Cyber Incident Victim: ZooPark
Date: May 2018
Location: Egypt
Summary
A vigilante hacker breached a server associated with the ZooPark cyberespionage group, believed to be government-linked, stealing data that ZooPark had collected from victims primarily in Egypt and Iran. The compromised information included intercepted text messages, emails, GPS locations, audio recordings, and device details—all from Android devices infected via deceptive tactics such as fake voting apps and news-themed lures. The hacker criticized the group's operational security, highlighting code reuse vulnerabilities, while Kaspersky researchers noted ZooPark's targeting of entities including a United Nations agency and individuals accessing extremist content. The breach exposed infrastructure hosted in Tehran and revealed surveillance activities spanning multiple Middle Eastern countries, compromising victims' communications and account verification codes for platforms like Instagram and Telegram.
Description
On or around May 10, 2018, a vigilante hacker breached a server associated with the ZooPark advanced persistent threat (APT) group, a cyberespionage operation first documented by Kaspersky researchers earlier that month. The hacker accessed data ZooPark had exfiltrated from victims across the Middle East, including text messages, emails, GPS coordinates, and audio recordings captured by compromised Android devices. The earliest infection timestamp in the stolen data was from 2016, consistent with Kaspersky’s assessment that this iteration of ZooPark’s malware originated that year. Kaspersky’s prior report identified victims in Egypt, Jordan, Morocco, Lebanon, and Iran, with GPS data from the breached server showing concentrated infections in Egypt and Iran. The malware was distributed through fake news applications and a fraudulent voting app tied to the Kurdistan independence referendum, with indications that United Nations Relief and Works Agency (UNRWA) personnel were targeted based on thematic lures.

The vigilante hacker exploited a server listed in Kaspersky’s research, defaced it with a message detailing the intrusion, and archived a copy on the Internet Archive as evidence. Analysis of the stolen data confirmed it originated from ZooPark’s operations, including device models consistent with Android targeting and SMS messages containing Instagram and Telegram verification codes. One infected device’s browsing history included visits to Islamic State-related websites, though the context remained unclear. The hacker claimed to have identified an additional ZooPark-associated server in Tehran, Iran, suggesting a potential link to Iranian actors, though Kaspersky stated it could not confirm the group’s affiliation at the time. The breach exposed operational vulnerabilities, with the hacker criticizing ZooPark’s code reuse and dismissing their sophistication despite Kaspersky’s characterization of the campaign as "sophisticated cyberespionage." No formal response actions from ZooPark or victim organizations were disclosed in the available data.
