The attack began with a pornographic video playing at work—just the kind of embarrassing moment the hackers were counting on.
An Israeli government employee at a research facility received an email crafted so that the recipient would open its attachment. The lie worked.
Suddenly, the porn video started playing, and the employee shut the video down. Confused, he hoped no one saw what happened on his screen.
This is how a hacker from the Gaza Strip in Palestine began a sophisticated attack on high-value Israeli targets, according to a new report from the security firm Trend Micro.
The employee’s computer was thoroughly infected and sensitive files were then sent to the attacker. The sharp little heist was complete.
Another contemporaneous cyberattack campaign aimed at Israel affected over 500 victims in Egypt, Trend Micro reports, infecting laptops and stealing data for hackers to view.
The attacks are being called “evidence of a budding generation of Arab hackers” by security analysts who warn of a cyber-guerrilla war directed at Israel from its Arab neighbors.
One hypothesis floated by Trend Micro researchers is that “a supra-organization that provides means for Arab parties to commit acts of cyberviolence exists.” If that’s the case, they warn, expect more violence soon.
The two campaigns (dubbed Operation Arid Viper and Operation Advtravel) have a lot in common: they were both run from servers in Germany, both had domains registered by the same person, and both can be tied to Gaza.
However, they also have quite a few differences. Arid Viper was elegant, targeted, and tightly wrapped up. Advtravel was broad and amateurish.
The first campaign targeted a variety of victims in Israel including a government office, infrastructure providers, the military, and academia.
“Operation Arid Viper was unusual in that it had a pornographic component in hopes of taking user focus away from the infection or the fact that something strange is happening,” the report explains. “It targeted professionals who might be receiving very inappropriate content at work and so would hesitate to report the incident.”
Without reporting the incident, the malware could carry on its work. The porn-distraction is a clever ploy that hadn’t been seen in the wild before the Israeli attacks.
The Advtravel campaign, on the other hand, targeted mostly the personal laptops of Arabs in Egypt. The hackers stole images from the victims’ computers, possibly for blackmail.
Trend Micro also identified individuals whose names were used to register the command-and-control servers behind the attacks. One individual in particular lives in Gaza and sports pro-Palestine and anti-Israel imagery across his social media accounts.