Uncovering Unique Cyber Attacks against Israel and Egypt

Trend Micro’s Forward Threat Research team in conjunction with the United States Air Force has uncovered a series of attacks against Israeli and Egyptian targets in a report coined “Operation Arid Viper: Bypassing the Iron Dome.” This attack is leveraging unusual tactics to perpetrate both targeted attacks and cybercrime—it’s being executed by what we characterise as “CyberExtremists.”

We have uncovered two separate, but heavily interconnected campaigns:

Operation Arid Viper: This is a highly-targeted attack on high-value Israeli targets that links back to attackers located in Gaza, Palestine. The campaign’s modus operandi involves using spear-phishing emails with an attachment containing malware disguised as a pornographic video. The attached malware carries out data exfiltration routines for a large cache of documents gathered from their victims’ machines in a sort of “smash-and-grab” attack. The first related malware sample was seen in the middle of 2013.

Operation Advtravel: This is a much less targeted attack with hundreds of victims in Egypt, whose infected systems appear to be personal laptops. This leads us to believe that the campaign is not as sophisticated as that of Operation Arid Viper. The attackers involved with Operation Advtravel can be traced back to Egypt.

However, what is perhaps even more interesting than either of the attacks on their own is that these two separate campaigns where so closely linked together:

  • Both are hosted on the same servers in Germany
  • The domains for both campaigns have been registered by the same individuals
  • Both campaigns can be tied back to activity from Gaza, Palestine.

operation-arid-viper-advtravel_thumbOn one hand, we have a sophisticated targeted attack, and on the other a less skilled attack that has all the hallmarks of beginner hackers. So why would these groups be working together?

Our working theory (and subject of continuing investigation) is that there may be an overarching organization or underground community that helps support Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructures, suggest targets and so on.

We predict that there will be an increase of such “Cyber Militia activity” in the Arab world, where non-state actors fight against other organizations that would traditionally be considered enemies – similar to what we discussed about the Russian ties in the CyberBerkut attacks on Germany.

Our full paper on Operation Arid Viper gives more details on the victims, technical details and details we found on the possible attackers behind these campaigns. You can download the paper from this link: Operation Arid Viper – Bypassing the Iron Dome.

Leave a Reply

Your email address will not be published. Required fields are marked *