked to RAR files hosted on Dropbox. And they discovered that samples of the malware were in circulation as early as September 2012. FireEye declined to name the attackers' targets, except to say they were located in the Middle East and United States.
Since then, of course, the group behind the Molerats campaign appears to have continued its attacks, and Fagerland said there's no reason to expect they'll stop anytime soon. "As long as social engineering continues to work, there is little need to move such operations to higher cost levels," he says.
"This is the Asda of surveillance," he adds, referring to the discount British supermarket chain owned by Walmart. "You get the basics, which often is enough."