Back to Newsroom

Cybereason Discovers ‘Operation Bearded Barbie;’ a New Cyber Espionage Campaign Targeting High-Ranking Defense and Law Enforcement Officials

Apr 6, 2022

Cybereason, the XDR company, today published findings from an investigation into a new, elaborate cyber espionage campaign titled Operation Bearded Barbie, targeting prominent individuals working for sensitive Israeli defense, law enforcement, and emergency services organizations. 

During the investigation, Cybereason discovered the campaign was operated by Molerats, a politically motivated group operating on behalf of the terrorist organization Hamas. The group used sophisticated social engineering techniques in their attempts to extract sensitive information from the victims' devices for espionage purposes. The attackers used fake Facebook profiles to trick individuals into downloading trojanized Android and PC direct message applications, granting them access to the victims’ devices. 

Interestingly, the fake Facebook profiles were maintained regularly and constantly interacting with Israeli citizens. The social engineering tactic used in this campaign relies primarily on classic catfishing, using fake identities of attractive young women to engage with mostly male individuals to gain their trust. 

“Cybereason has been tracking Molerats for several years and what stood out immediately during this investigation is how authentic the fake Facebook profiles looked. The threat actors spent considerable time maintaining the profiles, luring unsuspecting victims who believed they were joining popular Israeli groups. We were surprised with Molerats' ability to step up its game by deploying more sophisticated malware and maintaining their social engineering perfectly,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason. 

Additional Key Findings:

–Upgraded Malware Arsenal: The new campaign consists of two previously undocumented malware dubbed Barb(ie) Downloader, and BarbWire Backdoor, which is a sophisticated backdoor both of which use an enhanced stealth mechanism to remain undetected. In addition, Cybereason observed an upgraded version of an Android implant dubbed VolatileVenom. 

–Molerats Steps Up their Game: Until recently, Molerats was still using known tools which served them for years, and were known for their relatively unsophisticated tools and techniques. The analysis of this recent campaign demonstrates that the group has revamped their toolset and playbook.

The full report can be downloaded here: https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials

About Cybereason                                                                                                                             Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Media contact: 

Bill Keeler 

Senior Director, Global Public Relations 



+1 (929) 259-3261