The Czech Security Intelligence Service (BIS) has intervened and taken down servers that have been used by Hezbollah operatives to target and infect users around the globe with mobile malware.
"I cannot comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers' system," said Michal Koudelka, BIS Director.
"We identified the victims and traced the attack to its source facilities," Koudelka added. "Hacker servers have been shut down."
BIS said the servers were located in the Czech Republic, and the agency was "almost certain" they were operated by Hezbollah, an Islamist political party and militant group based in Lebanon, which the US and fellow NATO countries have labeled as a terrorist organization.
The Czech intelligence agency said the servers and the malware distribution campaign appear to have been active since the start of 2017.
Hezbollah operatives worked by creating Facebook profiles, posing as attractive women, and reaching out to selected targets. The goal of the operation was to engage the target in private discussions and convince them to install a third-party instant messaging application to continue the conversation via this second, malware-infested app.
Targets were advised to download the app from a third-party server. The app was infected with spyware that allowed Hezbollah operatives to retrieve content from the victim's phone.
The servers hosting the malware were located in the Czech Republic, but also in other parts of the EU and the US. The campaign's targets were men located in the Middle East, but also in Central and Eastern Europe.
Middle Eastern intelligence and terrorist organizations have used this same tactic before. In January 2017, the Israel Defense Forces warned that Hamas (Palestine) agents were using Facebook profiles posing as women to trick soldiers into installing malware on their devices. In some cases, Hamas agents had also set up meetings with Israeli military personnel and ambushed, kidnapped, and sometimes killed targeted soldiers.
In June, Facebook and Twitter removed a large number of Hezbollah-operated accounts from their networks.