Hamas Affiliates Attacking Israel

A cyber attack group affiliated with Hamas has expanded its malicious cyber operations and is now running disruptive attacks focused on Israel.

Groups thought to be associated with Hamas, Hezbollah and Iran have been active for years, running operations ranging from cyber espionage and data theft to hack-and-leak operations, as well as attacks on industrial control facilities.

Now the activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia and Egypt, according to analysis by Check Point.

Check Point's researchers have been closely tracking a significant cyber campaign led by the WIRTE group, an Advanced Persistent Threat (APT) originating from the Middle East with connections to Gaza Cybergang, a cluster affiliated with Hamas. Active since at least 2018, the covert organisation has gained notoriety for its politically driven cyber-espionage activities, focusing on intelligence gathering that likely ties into the complexities of regional geopolitical conflicts. "The Israel-Hamas conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," said Check Point.

"In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel."

WIRTE is the name assigned to a Middle Eastern Advanced Persistent Threat (APT) group that has been active since 2018, targeting a broad spectrum of entities across the region. It was first written about by the Spanish cyber security company S2 Grupo. The hacking group is assessed to be part of a politically motivated group called the Gaza Cyber Gang, also known as TA402, which is known for using tools like BarbWire, IronWind and Pierogi in its attack campaigns. "This cluster's activity has persisted throughout the war in Gaza," the Israeli company said. "On one hand, the group's ongoing activity strengthens its affiliation with Hamas; on the other hand, it complicates the geographical attribution of this activity specifically to Gaza."

WIRTE's activities in 2024 have been found to exploit the geopolitical tensions in the Middle East and the war to craft deceptive RAR archive lures that lead to the deployment of the Havoc post-exploitation framework. RAR is a proprietary archive file format that supports data compression, error correction and file spanning. Alternate chains observed prior to September 2024 have leveraged similar RAR archives to deliver the IronWind downloader.

These infection sequences employ a legitimate executable to sideload the malware-laced DLL and display to the victim the decoy PDF document.

Sideloading is the process of installing apps on a device that do not come from the official app store. This is typically done on a rooted Android device or a jailbroken iOS device. Sideloading can be used to customise applications beyond the limitations set by the official app store, and to install applications even without internet connectivity.
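The infection chain described above (RAR lure, a legitimate signed executable loading a malicious DLL dropped beside it, then a decoy PDF) leaves a recognisable trace in endpoint image-load telemetry. The following is an added detection sketch, not code from Check Point or from the reporting above; it assumes Sysmon-style ImageLoad fields and runs over constructed sample records.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records (added example)."""
from dataclasses import dataclass
import ntpath

@dataclass
class ImageLoad:
    process_image: str   # path of the process that loaded the DLL
    loaded_dll: str      # path of the DLL that was loaded
    process_signed: bool # Authenticode status of the process image
    dll_signed: bool     # Authenticode status of the loaded DLL

# Directories a user (or an archive extractor) can write to without admin rights.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """A signed executable running from a user-writable directory that loads an
    unsigned DLL from its own directory matches the side-loading pattern."""
    proc_dir = ntpath.dirname(ev.process_image).lower() + "\\"
    dll_dir = ntpath.dirname(ev.loaded_dll).lower() + "\\"
    same_dir = proc_dir == dll_dir
    user_dir = any(m in proc_dir for m in USER_WRITABLE_MARKERS)
    return same_dir and user_dir and ev.process_signed and not ev.dll_signed

def find_sideload_candidates(events):
    """Return the DLL paths of every record that matches the pattern."""
    return [ev.loaded_dll for ev in events if is_sideload_candidate(ev)]

# Constructed sample telemetry; paths and file names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", True, False),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\Rar$placeholder\report.exe",
              r"C:\Users\victim\AppData\Local\Temp\Rar$placeholder\version.dll",
              True, False),
]

if __name__ == "__main__":
    for dll in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-loading candidate:", dll)
```

Only the third record is flagged: the Program Files case loads an unsigned DLL too, but from a location an unprivileged user cannot normally write to, so it is left for a lower-priority rule.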

Check Point has also reported a phishing campaign that targeted several Israeli organisations, including hospitals and municipalities, in which emails were sent from a legitimate address belonging to cyber security company ESET's partner in Israel. "The email contained a newly created version of the SameCoin Wiper, which was deployed in attacks against Israel earlier this year," it said. In addition to minor changes in the malware, the newer version introduces a unique encryption function that has only been found in a newer IronWind loader variant.

In addition to overwriting files with random bytes, the most recent version of the SameCoin wiper modifies the victim system's background to display an image bearing the name of Al-Qassam Brigades, the military wing of Hamas. 

SameCoin is a bespoke wiper that was uncovered in February 2024 as used by a Hamas-affiliated threat actor to sabotage Windows and Android devices. The malware was distributed under the guise of a security update.

CheckPoint | CheckPoint | Cloudflare | Hacker News | Lab52 | Malware Insight | CyberScoop

Image:  Michael Piepgras
