Facebook announced on Wednesday that it had disabled accounts it said were being used by the Palestinian Authority’s Preventive Security Service (PSS), its internal intelligence organization, to spy on political opponents, journalists and human-rights activists.
“Today, we’re sharing actions we took against two separate groups of hackers in Palestine—a network linked to the Preventive Security Service (PSS) and a threat actor known as Arid Viper—removing their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet,” said Facebook’s Mike Dvilyanski, head of Cyber Espionage Investigations, and David Agranovich, director of Threat Disruption, in a statement.
The PSS-linked accounts “targeted primarily domestic audiences in Palestine,” the statement said, with the activity originating in the West Bank. These accounts also targeted, to a lesser extent, users in Turkey, Iraq, Lebanon and Libya.
“It relied on social engineering to trick people into clicking on malicious links and installing malware on their devices. Our investigation found links to the Preventive Security Service—the Palestinian Authority’s internal intelligence organization,” said the statement. “This persistent threat actor focused on a wide range of targets, including journalists, people opposing the Fatah-led government, human rights activists and military groups including the Syrian opposition and Iraqi military. They used their own low-sophistication malware disguised as secure chat applications, in addition to malware tools openly available on the Internet.”
In its statement, Facebook did not name Hamas directly, but said that the malicious activity “originated in Palestine and targeted individuals in the same region, including government officials, members of the Fatah political party, student groups and security forces.”
“Our investigation linked this campaign to Arid Viper, a known advanced persistent threat actor. It used sprawling infrastructure to support its operations, including over a hundred websites that either hosted iOS and Android malware, attempted to steal credentials through phishing or acted as command and control servers,” said the statement.