A hacker group from the Middle East known as Molerats attacked a wide range of major public sector organisations over April and May, including the BBC and a smattering of European governments, researchers revealed today.
The latest attacks, which sought to establish espionage operations on targets’ digital infrastructure, took place between 29 April and 27 May, according to security technology vendor FireEye. The Molerats’ actions have added weight to concerns around growing cyber capability stemming from the Middle East.
Yet researchers are somewhat perplexed as to the motivation of the perpetrators, whose targets included both Israel and Palestine, as well as Turkey, Slovenia, Macedonia, New Zealand and Latvia. The hackers also went after government bodies in the US and the UK.
Ned Moran, senior malware researcher at FireEye, told me he wasn’t happy guessing at what Molerats were up to. “I have no comments on the attackers’ motivations,” he said. One likely answer is that the collective is simply a criminal operation breaking into as many organisations as possible to sell on the information they acquire.
FireEye explained that employees at organisations on Molerats’ target list were sent emails containing links and attachments that led to downloads of a type of malware known as Xtreme RAT (remote access Trojan). The links would promise information likely to interest the targets and lure them into clicking through.
In one case, a European government body, which the researchers could not name due to confidentiality and non-disclosure agreements, was sent a link that would lead to documents containing three images, including a political cartoon and two edited photos, negatively depicting the President-elect of Egypt Abdel Fattah el-Sisi.
It’s unlikely the link was used to target that one government organisation alone: the researchers found the URL had been clicked 225 times, from a variety of platforms and browser types. That suggests the lure itself worked reasonably well, although a click-through does not by itself confirm that the RAT was installed, and FireEye wouldn’t say whether any of the organisations covered by the research were actually breached. The BBC said it wouldn’t comment on matters of security.
Another attack saw emails carrying a malicious decoy document, titled “Sisi.doc”, sent to a second European government. The attackers appeared simply to have copied a Financial Times article and pasted it into the document, which, when opened, would likewise trigger the malware download. They likely focused on el-Sisi to pique the interest of government officials watching the situation in Egypt.
The Molerats crew has also been connected with the Gaza Hackers Team, which was suspected of carrying out attacks on Israeli government bodies in 2012; those attacks led to the nation’s entire police force being cut off from the internet. While that might have indicated the Molerats hackers were of a pro-Palestinian, hacktivist bent, the attacks from April and May saw both Palestinian and Israeli groups targeted.
“I think it’s likely to be criminally led as they don’t seem to care which side of the political argument targets lie,” said Professor Alan Woodward, a security expert from the Department of Computing at the University of Surrey. “There is some evidence that criminals are speculatively firing out RATs to hook as many as possible with a view to selling Crime as a Service (CaaS). The reason they like RATs is that they can then sell the access to a wide variety of ‘clients’ once they have particular victims ensnared.”
This could mean that groups which are particularly successful in hacking governments and NGOs would sell that access on to other nation states, Woodward said. They might also try to harvest financial information from their targets and sell it on to other criminals, he added.
Whatever the Molerats group is doing, it’s partly responsible for a notable rise in cyber-espionage activity stemming from the Middle East. “There appears to have been an increase in activity from the Middle East over the past 24 months,” said Moran.