‘Moonlight’ Hackers Coordinating Targeted Attacks Against Entities In The Middle East

Vectra Networks has uncovered a hacking group (code named Moonlight) conducting cyberespionage against targets in the Middle East. Vectra has identified over two hundred samples of malware generated by the group over the last two years.

 Key findings:

• The attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions
• These are not technically sophisticated attackers, however, they do deploy some novel tactics and the implications of these attacks could be significant
• Both the tools and targets of Moonlight are reminiscent of “Gaza Hacker Team” – a group of attackers that are said to be politically aligned to the Hamas
• Vectra refer to group of attackers as Moonlight, after the name the attackers chose for one of their command and control domains
• The earliest attacks appear to be non-targeted, opportunistically inviting victims to click links on YouTube videos and social media posts typical of Middle-Eastern “hacktivists”. Later attacks appear to target particular groups or individuals (politicians, activists and staff at NGOs)

Vectra worked with providers to sinkhole Moonlight’s command and control infrastructure. More details on the attack here. Gunter Ollmann, CSO, Vectra Networks commented below on the nature of the attacks.

Gunter Ollmann, CSO at Vectra Networks:

“Targeted attacks don’t need to be sophisticated to work, especially if the targets are highly localised. An appropriately targeted and sentiment driven attack tends to be more successful often because of the lack of technical sophistication.”

“The anti-botnet industry has increasingly focused on big-name malware families and criminal organisations. We’ve become accustomed to viewing a threat through the lens of hundreds of thousands of victims. As a consequence, we’ve become myopic to the smaller and much more targeted attacks that often impact their victims in ways considerably more severe than just identify theft.”

“Whether it’s freedom fighters or terrorists, the cyber-domain is increasingly an important theatre for propagating a cause. The tools necessary to target the opposition and gather valuable intelligence are in play by both small and large groups around the world. Cyber warfare isn’t just the domain of large nation state actors.”