Reports of the Israel Police using the infamous Pegasus spyware developed by the NSO Group have exposed the threat of malicious software infecting our phones and siphoning off users’ personal information. NSO’s Pegasus is only one of many such spyware tools, and the scandal has exposed the need to secure our mobile devices from attacks by other, less sophisticated hackers.
Such attacks have been around for years. Before the Pegasus affair, Israeli mobile phones had suffered dozens of attempted hacking campaigns. Some attackers aimed to extort money; others were political attacks launched by state actors like Iran and Egypt or organizations like Hamas.
Not all attacks are at a Pegasus technical level; considerably less sophisticated attacks can also inflict serious damage.
The software sold to police forces and regimes across the world is undoubtedly advanced. In some cases Pegasus can hack a target’s phone with “zero clicks,” exploiting technological rather than human weaknesses (many spyware tools require some form of social engineering to get victims to click on a seemingly innocent link that infects their phones). It is even more sophisticated because the weaknesses Pegasus exploited lay in systems considered very secure, like Apple’s iOS operating system.
Photo: An iPhone displays the Facebook app. Credit: Jenny Kane / AP
Investigators from both the cyber community and academia gauge an attacker’s power by their level of technical sophistication. They check how unique the technology is, how original it is and how difficult it is to detect. However, sometimes you don’t need such super-advanced tools.
Bunker hack
Cyber experts offer an example: imagine a fortified bunker with a single entrance. The door can be opened from outside only with the right form of identification. At the entrance we installed a camera that scans all the activity outside the bunker and records every movement on a computer. If we analyze the potential threats around us, it appears nobody can breach the entrance.
An attacker planning to breach the bunker cannot hack their way in – at least not with the means we know. But one day an attacker finds a loophole: if the camera sees a certain text, it copies it into the system. If the text is an order, the system also carries it out.
The attacker conducts an experiment. They come with a sign that says “open the door” and stand in front of the camera. Instead of simply recording the person approaching the bunker with the sign, the system reads the sign and records the instruction written on it. It then proceeds to carry it out, opening the door even though no proper identification was provided. The bunker was completely fortified, but an unsophisticated attacker used a simple technological weakness to get in.
This is not a hypothetical scenario but the logic of a real breach that took place recently – Log4j.
Log4j is the name of the code library in which this loophole was discovered in December 2021. The weakness let an attacker operate the “camera” remotely: the library in which the weakness was found was supposed to log actions carried out in a Minecraft game, but instead of merely logging, the loophole allowed attackers to perform several actions, such as downloading files remotely onto the victim’s computer. All it took was feeding the library a short, specific piece of text, using a technique that had been discovered years earlier.
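To make the bunker analogy concrete, here is an added toy example in Python (it is not Log4j’s own code and is not part of the article): a naive logger that resolves `${kind:argument}` patterns inside the text it records, beside one that treats that text as plain data, plus a check that flags such patterns in untrusted input. The lookup kinds, the “remote” side effect and the sample chat message are all constructed for the illustration.

```python
import re

# Added illustration of the flaw described above (not Log4j's own code): a logger
# that interprets the text it records, like the bunker camera reading a sign.
# The lookup kinds, the "remote" side effect and the sample message are constructed.

# A lookup looks like ${kind:argument} embedded in otherwise ordinary log text.
LOOKUP_PATTERN = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")


def _resolve_lookup(kind, arg, audit):
    """Perform the lookup a naive logger is willing to do on logged text.
    'remote' stands in for the class of lookup that reaches outside the system;
    the audit list records that side effect so it can be observed."""
    if kind == "env":
        return "ENV[" + arg + "]"
    if kind == "remote":
        audit.append(("remote-fetch", arg))  # triggered purely by text that was logged
        return "<content fetched from " + arg + ">"
    return "${" + kind + ":" + arg + "}"  # unknown kinds are left untouched


def vulnerable_log(message, audit):
    """The 'camera that obeys signs': resolves every lookup before recording."""
    return LOOKUP_PATTERN.sub(
        lambda m: _resolve_lookup(m.group(1), m.group(2), audit), message
    )


def hardened_log(message, audit):
    """The fix in spirit: logged text is data, never an instruction (audit stays empty)."""
    return message


def suspicious_lookups(log_lines):
    """Detection: return (line index, lookup text) for lookup syntax in untrusted input."""
    return [
        (i, m.group(0))
        for i, line in enumerate(log_lines)
        for m in LOOKUP_PATTERN.finditer(line)
    ]


if __name__ == "__main__":
    # Constructed sample: a chat message that a game server would log verbatim.
    chat = "player1: hello ${remote:example.invalid/x}"
    audit = []
    print(vulnerable_log(chat, audit), audit)  # the remote fetch fires
    audit = []
    print(hardened_log(chat, audit), audit)    # nothing happens
    print(suspicious_lookups([chat, "player2: gg"]))
```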
Most attackers don’t rely only on technological weaknesses like those exploited by Pegasus or Log4Shell. The most common weaknesses are human ones.
Therefore, what must be taken into account is the strength of the interface between the attacker’s intentions and their ability to carry them out, not only the attacker’s technological sophistication. The way power is used is more important than the power itself.
One of the most active cyber organizations targeting Israel is Hamas, through its cyber branches known as APT-C-23, AridViper and MoleRATs. Mostly these groups don’t use technologically sophisticated means at all, yet they have succeeded in compromising dozens of targets over the years.
How do they do it?
The Hamas attackers do not score highly on the power index. The reason for their success is their ability to take advantage of the psychological weaknesses of their targets. For example, in the 2018 round of hostilities between Hamas and Israel they used software posing as an air-raid siren alert application, which warns of incoming rockets. A considerable number of the targets who received the application, which AridViper was spreading, downloaded it onto their phones without thinking twice. A month later the same group distributed applications of two kinds – one with the results of the FIFA World Cup games and the other a dating app for youngsters called GlanceLove.
The group distributed the applications by means of fake profiles in the guise of beautiful women and targeted lower-rank soldiers. This gave the attacker a better chance to compromise their phones, because the chances they’d secure their information are lower than those of experienced officers. A soldier texting his friends about going out on a mission could be a more valuable surveillance target than a sophisticated target who wouldn’t reveal this kind of information over the phone.
Another group identified with Hamas, which could in fact also be AridViper, was exposed in November last year as the distributor, via a malicious text message, of an application purporting to update Android systems. After installation, the application asks for special permissions on the phone – to record sound, to update the application, etc. How many of us don’t actually read the fine print when installing a new app, but rather allow such actions automatically?
These examples show that while attackers sometimes use a technological weakness that doesn’t depend on us, in most cases “non-sophisticated” attackers can achieve impressive results using social engineering: taking advantage of our human weaknesses, misleading us psychologically and exploiting our stress over a geopolitical issue like a military operation or the coronavirus pandemic, our desire to meet a partner, or even our wish to catch up on game results.
This article is about cell phones, but phishing attacks are carried out against other devices as well. We must understand that we could be an intelligence target even if it seems to us that we are not a valuable one. There may be someone interested in taking over our computer, phone or even an asset like an email or Instagram account or a credit card number.
Even a non-sophisticated attacker can fool us and gain access to our smartphone by simple means. The public must be more skeptical, especially when someone is trying to get us to download something like an application or click on some link. Members of the public must check themselves, pay attention to which applications they grant permissions to and what those permissions entail. We won’t always be able to stop all the attacks, but we can reduce the risk of our devices being compromised.