Hacking activity in the Gaza Strip and West Bank has ramped up in recent years as rival Palestinian political parties spar with each other, the Israeli-Palestinian conflict continues, and Palestinian hackers increasingly establish themselves on the global stage. Now, Facebook has uncovered two digital espionage campaigns out of Palestine, active in 2019 and 2020, that exploited a range of devices and platforms, including unique spyware that targeted iOS.
The groups, which appear to be unconnected, seem to have been at cross-purposes. But both used social media platforms like Facebook as jumping-off points to connect with targets and launch social engineering attacks that guided them toward phishing pages and other malicious websites.
The researchers link one set of attackers to Palestine's Preventive Security Service, an intelligence group under the West Bank's Fatah ruling party. In this campaign, the group primarily targeted the Palestinian territories and Syria, with some additional activity in Turkey, Iraq, Lebanon, and Libya. The hackers seemed largely focused on attacking human rights and anti-Fatah activists, journalists, and entities like the Iraqi military and Syrian opposition.
The other group, the longtime actor Arid Viper, which has been associated with Hamas, focused on targets within Palestine like Fatah political party members, government officials, security forces, and students. Arid Viper established an expansive attack infrastructure for its campaigns, including hundreds of websites that launched phishing attacks, hosted iOS and Android malware, or functioned as command and control servers for that malware.
“To disrupt both these operations, we took down their accounts, released malware hashes, blocked domains associated with their activity, and alerted people who we believe were targeted by these groups to help them secure their accounts,” Facebook's head of cyberespionage investigations, Mike Dvilyanski, and director of threat disruption, David Agranovich, wrote in a blog post on Wednesday. “We shared information with our industry partners including the anti-virus community so they too can detect and stop this activity.”
The Preventive Security Service–linked group was active on social media and used both fake and stolen accounts to create personas, often depicting young women. Some of the accounts claimed to support Hamas, Fatah, or other military groups and sometimes posed as activists or reporters with the goal of building relationships with targets and tricking them into downloading malware.
The group used both off-the-shelf malware and its own Android spyware masquerading as a secure chat app to target victims. The chat app collected call logs, location, contact information, SMS messages, and device metadata. It also sometimes included a keylogger. The attackers also used publicly available Android and Windows malware. And the researchers saw evidence that the attackers made a fake content management platform for Windows that targeted journalists who wanted to submit articles for publication. The app didn't actually work, but came bundled with Windows malware.
Arid Viper similarly used social engineering and phishing tactics in its campaign, along with Android and Windows malware. But the group also developed custom iOS malware, dubbed Phenakite, that launched deep surveillance against its victims. Attackers would trick a victim into visiting a third-party app store or other site that distributed Phenakite and get them to accept and install a mobile configuration profile, an Apple mechanism that enables organizations like businesses to standardize and manage all of their devices. From there, the victim would install a working iOS chat app called Magic Smile that hid Phenakite within. After installation, the malware would remotely jailbreak the device using a publicly available jailbreak to escalate its system access.
The researchers found that Phenakite deployment was highly targeted, likely impacting a few dozen victims at most. When those third-party app services repeatedly removed Magic Smile, the group switched to hosting the app on its own websites and attempting to lure victims there. The researchers note that Arid Viper may have developed Phenakite because a significant number of its desired targets use iPhones.
Phenakite may not be the easiest malware to trick someone into installing, but its creation reflects a broader trend in recent years of more experimentation and innovation outside major hacking powers like the United States, China, and Russia. And the more common targeted iOS attacks become, the lower the stakes get for attackers to simply put something out there and make the best—that is to say, the worst—of it.