
Cyber Incident Victim: Israel Defense Forces

Date:

Feb 2020

Location:

Israel

Summary

A hacking group associated with Hamas, identified as APT-C-23, compromised mobile devices of Israeli soldiers through social engineering tactics using fake female personas on messaging platforms. The attackers lured victims with deceptive profiles and directed them to download malicious apps disguised as chat tools, which installed a mobile remote access trojan capable of harvesting sensitive data including GPS locations, SMS messages, and device storage contents, while also enabling camera access and file execution. The Israel Defense Forces confirmed infections on several hundred devices but disrupted the operation's infrastructure in collaboration with domestic intelligence agencies, mitigating potential security impacts through device disinfection and infrastructure takedown efforts.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In February 2020, the Israel Defense Forces (IDF) identified a cyberespionage campaign targeting its soldiers through social engineering tactics. The threat actor APT-C-23, linked to the Hamas militant group and known for Middle Eastern operations, created six fictitious female personas—Sarah Orlova, Maria Jacobova, Eden Ben Ezra, Noa Danon, Yael Azoulay, and Rebecca Aboxis—using altered images to obscure their origins. These profiles posed as young women, often presented as new immigrants to Israel, and initiated contact with soldiers across Facebook, WhatsApp, Telegram, and Instagram. After establishing rapport, the attackers directed victims to download one of three malicious applications ("GrixyApp," "ZatuApp," or "Catch&See") from unofficial sources, falsely marketed as secure chat platforms akin to Snapchat. Upon installation, the apps displayed a fake error message claiming device incompatibility and purportedly uninstalling themselves, while covertly deploying a mobile remote access trojan (MRAT). The malware established communication with command-and-control (C2) servers via the MQTT protocol, enabling data theft including phone numbers, GPS locations, SMS messages, stored files, and contact lists. It could also capture photos, download additional files, and execute remote commands. The IDF estimated "a few hundred" soldiers installed the malware, though no operational security breaches were confirmed.


The IDF and Israel Security Agency (ISA/Shin Bet) detected the campaign and launched Operation "Rebound" to neutralize the threat. Affected soldiers were summoned for questioning, and their devices underwent disinfection procedures. Israeli intelligence traced the malware’s infrastructure and successfully disrupted APT-C-23’s C2 servers, preventing further data exfiltration. The attackers had bolstered their credibility by creating dedicated websites for the fake apps, complete with descriptions and branding, to appear legitimate. Despite the malware’s extensive capabilities, the IDF contained the incident rapidly, emphasizing that no critical systems were compromised. The operation highlighted APT-C-23’s persistent focus on social engineering as a means to infiltrate military targets, though the coordinated response mitigated potential damage.

Sources

1 source (available to members)