Gaza hackers target IT teams in political attacks

The Gaza cybercriminal gang is launching malware in targeted attacks against embassies and government agencies.


A Middle Eastern group is targeting IT and incident response teams to steal valuable data and compromise government entities.

The Gaza cybergang is a "politically motivated" Arabic-speaking group operating in the MENA (Middle East and North Africa) region, specifically in Egypt, the United Arab Emirates and Yemen. In a blog post, Kaspersky researchers said the group has been in operation since 2012, but the team has recently noticed a surge in its activity.

Kaspersky says that Gaza is actively sending malware files to IT and incident response staff working for political entities. The group's focus on IT makes sense: these employees are likely to hold higher-privilege credentials than standard staff, because they need them to monitor and fix system infrastructure and to change software.

If an employee falls for a phishing campaign and their devices are compromised, this potentially gives Gaza the option to develop backdoors into systems as well as privileged access to sensitive data.

Rather than settling for standard user credentials, Gaza spends its time trying to compromise accounts with higher privilege levels. By also launching campaigns against incident response teams, the attackers are trying to capitalise on a group of employees who not only hold special access levels and permissions but also have sensitive data at their fingertips, since monitoring networks for suspicious activity requires exactly that kind of access.

The researchers say the main infection modules used by the group are common remote access Trojans (RATs), XtremeRAT and PoisonIvy. These malware strains compromise a system to allow the installation of backdoors, remote shell code execution, file upload and download, and manipulation of running processes and the Windows registry.

Gaza takes a particular interest in government entities and embassies, and often uses file names and domains -- for example, -- to refine its social engineering and improve its chances of duping victims.

The group also tailors its malware file names to look like legitimate software, using names such as WinRAR.exe, Microsoft Log.exe, WindowsUpdate.exe, Kaspersky.exe and Skype.exe.

The Gaza criminal group first surfaced in 2012. In a FireEye analysis, the campaign -- dubbed Molerats -- targeted Israeli government and Palestinian targets, as well as the US and UK. Malicious .RAR files were used in phishing campaigns to drop malware onto victims' machines, with the overall aim of compromising systems and stealing data.
