Hamas Affiliates Attacking Israel

A cyber attack group affiliated with Hamas has expanded its malicious cyber operations and is now conducting disruptive attacks focused on Israel.

Groups thought to be associated with Hamas, Hezbollah and Iran have been active for years, running operations ranging from cyber espionage and data theft to hack-and-leak campaigns and attacks on industrial control facilities.

Now the activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia and Egypt, according to analysis by Check Point.

Check Point's researchers have been closely tracking a significant cyber campaign run by the WIRTE group, an Advanced Persistent Threat (APT) originating from the Middle East with connections to Gaza Cybergang, a cluster affiliated with Hamas. Active since at least 2018, the group has gained notoriety for politically driven cyber espionage focused on intelligence gathering that likely feeds into the region's geopolitical conflicts. "The Israel-Hamas conflict has not disrupted WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," said Check Point.

"In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel."

WIRTE is the name assigned to a Middle Eastern APT group, active since 2018, that targets a broad spectrum of entities across the region. It was first documented by the Spanish cyber security company S2 Grupo. The group is assessed to be part of the politically motivated Gaza Cybergang, also tracked as TA402, which is known for using tools such as BarbWire, IronWind and Pierogi in its campaigns. "This cluster's activity has persisted throughout the war in Gaza," the Israeli company said. "On one hand, the group's ongoing activity strengthens its affiliation with Hamas; on the other hand, it complicates the geographical attribution of this activity specifically to Gaza."

WIRTE's 2024 activity exploits the geopolitical tensions in the Middle East, and the war in particular, to craft deceptive RAR archive lures that lead to deployment of the Havoc post-exploitation framework. (RAR is a proprietary archive format that supports compression, error-correction records and spanning an archive across multiple volumes.) Alternate chains observed before September 2024 used similar RAR archives to deliver the IronWind downloader instead.

These infection sequences use a legitimate executable to sideload the malware-laced DLL while displaying a decoy PDF document to the victim.

In this context, sideloading means DLL sideloading, not the consumer sense of installing apps from outside an official app store. The attacker drops a malicious DLL next to a legitimate, typically signed, executable and gives it the name of a library that executable loads by name. When the executable starts, Windows resolves that library from the application's own directory before the system directories, so the malicious code runs inside a trusted, signed process while the decoy document keeps the victim's attention.
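The archive-lure pattern described above (a legitimate executable, a DLL it will load from its own folder, and a decoy document) is something a triage analyst can check for mechanically. The following Python is an added example written for this page; it is not code from the article or from Check Point, and it is not tied to any specific WIRTE sample. It builds a constructed sample archive in memory with zipfile, since the standard library cannot read RAR, but the listing-based checks apply unchanged to a RAR listing obtained from, for example, `unrar l`. The DLL watch-list is an illustrative set of library names that are frequently abused for search-order hijacking and is an assumption, not a list attributed to WIRTE.

```python
"""Triage an archive listing for the DLL side-loading pattern:
a legitimate-looking executable, a hijackable DLL in the same folder,
and a decoy document shown to the victim.

Added example, not code from the article or from Check Point.
"""
import io
import posixpath
import zipfile
from dataclasses import dataclass, field

# Illustrative (assumed) watch-list: DLLs that many signed executables resolve
# by name, and which Windows looks for in the application directory first.
COMMONLY_HIJACKED_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "uxtheme.dll",
    "dwmapi.dll", "cryptbase.dll", "profapi.dll", "userenv.dll",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".lnk"}


@dataclass
class TriageResult:
    executables: list = field(default_factory=list)
    dlls: list = field(default_factory=list)
    decoys: list = field(default_factory=list)
    colocated_hijackable: list = field(default_factory=list)
    verdict: str = "benign-looking"


def triage_listing(names: list) -> TriageResult:
    """Classify archive entries and flag a hijackable DLL sitting in the
    same folder as an executable (the side-loading precondition)."""
    res = TriageResult()
    for name in names:
        if name.endswith("/"):
            continue  # directory entry, nothing to classify
        base = posixpath.basename(name).lower()
        ext = posixpath.splitext(base)[1]
        if ext in EXECUTABLE_EXTS:
            res.executables.append(name)
        elif ext == ".dll":
            res.dlls.append(name)
        elif ext in DECOY_EXTS:
            res.decoys.append(name)

    exe_dirs = {posixpath.dirname(e) for e in res.executables}
    for dll in res.dlls:
        same_folder = posixpath.dirname(dll) in exe_dirs
        watched = posixpath.basename(dll).lower() in COMMONLY_HIJACKED_DLLS
        if same_folder and watched:
            res.colocated_hijackable.append(dll)

    if res.colocated_hijackable and res.decoys:
        res.verdict = "suspicious: exe + hijackable dll + decoy document in same folder"
    elif res.colocated_hijackable:
        res.verdict = "suspicious: exe + hijackable dll in same folder"
    return res


def triage_zip_bytes(data: bytes) -> TriageResult:
    """Run the listing triage over an in-memory ZIP (stand-in for a RAR)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return triage_listing(zf.namelist())


def build_sample_lure() -> bytes:
    """Constructed sample archive that mimics the pattern; no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report/Report.exe", b"MZ" + b"\0" * 62)    # stand-in for a signed exe
        zf.writestr("Report/version.dll", b"MZ" + b"\0" * 62)   # stand-in for the malicious DLL
        zf.writestr("Report/Report.pdf", b"%PDF-1.4\n%%EOF\n")  # decoy document
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip_bytes(build_sample_lure())
    print(result.verdict, result.colocated_hijackable)
```

The check is deliberately structural: it does not need to parse the PE files or know the specific payload, only that an executable and a library it would resolve by name have been packed into the same folder alongside a document. Treat a hit as a reason to detonate or reverse the sample, not as a conviction; legitimate portable applications ship DLLs next to their executables too.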

Check Point has also reported a phishing campaign that targeted several Israeli organisations, including hospitals and municipalities, in which the emails were sent from a legitimate address belonging to the Israeli partner of cyber security company ESET. "The email contained a newly created version of the SameCoin Wiper, which was deployed in attacks against Israel earlier this year," it said. Beyond minor changes to the malware, the newer version introduces a unique encryption function that has previously been seen only in a newer IronWind loader variant.

In addition to overwriting files with random bytes, the most recent version of the SameCoin wiper changes the victim system's desktop background to an image bearing the name of the Al-Qassam Brigades, the military wing of Hamas.

SameCoin is a bespoke wiper, uncovered in February 2024, that a Hamas-affiliated threat actor used to sabotage Windows and Android devices. It was distributed under the guise of a security update.
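A wiper that overwrites files with random bytes leaves a recognisable forensic signature: the file no longer begins with the header its extension implies, and its contents have near-maximal byte entropy. The Python below is an added example for this page, not code from the article or from Check Point, and not derived from any SameCoin artefact. It scores files on both properties at once, because legitimately compressed or encrypted files are also high-entropy but still carry their own headers. The sample files are constructed in memory; the entropy threshold and the magic-number table are assumptions for illustration.

```python
"""Forensic triage for wiper damage: flag files whose expected header is gone
AND whose leading bytes look random (overwritten with random data).

Added example, not code from the article or from Check Point.
"""
import math
import posixpath
import random
from collections import Counter

# Expected leading bytes for a few common types (illustrative, assumed table).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".exe": b"MZ",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random data approaches 8.0 (assumed cut-off)
SAMPLE_SIZE = 4096        # bytes examined from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(name: str, data: bytes) -> bool:
    """True when the data starts with the magic expected for the extension,
    or when the extension is not in the table (unknown types are not judged)."""
    ext = posixpath.splitext(name.lower())[1]
    magic = MAGIC.get(ext)
    return magic is None or data.startswith(magic)


def looks_wiped(name: str, data: bytes) -> bool:
    """Require BOTH a missing header and random-looking content, so that
    compressed or encrypted files with intact headers are not flagged."""
    head = data[:SAMPLE_SIZE]
    return (not header_matches(name, head)) and shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(files: dict) -> list:
    """Return the sorted names of files that look wiped, from {name: bytes}."""
    return sorted(name for name, data in files.items() if looks_wiped(name, data))


def build_samples() -> dict:
    """Constructed corpus: an intact PDF, a docx-like file with a real header
    but high-entropy (compressed) body, and a PDF overwritten with random bytes."""
    rng = random.Random(2024)  # fixed seed so the run is reproducible
    intact_pdf = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50
    intact_docx = b"PK\x03\x04" + rng.randbytes(4000)  # header intact, body compressed
    wiped_pdf = rng.randbytes(4096)                      # header destroyed by the overwrite
    return {"budget.pdf": intact_pdf, "memo.docx": intact_docx, "minutes.pdf": wiped_pdf}


if __name__ == "__main__":
    print(triage(build_samples()))  # -> ['minutes.pdf']
```

Run over a mounted image or a recovered share, this separates files that were actually overwritten from files that are merely unreadable for other reasons, which matters when deciding what can be restored from backup versus what needs deeper recovery. Files of types not in the table are never flagged, so extend the table for the document types in your environment rather than lowering the entropy threshold.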

Sources:   Check Point   |   Cloudflare   |   Hacker News   |   Lab52   |   Malware Insight   |   CyberScoop

Image:  Michael Piepgras
