Detailing its findings in a blog post on Monday, researchers at FireEye Labs say that they observed attacks from the group between April 29 and May 27 of this year, adding that targets included Palestinian and Israeli surveillance targets, government departments in the UK, US, Israel, Turkey, Slovenia, Macedonia and Latvia, and the British Broadcasting Corporation (BBC). The Office of the Quartet Representative – which represents the United Nations, the European Union, the United States and Russia in mediating Middle East peace negotiations – was also hit.
"Cyber criminals are targeting UK (and other European) Government(s) by sending spear phishing emails with malicious attachments," Ned Moran, senior malware researcher at FireEye, told SCMagazineUK.com.
FireEye – which purchased Mandiant for US$1 billion (approximately £597 million) at the start of the year – said that it believes this cyber espionage campaign was initiated by spear phishing emails carrying a malware-laden attachment. On clicking a shortened URL link, recipients were asked to download a .ZIP file, which in one case held a decoy Microsoft Word document, “rotab.doc”, containing images negatively depicting former Egyptian military chief Abdel Fattah el-Sisi. One of the URL links had been clicked on 225 times.
FireEye was keen to distance itself from saying that Chinese APT threat actors were involved (despite Chinese language in some of the documents), instead pointing to increasing activity from threat actors from other nation states. As one example, it noted the Iranian-based threat actor “Ajax Security Team”, said to be behind attacks against US defence organisations.
“Although many attacks against our customers appear to originate from China, we are tracking lesser-known actors also targeting the same firms. Molerats campaigns seem to be limited to only using freely available malware; however, their growing list of targets and increasingly evolving techniques in subsequent campaigns are certainly noteworthy,” read the company's blog post.
Adding to this, one of the files contained in the .ZIP archive was an “Arabic language decoy document” in Microsoft Word format, containing excerpts from Egyptian Major General Hossam Sweilem on the Muslim Brotherhood and military strategy.
“The title of the document appears to have several Chinese characters, yet the entire body of the document is written in Arabic,” explained Dahms. “As noted in our August 2013 blog post, this could possibly be a poor attempt to frame China-based threat actors for these attacks.”
MWR InfoSecurity director Alex Figden said that the method of attack may be traditional, but it works with increasing regularity.
"Molerats is the name of an operation that has been tied by FireEye to a group known as 'Gaza Hackers Team'. This campaign was notable in the fact that it made use of Poison Ivy, a Remote Administration Tool (RAT) almost always attributed to China,” he told SCMagazineUK.com.
“The attacks have continued, but FireEye has managed to link the attacks through the use of three forged certificates, which they used to tie the disparate attacks together. The method of attack is the traditional attempt to email a lure document to the victim which contains a malicious payload.
“We would recommend that users be aware of the sectors targeted by this campaign, and ensure that they are familiar with their organisation's standard security policies, which should already warn against opening suspicious or unknown attachments."
This isn't the first time the Molerats group has struck. FireEye says that the group has previously used the off-the-shelf Poison Ivy RAT in attacks dating back to October 2011, against targets ranging from the UK and US governments to Tony Blair, the former British prime minister and current Middle East peace envoy.