Hamas Affiliates Attacking Israel

Uploaded on 2024-11-21 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW

A cyber attacking group affiliated to Hamas has expanded their malicious cyber operations and is using disruptive attacks that focus on Israel. 

Groups thought to be associated with Hamas, Hezbollah and Iran have been active for years, running operations ranging from cyber espionage and data theft to hack-and-leak operations, as well as the attacking of industrial control facilities

And now the activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt according to analysis by Check Point

Check Point's researchers have been closely tracking a significant cyber campaign led by the WIRTE group, an Advanced Persistent Threat (APT) originating from the Middle East with connections to Gaza Cybergang, a cluster affiliated with Hamas. Active since at least 2018, the covert organisation has gained notoriety for its politically driven cyber-espionage activities, focusing on intelligence gathering that likely ties into the complexities of regional geopolitical conflicts.  "The Israel-Hamas conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," said Check Point. 

"In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel."

WIRTE is the name assigned to a Middle Eastern Advanced Persistent Threat (APT) group that has been active since  2018, targeting a broad spectrum of entities across the region. It was first written about by the Spanish cyber security company S2 Grupo. The hacking group is assessed to be part of a politically motivated group called the Gaza Cyber Gang also known as TA402, which is known for using tools like BarbWire, IronWind, and Pierogi in its attack campaigns. "This cluster's activity has persisted throughout the war in Gaza," the Israeli company said. "On one hand, the group's ongoing activity strengthens its affiliation with Hamas; on the other hand, it complicates the geographical attribution of this activity specifically to Gaza."

WIRTE's activities in 2024 have been found to exploit the geopolitical tensions in the Middle East and the war to craft deceptive RAR archive lures that lead to the deployment of the Havoc post-exploitation framework. RAR is a proprietary archive file format that supports data compression, error correction and file spanning. Alternate chains observed prior to September 2024 have leveraged similar RAR archives to deliver the IronWind downloader.

These infection sequences employ a legitimate executable to sideload the malware-laced DLL and display to the victim the decoy PDF document.

Sideloading is the process of installing apps on a device that aren't from the official app store. This is typically done on a rooted Android device or a jailbroken iOS device.Sideloading can be used to customize applications beyond the limitations set by the official app store, and to install applications even without internet connectivity.

Check Point have also reported a phishing campaign which targeted several Israeli organisations, including hospitals and municipalities, in which emails were sent from a legitimate address belonging to cyber security company ESET's partner in Israel. "The email contained a newly created version of the SameCoin Wiper, which was deployed in attacks against Israel earlier this year," it said.  In addition to minor changes in the malware, the newer version introduces a unique encryption function that has only been found in a newer IronWind loader variant.

In addition to overwriting files with random bytes, the most recent version of the SameCoin wiper modifies the victim system's background to display an image bearing the name of Al-Qassam Brigades, the military wing of Hamas. 

SameCoin is a bespoke wiper that was uncovered in February 2024 as used by a Hamas-affiliated threat actor to sabotage Windows and Android devices. The malware was distributed under the guise of a security update.

CheckPoint   |   CheckPoint   |    Cloudflare   |   Hacker News   |    Lab52   |    Malware Insight   |   CyberScoop       

Image:  Michael Piepgras

You Might Also Read:

Israel-Hamas Conflict: The Escalation Of Cyberwarfare:   

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Using AI In Classrooms Is A Test Of Public Trust
The Importance Of Cyber Security In Safeguarding E-Commerce Businesses »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

InfoSec World

InfoSec World

InfoSec World conference and expo covers all aspects of information security with a broad agenda of sessions on key security issues.

MBL Technologies

MBL Technologies

MBL Technologies specializes in information assurance, enterprise security, privacy, and program/project management.

J2 Software

J2 Software

J2 Software is a leading African Information Security and ICT business providing information security, governance, risk and compliance solutions.

Information Systems Security Partners (ISSP)

Information Systems Security Partners (ISSP)

ISSP is a specialized system integrator focused on the information security needs of its corporate clients and providing best in class products and services for securing organizational information.

Open Connectivity Foundation (OCF)

Open Connectivity Foundation (OCF)

OCF is dedicated to ensuring secure interoperability ensuring secure interoperability of IoT for consumers, businesses and industries.

SlowMist

SlowMist

SlowMist is a blockchain ecosystem security company providing cybersecurity audits and protection for leading digital asset exchanges, crypto wallets, public chains, and smart contracts.

German Israeli Partnership Accelerator (GIPA)

German Israeli Partnership Accelerator (GIPA)

GIPA is based on two pillars: it is an incubator aimed at young academics and a program to transfer cybersecurity expertise to corporate partners.

CYDES

CYDES

CYDES is the first event in Malaysia to showcase advanced solutions and technologies to address cyber defence and cyber security challenges for the public and private sectors.

Secura B.V.

Secura B.V.

Secura is an independent specialized cybersecurity expert, providing insights to protect valuable assets and data.

Securosys

Securosys

Securosys is a technology company dedicated to securing data and communications. We develop, produce, and distribute hardware, software and services that protect and verify data and their transmission

3i Infotech

3i Infotech

3i Infotech offers consulting & professional services to assess, design and build next gen IT infrastructure, and managed services to operate, optimize and continuously improve.

Oxford Internet Institute - University of Oxford

Oxford Internet Institute - University of Oxford

The Oxford Internet Institute is a multidisciplinary research and teaching department of the University of Oxford, dedicated to the social science of the Internet.

GoPro Consultants

GoPro Consultants

GoPro Consultants is an IT Consultancy and IT Managed services provider Globally with immeasurable expertise of IT professionals in Hardware/Support & Consultancy and Project Planning.

Conceal

Conceal

Conceal’s mission is to stop ransomware and credential theft for companies of all sizes by developing innovative solutions that provide social engineering protection in any browser.

Canadian Cyber Threat Exchange (CCTX)

Canadian Cyber Threat Exchange (CCTX)

The CCTX is Canada’s not-for-profit, private-sector cyber threat sharing hub and collaboration centre.

Blue Goat Cyber

Blue Goat Cyber

Blue Goat stands at the forefront of cybersecurity, particularly in medical device security and penetration testing.