Original URL: http://www.theregister.co.uk/2014/01/28/israel_defence_ministry_contractors_phished/

Israel defence ministry, contractors phished by mystery attacker

Security vendor: It was Palestine wot did it

By Richard Chirgwin

Posted in Security, 28th January 2014 01:59 GMT

Individuals in the Israeli Ministry of Defence are among the latest to fall victim to phishing attacks that gave attackers access to a number of the nation's government systems.

According to UPI, Israeli security vendor Seculert believes as many as 15 machines were compromised earlier this month.

The report quotes Seculert's CTO Aviv Raff as saying an infected e-mail was sent to “a number of companies” in Israel, as well as security organisations, and that one of the compromised computers “belonged to the Civil Administration”. The e-mail included an attachment containing a news story about the death of former prime minister Ariel Sharon.

Part of Defence, the Civil Administration is responsible for issuing permits for Palestinians who work in Israel, as well as overseeing goods travelling to the West Bank and Gaza Strip.

However, the attack doesn't seem to have reached machines containing classified data.

Seculert told the BBC the phishing message spoofed the Shin Bet security service, which tricked many of its targets into opening it. Raff said that based on a previous attack, he believed the message originated from Palestinian attackers.

Reuters quotes an anonymous source as saying that some of the compromised machines belonged to defence contractors in Israel.

The attack software was an Xtreme RAT (remote access trojan), similar to an attack used in 2012 to penetrate Israel's police force. In the 2012 attack, the trojan was embedded in a Word document; this time, a PDF was used.

In this blog post, Raff writes that the command and control server for the attack was located in the USA, and the trojan used HTTP over port 1863 to communicate with the C&C. ®