{
	"id": "c11d57cd-6816-4443-bfbd-34674acf1e5e",
	"created_at": "2026-04-06T00:15:39.919053Z",
	"updated_at": "2026-04-10T03:38:03.479566Z",
	"deleted_at": null,
	"sha1_hash": "72ae9a7fd1f730bd86326b53e3565a82be29e9ac",
	"title": "Operation Electric Powder – Who is targeting Israel Electric Company? – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100152,
	"plain_text": "Operation Electric Powder – Who is targeting Israel Electric Company? – ClearSky Cyber Security\r\nPublished: 2017-03-14 · Archived: 2026-04-05 12:58:48 UTC\r\nAttackers have been trying to breach IEC (Israel Electric Company) in a year-long campaign.\r\nFrom April 2016 until at least February 2017, attackers spread malware via fake Facebook profiles and pages, breached websites, and self-hosted and cloud-based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder”.\r\nIsrael Electric Company (also known as Israel Electric Corporation) “is the largest supplier of electrical power in Israel. The IEC builds, maintains, and operates power generation stations, sub-stations, as well as transmission and distribution networks. The company is the sole integrated electric utility in the State of Israel. Its installed generating capacity represents about 75% of the total electricity production capacity in the country.”\r\nIt is notable that the operational level and the technological sophistication of the attackers are not high. They also have a hard time preparing decoy documents and websites in Hebrew and English. Therefore, in most cases a vigilant target should be able to notice the attack and avoid infection. We have no indication that the attacks succeeded in infecting IEC-related computers or stealing information.\r\nCurrently we do not know who is behind Operation Electric Powder or what its objectives are. See further discussion in the Attribution section.\r\nImpersonating Israeli news site\r\nThe attackers registered the domain ynetnewes[.]com (note the extra e) and used it in multiple attacks. This domain impersonates ynetnews.com, the English version of ynet.co.il – one of Israel’s most popular news sites.\r\nCertain pages within the domain would load the legitimate Ynet website:\r\nhttps://www.clearskysec.com/iec/\r\nPage 1 of 13\n\nOthers, which were opened as decoys during malware infection, had content copied from a different news site:\r\nThe URL ynetnewes[.]com/video/Newfilm.html contained an article about Brad Pitt and Marion Cotillard copied from another site. At the bottom was a link saying “Here For Watch It !”:\r\nThe link pointed to goo[.]gl/zxhJxu (Google’s URL shortening service). According to the statistics page, it had been created on September 25, 2016 and had been clicked only 11 times. When clicked, it would redirect to iecr[.]co/info/index_info.php.\r\nWe do not know what content the final URL served. We estimate that it served malware. The domain iecr[.]co was used as a command and control server for other malware in this campaign.\r\nAnother URL, http://ynetnewes[.]com/resources/assets/downloads/svchost.exe, hosted a malware file named program_stream_film_for_watch.exe (d020b08f5a6aef1f1072133d11f919f8).\r\nFake Facebook profile – Linda Santos\r\nOne of the above-mentioned malicious URLs was spread via comments by a fake Facebook profile – Linda Santos (no longer available):\r\nIn September 2016, the fake profile commented on posts by Israel Electric Company:\r\nThe profile had dozens of friends, almost all of whom were IEC employees:\r\nThe fake profile was following only three pages, one of which was the IEC official page:\r\nPokemon Go Facebook page\r\nIn July 2016, when the mobile game “Pokemon Go” was at the peak of its popularity, the attackers created a Facebook page impersonating the official Pokemon Go page:\r\nThe page, which is no longer available, had about one hundred followers – most were Arab Israelis and some were Jewish Israelis.\r\nOnly one post was published, with text in English and Hebrew. Grammatical mistakes indicate that the attackers are not native speakers of either language:\r\nThe post linked to a malicious website hosted on yolasite.com (a legitimate website building and hosting platform):\r\npokemonisrael.yolasite[.]com\r\nThe button – “להורדה טלפון ומחשב” (literal translation – “To download phone and computer”) – linked to a zip file on another website:\r\nhttp://iec-co-il[.]com/iec/electricity/Pokemon-PC.zip\r\nNote that the domain being impersonated is that of Israel Electric Company’s website (iec.co.il).\r\nPokemon-PC.zip (40303cd6abe7004659ca3447767e4eb7) contained Pokemon-PC.exe (e45119a72677ed15ee0f04ef936a9803), which at runtime drops monitar.exe (d3e0b129bad263e6c0dcb1a9da55978b):\r\nAndroid phone malware\r\nThe attackers also distributed a malicious app for Android devices – pokemon.apk (3137448e0cb7ad83c433a27b6dbfb090). This malware also had characteristics that impersonate IEC, such as the package name:\r\nThe application is a dropper that extracts and installs spyware. The dropper does not ask for any permission during installation:\r\nHowever, when the spyware is installed, it asks for multiple sensitive permissions:\r\nThe victim ends up with two applications installed on their device. The dropper, pretending to be a Pokemon Go app, adds an icon to the phone’s home screen. However, it does not have any functionality, and when clicked, this error message is displayed:\r\nError 505\r\nSorry, this version is not compatible with your android version.