A wave of cyberattacks against Israeli and Middle Eastern targets this summer was the work of a highly active but shadowy hacktivist group that has started using Remote Access Trojans (RATs) previously favoured by Chinese cyber-actors, security firm FireEye has warned.
Dubbed ‘Molerats’ by FireEye, the politically-motivated group launched its latest attacks in June and July using the Poison Ivy (PIVY) RAT, analysed earlier this week in a separate piece of research by the firm that studied its extensive use over many years by Chinese groups.
The campaign was originally believed to have focused on Israeli and Palestinian organisations but now appears to have had a wider target list, including other Arabic countries and the US.
Significantly, the latest wave of attacks were almost certainly linked to a wave of cyber-attacks last October and November on Middle Eastern targets using the XtremeRAT backdoor, including one on the Israeli Police, FireEye said.
The Molerats group’s signatures included spearphishing attacks using malicious RAR archives, and a command and control infrastructure using and re-using known domains. The targeting also showed a consistent theme.
FireEye’s conclusions are twofold; the sudden popularity of Poison Ivy suggests that this particular RAT is now being used beyond China and defenders should be more wary about attribution. Second, the Middle East has another hacktivist group - that might or might not have a connection with the better known ‘Gaza Hackers Team’ - a development that needs to be watched.
“We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective, publicly-available RAT to its arsenal,” said FireEye’s researchers in a blog note.
“But this development should raise a warning flag for anyone tempted to automatically attribute all PIVY attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining those responsible an increasing challenge.”
The Middle East now has a clutch of little-understood 'nuisance' hacking groups, the best known of which is the Syrian Electronic Army (SEA), a group notable for focusing on Western targets such as US media and dissidents opposing the country’s Assad regime.
A second group are the Iranian Izz ad-Din al-Qassam Cyber Fighters, blamed for a series of huge DDoS attacks on US banks in the last year. What distinguishes all of these groups from Western anti-establishment organisations such as the apparently extinct Anonymous Group is the level of resources, state backing and staffing they must have to sustain such large campaigns.
Although Molerats appears small by comparison with the other groups, the fact it wields RAT-based tools is significant. Such malware requires manual control, something that is anathema to conventional crime groups interested in profit at the minimum outlay. Its appearance is just another symptom of the gradual spread of cyberwar tactics to every corner of the globe.