Israeli cybersecurity company Cybereason has today reported an espionage campaign they have discovered targeting the aerospace and telecommunications industries. Its focus is mostly the Middle East, but it also extends to the United States, Russia and Europe.
Referred to as ‘Operation GhostShell’, the campaign has sought to steal sensitive information about critical assets, organisational infrastructures and technologies. One of Cybereason’s teams uncovered a previously undocumented and stealthy Remote Access Trojan that they have dubbed ‘ShellClient’, which was the primary tool used in the espionage.
Illustration of cyber espionage (credit: Wikimedia Commons)
In seeking to identify the developers of ShellClient, Cybereason has discovered a new Iranian group, dubbed MalKamak, that seems to have been operational since at least 2018.
Cybereason’s researchers say that the developers of ShellClient put a lot of effort into enabling it to evade detection by antivirus and other security tools. That was done using “multiple obfuscation techniques and recently implementing a Dropbox client for command and control, making it very hard to detect.”
One tactic was to use the Dropbox storage service as a command and control platform. By polling the Dropbox API frequently, the malware is able to receive commands and transfer files without being detected by network monitoring tools, because its traffic blends in with ordinary use of a legitimate cloud service.
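As an added illustration of the defensive side of that point (example code written for this article, not Cybereason’s tooling), the following Python script scores hosts in a proxy log by how regularly they contact the Dropbox API domains, since a fixed-interval poll is what distinguishes a command-and-control loop from a person using Dropbox; the log lines, host names and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains that serve the Dropbox HTTP API (real endpoints, not taken from the report).
DROPBOX_API_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # "<iso-timestamp> <src-host> <dst-domain>"

# Constructed sample proxy log: ws-17 polls the API every ~5 minutes with almost no jitter,
# ws-02 uses Dropbox irregularly like a person would, ws-09 makes a single call.
SAMPLE_LOG = """\
2021-09-01T10:00:00 ws-17 api.dropboxapi.com
2021-09-01T10:00:41 ws-02 www.example.org
2021-09-01T10:05:01 ws-17 api.dropboxapi.com
2021-09-01T10:07:10 ws-09 api.dropboxapi.com
2021-09-01T10:10:00 ws-17 content.dropboxapi.com
2021-09-01T10:12:30 ws-02 api.dropboxapi.com
2021-09-01T10:13:05 ws-02 content.dropboxapi.com
2021-09-01T10:15:02 ws-17 api.dropboxapi.com
2021-09-01T10:20:00 ws-17 api.dropboxapi.com
2021-09-01T10:25:01 ws-17 api.dropboxapi.com
2021-09-01T10:30:00 ws-17 api.dropboxapi.com
2021-09-01T10:31:00 ws-02 api.dropboxapi.com
2021-09-01T10:33:20 ws-02 api.dropboxapi.com
2021-09-01T10:34:00 ws-02 content.dropboxapi.com
"""

def parse(log):
    """Yield (timestamp, src, dst) tuples from proxy log text, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beaconing_hosts(log, min_events=5, max_cv=0.1):
    """Return {src: mean_gap_seconds} for hosts whose Dropbox API contacts look like a
    fixed-interval poll: at least min_events contacts, and the gaps between them have a
    coefficient of variation (stdev / mean) at or below max_cv."""
    contacts = defaultdict(list)
    for ts, src, dst in parse(log):
        if dst in DROPBOX_API_DOMAINS:
            contacts[src].append(ts)
    flagged = {}
    for src, times in contacts.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[src] = avg
    return flagged
```

A host that runs the legitimate Dropbox sync client will also poll regularly, so a hit is a triage lead to correlate with the software inventory and process telemetry for that machine, not a verdict on its own.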
Speaking to the Jerusalem Post, Assaf Dahan, head of the cyber threat research group at Cybereason, described the group’s investigation of one incident:
“Deep investigative work found that this is just one part of an entire Iranian intelligence campaign that has been conducted in secret and under the radar for the past three years … This is a sophisticated Iranian attacker who acted professionally according to a considered and calculated strategy. The potential risk inherent in such an assault campaign is large and significant for the State of Israel and may pose a real threat.”
He continued:
“The fact that they were able to stay under the radar for three years shows their level of sophistication. We assess that they have been able to exfiltrate large amounts of data over the years – gigabytes, or even terabytes.”
It seems there is much more to discover about the full implications of this threat.