\r\nThe dropper does not actually check which Android version is installed:\r\nThe message is intended to make the victim believe that the Pokemon game does not work because of compatibility issues.\r\nThe victim is likely to uninstall the application at this point. However, because a second application was installed, the phone remains infected unless that one is uninstalled as well.\r\nWebsites for malware distribution\r\nMalware was also hosted on legitimate but breached Israeli websites, such as this educational website:\r\nhttp://www.bagrut3.org[.]il/upload/edu_shlishit/passwordlist.exe (defc340825cf56f18b5ba688e6695e68)\r\nand a small law firm’s website:\r\nhttp://sheinin[.]co.il/MyPhoto.zip (650fcd25a917b37485c48616f6e17712)\r\nOn journey-in-israel[.]com, the attackers inserted exploit code for CVE-2014-6332 – a Windows code execution vulnerability. The exploit was copied from an online source (linked in the original report), as the code included the same comments. The website also hosted this malware: afd5288d9aeb0c3ef7b37becb7ed4d5c.\r\nIn other cases, the attackers registered and built malicious websites: users-management[.]com and sourcefarge[.]net (similar to the legitimate software website sourceforge.net). The latter redirected to journey-in-israel[.]com and iec-co-il[.]com in May and July 2016, according to PassiveTotal:\r\nSample 24befa319fd96dea587f82eb945f5d2a, potentially only a test file, is a self-extracting archive (SFX) that contains two files: a legitimate PuTTY installer and link.html:\r\nWhen run, it installs PuTTY while the HTML file is opened in a browser and redirects to http://tinyurl[.]com/jerhz2a and then to http://users-management[.]com/info/index_info.php?id=9775. The last page 302-redirects to the website of Mafil, an Israeli office supply company:\r\nSample f6d5b8d58079c5a008f7629bdd77ba7f, also a self-extracting archive, contained a decoy PDF document and a backdoor:\r\nThe PDF, named IEC.pdf, is a warranty document taken from Mafil’s public website. It is displayed to the victim while the malware (6aeb71d05a2f9b7c52ec06d65d838e82) infects their computer:\r\nWindows malware\r\nThe attackers developed three malware types for Windows-based computers:\r\nDropper – self-extracting archives that extract and run the backdoor, sometimes while opening a decoy PDF document or website. (For example: 6fa869f17b703a1282b8f386d0d87bd4)\r\nTrojan backdoor / downloader – malware that collects information about the system and can download and execute other files. (909125d1de7ac584c15f81a34262846f) Some samples had two hardcoded command and control servers: iecrs[.]co and iecr[.]co (note once again the use of IEC in the domain name).\r\nKeylogger / screen grabber – records keystrokes and takes screenshots. The malware file is compiled Python code. (d3e0b129bad263e6c0dcb1a9da55978b)\r\nAn analysis of the malware and other parts of the campaign was published by McAfee on November 11, 2016.\r\nThe latest known sample in this campaign (7ceac3389a5c97a3008aae9a270c706a) has a compilation timestamp of February 12, 2017. It is dropped when “pdf file products israel electric.exe” (c13c566b079258bf0782d9fb64612529) is executed.\r\nAttribution\r\nIn a report that covers other parts of the campaign, McAfee attributes it to Gaza Cybergang (AKA Gaza Hacker Team, AKA Molerats). However, the report does not present strong evidence to support this conclusion. While initially we thought the same, currently we cannot relate Operation Electric Powder to any known group.\r\nMoreover, besides Mohammed potentially being the name of the malware developer (based on a PDB string found in multiple samples: C:\\Users\\Mohammed.MU\\Desktop\\AM\\programming\\C\\tsDownloader\\Release\\tsDownloader.pdb), we do not have evidence that the attackers are Arabs.\r\nIndicators of compromise\r\nIndicators file: Operation-Electric-Powder-indicators.csv (also available on PassiveTotal).\r\nNotably, all but one of the IP addresses in use by the attackers belong to the German IT services provider “Accelerated IT Services GmbH” (AS31400).\r\nFlorian Roth shared a YARA rule to detect the downloader: Operation-Electric-Powder-yara.txt\r\nThe graph below depicts the campaign infrastructure (click the image to see the full graph):\r\nLive samples can be downloaded from the following link:\r\nhttps://ln.sync[.]com/dl/30e722bf0#f72zgiwk-zxcp3e9t-fa9jyakr-zpbf5hgg\r\n(Please email info@clearskysec.com to get the password.)\r\nAcknowledgments\r\nThis research was facilitated by PassiveTotal for threat infrastructure analysis, and by MalNet for malware research.\r\nSource: https://www.clearskysec.com/iec/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.clearskysec.com/iec/"
	],
	"report_names": [
		"iec"
	],
	"threat_actors": [
		{
			"id": "cd402658-d63c-40bc-b6ce-bb3d742904c5",
			"created_at": "2023-12-01T02:02:33.960041Z",
			"updated_at": "2026-04-10T02:00:04.804676Z",
			"deleted_at": null,
			"main_name": "Operation Electric Powder",
			"aliases": [],
			"source_name": "ETDA:Operation Electric Powder",
			"tools": [
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72ae9a7fd1f730bd86326b53e3565a82be29e9ac.pdf",
		"text": "https://archive.orkl.eu/72ae9a7fd1f730bd86326b53e3565a82be29e9ac.txt",
		"img": "https://archive.orkl.eu/72ae9a7fd1f730bd86326b53e3565a82be29e9ac.jpg"
	}
}