"I can not comment on the details, but I can confirm that BIS has played a significant role in identifying and uncovering the hackers' system," said Michal Koudelka, BIS Director.
"We identified the victims and traced the attack to its source facilities," Koudelka added. "Hacker servers have been shut down."
BIS said the servers were located in the Czech Republic, and the agency was "almost certain" they were operated by Hezbollah, an Islamist political party and militant group based in Lebanon, which the US and fellow NATO countries have labeled as a terrorist organization.
The Czech intelligence agency said the servers and the malware distribution campaign appears to have been going on since the start of 2017.
Hezbollah operatives operated by creating Facebook profiles, posing as attractive women, and reaching out to selected targets. The goal of the operation was to engage the target in private discussions and convince it to install a third-party instant messaging application to continue the conversation via this second, malware-infested app.
Targets were advised to download the app from a third-party server. The app was infected with spyware that allowed Hezbollah operatives to retrieve content from the victim's phone.
The servers hosting the malware were located in the Czech Republic, but also other parts of the EU and the US. The campaign's targets were men located in the Middle East, but also Central and Eastern Europe.
Middle Eastern intelligence/terrorist organizations have used this same tactic before. In January 2017, the Israeli Defence Force warned that Hamas (Palestine) agents were using Facebook profiles posing as women to trick soldiers into installing malware on their devices. In some cases, Hamas agents had also set up meetings with Israeli military personnel and ambushed, kidnapped, and sometimes killed targeted soldiers.
In July, this year, Hamas agents used the same tactic again, hiding malware in dating and World Cup-themed Android apps, according to reports from ClearSky, McAfee, and Check Point.
In June, Facebook and Twitter have removed a large number of Hezbollah-operated accounts from their networks.
How to discover and destroy spyware on your smartphone (in pictures)