While investigating a late-October cyberattack that forced Israel to take its police force offline, Norwegian security researchers found evidence of an extensive spy network aimed at both Israeli and Palestinian targets.
This latest attack, according to Norman ASA, the Oslo-based security software firm behind the discovery, placed a remote access Trojan (RAT) onto a government network with a malicious email that appeared to come from Israel Defense Force chief of staff Benny Gantz.
The malware used in this attack, known as Xtreme RAT, has the potential to receive remote commands, transmit data, steal passwords stored in Web browsers and tap into a machine's camera or microphone.
Senior Norman researcher Snorre Fagerland told security writer Brian Krebs that a fake certificate, spoofed to appear as if it came from Microsoft, helped them connect the dots.
"These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate," Fagerland told Krebs. "In my view, they are the same attackers."
The faked certificates would not pass Microsoft's signature validation, but this shared forgery has served as a thread for Fagerland to follow as he untangles a growing web of control servers and malware used in targeted phishing email campaigns.
The oldest files with the fake Microsoft certificate, according to Fagerland, date back to October 2011, when spies tempted victims with news tailored to Palestinians, operating servers in Gaza and the West Bank.
Less than a year later, the same attackers began targeting Israelis, but this time they used control servers in the U.S.
Based on metadata left, perhaps inadvertently, on malicious Word documents in the attack emails, Fagerland told Krebs he was able to lift several usernames that corresponded to handles on the forum gaza-hacker.net.
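The two pivots described above, a forged certificate shared across samples and author handles left in Word document metadata, both come down to extracting an artifact from each file and grouping files that share it. The following Python is an added example, not code from the article or from Norman; it builds a few minimal .docx-style packages in memory (constructed samples, with made-up handles), reads the `dc:creator` and `cp:lastModifiedBy` fields from `docProps/core.xml`, and groups the files by handle. The sample names and handles are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces used by docProps/core.xml in Office Open XML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
<dc:title>{title}</dc:title>
<dc:creator>{creator}</dc:creator>
<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>
</cp:coreProperties>"""


def make_docx(title, creator, modified_by, with_core=True):
    """Build a minimal .docx-style zip in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_core:
            z.writestr("docProps/core.xml",
                       CORE_XML.format(title=title, creator=creator, modified_by=modified_by))
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Return creator/lastModifiedBy/title from docProps/core.xml; empty strings if the part is absent."""
    empty = {"creator": "", "lastModifiedBy": "", "title": ""}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return empty
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return (el.text or "").strip() if el is not None else ""

    return {"creator": text("dc:creator"),
            "lastModifiedBy": text("cp:lastModifiedBy"),
            "title": text("dc:title")}


def pivot_on_handles(samples):
    """Group sample names by the author handles found in their metadata (case-insensitive)."""
    by_handle = defaultdict(set)
    for name, data in samples.items():
        props = extract_core_properties(data)
        for key in ("creator", "lastModifiedBy"):
            if props[key]:
                by_handle[props[key].lower()].add(name)
    return {handle: sorted(names) for handle, names in by_handle.items()}


# Constructed corpus: two lures share a handle (once as creator, once as last editor),
# one unrelated document has a different author, and one has no core.xml at all.
SAMPLES = {
    "lure_a.docx": make_docx("Statement", "Handle_One", "editor"),
    "lure_b.docx": make_docx("Update", "someone", "handle_one"),
    "report.docx": make_docx("Quarterly", "unrelated_user", "unrelated_user"),
    "stripped.docx": make_docx("", "", "", with_core=False),
}

if __name__ == "__main__":
    for handle, names in sorted(pivot_on_handles(SAMPLES).items()):
        print(f"{handle}: {', '.join(names)}")
```

The same grouping works for any per-sample artifact (signer name or serial of a forged certificate, a C2 hostname) once it has been extracted into a string; a document with the metadata part stripped simply contributes nothing, which is why pivots of this kind are evidence, not proof, of a common operator.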
Hitham and Aert, two of the hackers, say they are in Algeria on their Gaza-hacker profiles, Krebs reported. Aert also appears to be affiliated with the Gaza Hackers Team, a group that vandalized an Israeli government website with calls of "Death to Israel."
As Krebs notes, sophisticated Internet attacks and electronic espionage operations on this scale have been thought possible only with state backing. This latest evidence, however, makes a strong case for an independent hacking group capable of keeping pace with its state-sponsored counterparts.
Fagerland declined to speculate as to who these hackers might be. Someone "with intelligence needs against both Israelis and Palestinians," he said. "But I think it's almost unheard of in a cyberwar context that two parties involved in a conflict get spied on by the same entity."