Operation Arid Viper bypassing Israel's Iron Dome
US President Barack Obama and Israeli Prime Minister Benjamin Netanyahu pose with members of Israel's defence force at an Iron Dome battery at Ben Gurion International Airport in Tel Aviv. Reuters/Jason Reed

A group of hackers linked to Gaza is actively targeting high-profile individuals in the Israeli government and military as part of an ongoing and sophisticated cyberattack dubbed Operation Arid Viper.

The attacks have targeted high-profile individuals in the Israeli government as well as officials in a number of other sectors including transport service/infrastructure providers, a military organisation, and an academic institution in Israel.

The campaign was discovered by security company Trend Micro, which detailed its deployment in a report entitled Operation Arid Viper: Bypassing the Iron Dome, saying it has been up and running since 2013.

Trend Micro believes that "Palestinian cyber-threat actors" based in Gaza are behind the attack. Its report names a number of individuals who it says "have some apparent connection" with Operation Arid Viper, but points out that "they may or may not be involved with cybercrime."

Pornographic video

The malware is delivered through a highly tailored phishing email, written specifically for each target to look as if it came from an authentic source. In a bid to distract victims, the attackers bundled the malware with a pornographic video in the hope that those who downloaded it would be too embarrassed to report the incident.

As well as downloading the porn film, victims download what looks like the Skype application but is in fact a piece of malware.

Once installed, the malware searches the system for documents of interest, including Word documents, Excel spreadsheets, PowerPoint presentations and other text files. It sends the resulting file list to a command-and-control (C&C) server, which checks it against a hard-coded blacklist of files to filter out irrelevant documents. The interesting documents are then packaged up and uploaded to the C&C server.

Underground hacker community

The attack leverages servers based in Germany, and it was while analysing this network infrastructure that Trend Micro's researchers came across a related, although much less sophisticated, attack dubbed Advtravel.

Advtravel targets a much wider range of individuals and aims to steal incriminating images or video from the infected system for use in blackmail campaigns. This campaign is being carried out by people based in Egypt against people in the same North African country.

While on the face of it the two attacks appear unconnected, Trend Micro has uncovered three major links between them.

As well as being hosted on the same servers in Germany, the domains for both Advtravel and Arid Viper were registered by the same individuals, and both campaigns can be tied back to activity from Gaza, according to Trend Micro.

Trend Micro concludes that, while there is no obvious link between the two campaigns on the surface, its research points to an underground community of Arab hackers supporting both:

"Our working theory (and subject of continuing investigation) is that there may be an overarching organisation or underground community that helps support Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructures, suggest targets and so on."