Molerats/APT-C-37: AT&T Security has found that many reports outlining events in 2019 identified Molerats and APT-C-37 being behind a number of attacks, but because of similarity in their Tactics, Techniques, and Procedures (TTP’s) researchers believe some attacks were attributed incorrectly. Both of these groups target the Middle East and North African region through the use of phishing emails that contain decoy documents in Arabic. Primarily, the documents related to the current political situation in the specific region that was targeted. APT-C-37 is known as the Syrian Electronic Army and has been active since 2015. Molerats has been seen carrying out attacks since 2012 and is believed to be part of the Gaza Hacker Team, specifically Cybergang Group 1. APT-C-37 was attributed to multiple attacks in 2019 as was Molerats. However, the analysis by AT&T speculates that there are enough differences in the attacks that they do not believe either group is behind them at this time.
Analyst Notes
These two groups have similar attack patterns and targets, which makes it harder to attribute specific attacks to either group. In the past, Molerats has been a more active group than APT-C-37 and used more technically advanced attacks that are harder to defend against. Both of these groups are politically motivated and carry out attacks to steal information and work to gain persistence in a network. Groups operating in the same area and having similar attack styles make it harder for researchers to be accurate with their attribution. With a race between researchers to attribute attacks, it is possible we will see more controversy and confusion in the future by attributing threat actors with specific attacks or campaigns.
The full comparison from AT&T can be found here: https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37
