Blog
Back to Newsroom

Cybereason’s Nocturnus Researchers Discover New, Targeted Cyber Espionage Campaigns in the Middle East

Feb 13, 2020

Cybereason, creators of the leading Cyber Defense Platform, today released an investigative research report from its Nocturnus Research Group titled ‘New Cyber Espionage Campaigns Targeting Palestinians’ looking at the MoleRATs cybercrime group and two new campaigns happening simultaneously targeting organizations and individuals in the Palestinian territories of the West Bank and Gaza Strip. In the past few years, this group attacked Israel and other countries in the region.

The two new campaigns differ in tools, server infrastructure and nuances in decoy content and intended targets. Cybereason is attributing The Spark and Pierogi Campaigns to MoleRATs (aka The Gaza Cybergang), an Arabic-speaking, politically motivated group that has operated in the Middle East since 2012.

“We suspect MoleRATs are carrying out these campaigns to obtain sensitive information from its victims to leverage for political purposes. The malicious files relate to political affairs in the Middle East, with specific references to the Israeli-Palestinian conflict, tension between Hamas and Fatah, and other political entities in the region. There are indications that suggest that Pierogi backdoor was authored by Ukrainian-speaking malware developers,” said one of Cybereason’s Nocturnus researchers.

About The Spark Campaign
This campaign uses social engineering to infect victims, mainly from the Palestinian territories, with the Spark backdoor. This backdoor first emerged in January 2019 and the threat actors are taking advantage of recent geopolitical events, espeically the Israeli-Palestinian conflict, the assassination of Qasem Soleimani, and the ongoing conflict between Hamas and Fatah Palestinian movements to lure victims into opening tainted files or documents.

About The Pierogi Campaign
This campaign uses social engineering attacks to infect victims with a new, undocumented backdoor dubbed Pierogi. This backdoor first emerged in December 2019, and was discovered by Cybereason. In this campaign, the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsi a and Kaperagent malware. Cybereason suspects that the Pierogi backdoor may have been created by Ukrainian-speaking hackers, rather than by the MoleRATs group, based on Ukrainian language found in the code of the backdoor.

About Cybereason
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint prevention, detection and response and active monitoring. The solution delivers multi-layered endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Cybereason is privately held and is headquartered in Boston, with offices in London, Sydney, Tel Aviv, Tokyo, Asia-Pacific and continental Europe.

Learn more: https://www.cybereason.com/

Media Contact:
Bill Keeler
Senior Director, Global Public Relations
Cybereason
bill.keeler@cybereason.com
(929) 259-3261