
Molerats Hackers Target BBC, European Governments

Security researchers have detected attacks by a hacker group designated Molerats that have targeted the BBC, European government organisations and at least one major US financial institution.

The attacks, spotted by security firm FireEye and described in a recent study, took place in late May, but the firm said they appear to be part of a campaign that goes back several years and is still continuing.


Series of attacks

“This was just one unique facet to a much broader series of related attacks dating back to as early as October 2011 and are still ongoing,” the firm stated.

FireEye last published details on the Molerats attacks in August of last year, linking the group to targets in the US and UK governments as well as Israeli and various Middle Eastern targets.

The group of hackers, identified by factors such as the type of file used to spread malware and the type of Remote Access Tools (RATs) typically used in the attacks, is now targeting a wider range of organisations, including Palestinian and Israeli surveillance targets, government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the US and the UK, the BBC, a major US financial institution and multiple European government organisations, FireEye said.

“Molerats activity has been tracked and expanded to a growing target list,” the company said in its study.

Commonly available tools

The group uses the same kind of commonly available RAT often employed by Chinese attackers, according to FireEye. Its decoy documents, which contain malicious files, are typically written in English or Arabic and focus on current events in the Near East. Molerats’ recent attacks all use the Xtreme RAT tool, FireEye said.

The group may be related to another known as the Gaza Hackers Team, FireEye said, adding that to date, there is no evidence of the involvement of a national government.

While the recent attacks don’t use any unknown or advanced malware or zero-day exploits, they have employed techniques such as varying the server ports used to communicate with the malware in order to make the attacks harder to spot.

“Molerats campaigns seem to be limited to only using freely available malware; however, their growing list of targets and increasingly evolving techniques in subsequent campaigns are certainly noteworthy,” FireEye stated.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
