Facebook has uncovered two hacking groups targeting a range of officials on opposite sides of the political divide in Palestinian politics.
On Wednesday, Facebook’s security team announced that it had disrupted a hacking effort linked to the Palestinian Authority-controlled intelligence agency, the Preventive Security Service (PSS), and a campaign targeting the Palestinian Authority linked to a shadowy hacking group known as “Arid Viper.”
According to Facebook, the PSS-linked hackers targeted non-governmental journalists and human-rights activists as well as government targets across the region, including in the Palestinian territories, Syria, Libya, Lebanon, and Turkey.
The PSS-linked hackers used sock-puppet accounts which posed “primarily as young women” in an effort to tempt targets into engaging with the personas and installing malicious Android and Windows applications.
In a somewhat more sophisticated effort, Facebook said Wednesday that it found a separate group of hackers linked to a group known to security researchers alternately as “Arid Viper” and “Desert Falcon” attempting to target officials from the Palestinian National Authority, Special Police, Ministries of Interior and Education, as well as the Palestinian political party, Fatah.
Arid Viper has been linked to a 2017 campaign in which fake Facebook profiles populated with thirst-trap photos of attractive women sent malicious Android apps to Israel Defense Forces (IDF) members. The IDF blamed Hamas for the social-engineering effort, and at least one cybersecurity firm attributed it to Arid Viper.
Facebook, however, said that it “cannot conclusively confirm this connection based on our evidence.”
In what Facebook called a “tactical shift,” Arid Viper moved away from a primarily Android-based approach and developed its own custom surveillance malware for Apple’s mobile operating system, iOS.
Starting in 2019, Facebook’s security team “observed a spike in Arid Viper’s activity involving the creation of dozens of fake Facebook and Instagram profiles.”
In particular, Arid Viper operators began attempting to post links to the iOS malware, as well as to a similarly malicious Android application, on Facebook’s platforms. Facebook blocked those links, which pushed the hackers to host the trojanized apps on off-platform websites.
The iOS malware used by Arid Viper appears to be less sophisticated than other malware found attacking iPhones and iPads. While the most capable iOS exploit chains can infect a device with a single click on a malicious link (or, in zero-click cases, with none), Arid Viper’s iOS malware was more rudimentary: it did not exploit a vulnerability in iOS itself. To infect a target, the hackers had to persuade the victim to install an application distributed outside the App Store and to weaken the phone’s security settings to allow it to run. Facebook characterizes the malware and the methods used to deploy it, which rely heavily on targets making a series of unwise security decisions, as having “low sophistication.”
Once installed, the malicious software could gain access to a user’s photos, camera, microphone, text messages, WhatsApp messages, and other sensitive data.
Facebook says it alerted affected users, blocked links to known phishing sites hosting the malware, and warned industry partners about the hackers' abuse of an Apple developer certificate which allowed the malicious software to appear legitimate.
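An app installed outside the App Store carries a provisioning profile (embedded.mobileprovision) whose fields record what kind of Apple developer certificate signed it, and whether that certificate let the signer push the app to any device (an enterprise, or “in-house,” profile) or only to a fixed list of enrolled devices. The script below, added here as an illustration and not code from the article, from Facebook, or from any Arid Viper sample, pulls the plist out of a profile and classifies it by Apple’s documented field semantics. All sample profiles, team identifiers, bundle IDs, device UDIDs and dates are constructed for the example; the CMS wrapper bytes are stand-ins, and the script does not verify the profile’s signature.

```python
"""Triage an iOS provisioning profile (embedded.mobileprovision) by how the
app it ships with can be installed. Added example built on constructed data;
not code from the article, from Facebook, or from any real malware sample."""
import plistlib
import re
from datetime import datetime

# The XML plist is the signed content of a CMS (PKCS#7) wrapper. For triage we
# slice it out by delimiter; this does NOT verify the CMS signature.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

ANALYSIS_TIME = datetime(2021, 6, 1)  # constructed "as of" time for the samples


def extract_plist(raw: bytes) -> dict:
    m = PLIST_RE.search(raw)
    if not m:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(raw: bytes, now: datetime = ANALYSIS_TIME) -> dict:
    """Distribution type plus the fields an analyst checks first.

    Rules follow Apple's profile semantics, not anything Arid Viper-specific:
      ProvisionsAllDevices true        -> enterprise (in-house): installs on any
                                          device once the user trusts the
                                          developer in Settings
      get-task-allow entitlement true  -> development profile (debuggable build)
      ProvisionedDevices present       -> ad-hoc, limited to the listed UDIDs
      otherwise                        -> App Store style profile
    """
    p = extract_plist(raw)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif ents.get("get-task-allow"):
        kind = "development"
    elif p.get("ProvisionedDevices"):
        kind = "ad-hoc"
    else:
        kind = "app-store"
    exp = p.get("ExpirationDate")  # plistlib returns naive UTC datetimes
    flags = []
    if kind != "app-store":
        flags.append("sideload-capable")  # never went through App Store review
    if exp is not None and exp <= now:
        flags.append("expired")  # iOS will not launch it, but keep the record
    return {
        "kind": kind,
        "name": p.get("Name"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ents.get("application-identifier"),
        "devices": len(p.get("ProvisionedDevices") or []),
        "expires": exp,
        "flags": flags,
    }


def _wrap(xml: str) -> bytes:
    """Stand-in for the CMS wrapper: constructed bytes around the plist."""
    return (b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
            + xml.encode() + b"\x00\x00junk")


def _profile(body: str) -> bytes:
    return _wrap('<?xml version="1.0" encoding="UTF-8"?>\n'
                 '<plist version="1.0"><dict>' + body + '</dict></plist>')


# Constructed sample profiles; every value below is made up.
ENTERPRISE = _profile("""
  <key>Name</key><string>Example In-House Messenger</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2022-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.messenger</string>
    <key>get-task-allow</key><false/>
  </dict>""")

ADHOC = _profile("""
  <key>Name</key><string>Example Beta</string>
  <key>TeamIdentifier</key><array><string>FGHIJ67890</string></array>
  <key>ProvisionedDevices</key><array>
    <string>00008030-000000000000002E</string>
    <string>00008030-000000000000003F</string>
  </array>
  <key>ExpirationDate</key><date>2022-06-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>FGHIJ67890.com.example.beta</string>
    <key>get-task-allow</key><false/>
  </dict>""")

APPSTORE = _profile("""
  <key>Name</key><string>Example Store Build</string>
  <key>TeamIdentifier</key><array><string>KLMNO13579</string></array>
  <key>ExpirationDate</key><date>2022-06-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>KLMNO13579.com.example.store</string>
    <key>get-task-allow</key><false/>
  </dict>""")

SAMPLES = {"ENTERPRISE": ENTERPRISE, "ADHOC": ADHOC, "APPSTORE": APPSTORE}


def triage_all(now: datetime = ANALYSIS_TIME) -> dict:
    return {label: classify_profile(raw, now) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, r in triage_all().items():
        print(f"{label:10} {r['kind']:11} team={r['team_id']} flags={r['flags']}")
```

On a real device the profile comes out of the app bundle inside the .ipa; the team identifier is the pivot for correlating every app signed with the same abused certificate, and an “enterprise” result on a device that was never enrolled in any organisation’s in-house distribution is the signal to look at. Because the script only slices out the plist, a forged profile would classify fine here while failing Apple’s on-device signature check; treat the output as triage, not as proof.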
The iPhone-targeting attempts, according to Facebook, suggest that Apple’s platform is increasingly a target for hackers well beyond top-tier state actors. “Arid Viper’s use of custom iOS surveillance-ware shows that this capability is becoming increasingly attainable by adversaries believed to be of lower sophistication,” the company said.