The recently reported malicious software attacks against Israeli and Palestinian targets have expanded to hit other targets, including individuals working within the U.S. Congress, the UK government and government workers in countries ranging from Turkey to Slovenia and New Zealand, according to a report from security firm Trend Micro. Attacks on U.S. government sites resemble those recently observed targeting the Israeli and Palestinian governments.
In a blog post on Wednesday, Trend Senior Threat Researcher Nart Villeneuve wrote on the company’s Security Intelligence blog that those attacks are ongoing and involve a much wider list of targets than initially reported.
The attacks first came to light after a Times of Israel report revealed on October 28 that computer systems used by that country’s police departments were taken offline following a virus infection. Subsequent analysis by Trend and others (PDF) revealed that the malware used in the attacks was a variant of the common Xtreme Remote Access Trojan (Xtreme RAT) – an information-stealing program that can be remotely controlled and is known to have been used in attacks against Syrian government activists.
The malicious software arrived in e-mail messages, disguised as a .RAR-format archive in messages titled “Report & Photos: IDF operations in Gaza.” Analysis by the security firm Norman found that the malicious emails were sent to addresses mostly belonging to Israeli and Palestinian government officials.
But Trend claims that it received emails dated November 8 and November 11 that mixed Government of Israel targets with an expanded list that included e-mail addresses at the U.S. State Department (state.gov) and the U.S. Congress (house.gov and senate.gov), as well as the U.S. AID.
Trend said that it doesn’t have any information on how many (if any) of the malicious e-mails were received by the designated victims or how many attachments were opened, infecting the recipient.
The origin of the emails is unclear. While the attacks appear, superficially, to be politically motivated, research on some components used in the attacks, including Internet domains linked to the Xtreme RAT installations, suggests that they may be opportunistic attacks aimed at gaining a foothold on sensitive government networks. As recent reports have made clear, cyber criminals can make money by selling access to high-value systems, including those on corporate and government networks.