Facebook on Wednesday detailed steps it took to counter two groups of alleged Palestinian hackers, one with suspected ties to the Palestinian state and another reportedly linked to the Hamas militant group.
The hackers linked to the Preventive Security Service (PSS), the Palestinian Authority’s internal intelligence organization, targeted victims primarily in the Palestinian territories and Syria, Facebook said. To a lesser degree, they targeted Turkey, Iraq, Lebanon and Libya.
Those attackers went after groups and individuals seemingly viewed as a threat to the Fatah-led government, including journalists, dissidents and human rights activists. They also aimed at military organizations such as the Syrian opposition and Iraqi military, Facebook said.
The alleged Hamas-linked hackers, dubbed Arid Viper, by contrast, targeted victims associated with the Palestinian Authority, government organizations and backers of the Fatah-led government, Facebook said.
Arid Viper drew attention for pursuing Israeli targets, both when it burst into public view in 2015 and in subsequent research. But Hamas and the Fatah party are frequently at odds, and some public reporting has pointed to the group's more recent targeting of Fatah.
The cat-and-mouse game between Facebook and Arid Viper stretched from early 2019 — when the social media giant began blocking links to malicious sites — to late 2020. Facebook recorded a spike in activity from the allegedly PSS-connected group in the second half of 2020.
“To disrupt both these operations, we took down their accounts, released malware hashes, blocked domains associated with their activity and alerted people who we believe were targeted by these groups to help them secure their accounts,” wrote Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and David Agranovich, director of threat disruption. “We shared information with our industry partners including the anti-virus community so they too can detect and stop this activity, strengthening our collective response against these groups across the internet.”
A Facebook analysis found that the allegedly PSS-linked hacking group relied primarily on custom-built Android malware, occasionally using publicly available Windows malware. Arid Viper — also known as Desert Falcon and APT-C-23 — used previously unreported, custom-built iOS spyware, as well as Android and Windows malware, Facebook said.