Facebook has described a campaign in which two Palestinian hacking groups ran cyber espionage operations against government officials from both rival political parties, Fatah and Hamas, as well as against student groups and security forces. The hackers used social engineering techniques to trick victims into installing surveillanceware.
Facebook says hackers from the two groups tricked victims into installing malicious software. To do so, they built a network of fake and compromised social media accounts posing primarily as young women, but also as Fatah or Hamas supporters, various military groups, journalists, and activists.
In a recently published threat report [PDF], Facebook said the threat actor used custom-built iOS surveillanceware capable of stealing user data from iPhones. Because the attackers used legitimate developer certificates, they did not have to jailbreak the devices to compromise them.
Facebook linked one group, Arid Viper, to the cyber arm of Hamas, and the other to the Palestinian Preventive Security Service (PSS), one of Palestine's security arms.
The surveillanceware, called Phenakite, was embedded in trojanized chat applications based on the open-source RealtimeChat code.
The malware also directed victims to phishing pages that mimicked Facebook and iCloud in order to steal credentials for these platforms.
To bypass the standard OS security controls that keep unauthorized applications away from sensitive information, Phenakite used known tools such as the Osiris jailbreak and the Sock Port exploit.
Once the device was jailbroken, Phenakite could steal camera roll photos and contacts, take pictures with the camera, silently record audio, read documents and text messages, and exfiltrate WhatsApp data.
To compromise Android devices, Arid Viper had to get victims to install apps from third-party sources. For this, the group used hundreds of fake sites and social media accounts to build trust and persuade victims to install the apps.
Facebook noted that custom surveillanceware is becoming increasingly attainable for less technologically sophisticated adversaries.
“As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop similar tooling,” Facebook said.
PSS used similar social engineering tactics to get targets to install Android and Microsoft malware. PSS' malware exfiltrated information such as device metadata, call logs, location, contacts, text messages, and keylogger data.
Facebook's report is the first published account of cyber espionage activity by PSS. Facebook has also released a set of indicators of compromise to help users detect such activity.