The cyberespionage team going by the aliases Gaza Cybergang, Gaza Hackers Team or Molerats is making its comeback after shutting down all activities in January, when one of its active operations, dubbed Operation DustSky, was first exposed by security researchers. The group had temporarily gone dark; however, researchers have uncovered that it resumed activities shortly afterward and began attacking Israeli, US, Palestinian, Egyptian and Saudi Arabian targets with renewed vigour.
According to security firm ClearSky, which first discovered the group's activities in Operation DustSky in January 2016, the hacker group has been active since 2012 and is also believed to have developed custom malware, such as DownExecute and others, which it then used to launch malicious campaigns against specific targets. Operation DustSky is a campaign that was found to target the UAE, Iraq, Israel, Egypt, Saudi Arabia and others through phishing.
ClearSky said in its first report about Operation DustSky: "Based on dozens of known attacks and the vast infrastructure in use — we estimate that a wave of targeted malicious email messages has been sent on a weekly basis. These attacks are targeted, but not spear-phished. I.e., malicious email messages are sent to selected targets rather than random mass distribution, but are not tailored specifically to each and every target. Dozens of targets may receive the exact same message. The email message and the lure document are written in Hebrew, Arabic or English — depending on the target audience."
In another, more recent report about the hacker group's resumed activities, ClearSky said: "Attacks against all targets in the Middle East stopped at once, after we published our first report. However, the attacks against targets in the Middle East (except Israel) were renewed in less than 20 days. In the beginning of April 2016, we found evidence that the attacks against Israel have been renewed as well.
Based on the type of targets, on Gaza being the source of the attacks, and on the type of information the attackers are after — we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks."
ClearSky also mentioned that during its short period of inactivity, at least one suspected member of the Gaza Cybergang attempted to get in touch with the security firm in an effort to ascertain how much and what kind of information it had against them. ClearSky also speculated that one of the reasons for the group having gone dark for a short while may have been to upgrade its malware. Researchers uncovered that the malware has been rewritten in C++ and that the group has switched targets in an effort to evade detection.
Among those being targeted as part of Operation DustSky are Saudi Arabia's Ministry of Foreign Affairs, banks in the UAE and Israel, former UK politicians, US State Department employees as well as various diplomats. The group was also discovered to have sent phishing emails to over 150 specific targets, focusing on attacking via private emails rather than professional ones.
ClearSky also indicated that the hacker group's more recent activities have not been as cautious as before and have left more clues, which in turn has led the company to conclude with fair certainty that Hamas may have a hand in the cyberespionage campaign.