Cyber Incident Victim: Israel Security Agency
Date: Feb 2020
Location: Israel
Summary
A hacking group associated with Hamas, identified as APT-C-23, compromised mobile devices of Israeli soldiers by posing as young women on social media platforms and directing targets to download malicious chat applications. The malware, disguised as legitimate apps like GrixyApp and Catch&See, installed a remote access trojan that harvested sensitive data including GPS locations, SMS messages, contact lists, and device storage contents while enabling camera access and remote file execution. Though the attack affected several hundred soldiers, Israeli defense and security agencies disrupted the operation by dismantling the command infrastructure in a joint counter-operation. No significant security breaches resulted from the incident, with compromised devices undergoing disinfection procedures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In mid-February 2020, the Israel Defense Forces (IDF) identified a cyberespionage campaign targeting its soldiers through coordinated social engineering tactics. APT-C-23, a threat actor linked to Hamas and known for Middle Eastern operations, created six fictitious female personas—Sarah Orlova, Maria Jacobova, Eden Ben Ezra, Noa Danon, Yael Azoulay, and Rebecca Aboxis—using altered photographs to obscure their origins. These profiles, portraying attractive young women claiming to be new immigrants to Israel, contacted soldiers across Facebook, WhatsApp, Telegram, and Instagram, initiating text and voice conversations to build trust. After establishing rapport, the attackers directed victims to download one of three malicious applications ("GrixyApp," "ZatuApp," or "Catch&See") from unofficial sources, falsely presenting them as chat platforms akin to Snapchat. Upon installation, the apps displayed an error message indicating device incompatibility and purportedly initiated uninstallation, while covertly deploying a mobile remote access trojan (MRAT). The malware established communication with command-and-control (C2) servers via the MQTT protocol, enabling data exfiltration including phone numbers, GPS coordinates, stored files, SMS messages, and contact lists. Additional functionalities allowed surreptitious photo capture, file downloads, and arbitrary command execution as directed by the C2 infrastructure. IDF assessments indicated several hundred soldiers installed the malware, though the operational impact remained unclear.

The IDF and Israel Security Agency (ISA/Shin Bet) launched Operation "Rebound" to neutralize the threat, tracking the malware’s network activity and dismantling APT-C-23’s infrastructure. Affected soldiers were summoned for device disinfection and debriefing, with no confirmed security breaches reported despite the malware’s extensive data-collection capabilities. Analysis revealed the attackers maintained fraudulent websites for their malicious apps, complete with descriptive content and imagery to enhance legitimacy. While the campaign demonstrated sophisticated tradecraft in social engineering and malware deployment, rapid detection and coordinated response mitigated potential damage. The incident underscored the persistent targeting of military personnel through psychological manipulation and mobile attack vectors in regional conflicts.
