Iran and Hezbollah hackers launch attacks to influence the Israel-Hamas narrative

Hackers from Iran and Hezbollah

Hackers backed by Iran and Hezbollah staged cyberattacks designed to undermine public support for Israel in the Israel-Hamas war that began in October 2023.

This includes destructive attacks against key Israeli organizations, hack-and-leak operations against entities in Israel and the United States, phishing campaigns designed to steal information, and information operations to turn public opinion against Israel.

Iran accounted for nearly 80% of all government-backed phishing activity against Israel in the six months before the October 7 attacks, Google said in a new report.

“Hack-and-leak and intelligence operations remain a key component in the efforts of these and other threat actors to convey intent and capabilities during wartime, both to their adversaries and other audiences they seek to influence,” the technology giant said.

Also noteworthy in the Israel-Hamas conflict is that cyber operations appear to be executed independently of kinetic and battlefield actions, unlike what was observed in the Russia-Ukraine war.

Such cyber capabilities can be rapidly deployed at a lower cost to engage with regional rivals without direct military confrontation, the company added.

One of the Iran-affiliated groups, nicknamed GREATRIFT (also known as UNC4453 or Plaid Rain), is said to have spread malware via a fake “missing persons” site targeting visitors seeking updates on kidnapped Israelis. The threat actor also used blood donation-themed decoy documents as a distribution vector.


At least two hacktivist personas, called Karma and Handala Hack, have deployed wiper malware strains such as BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE and COOLWIPE to stage destructive attacks against Israel, deleting files from Windows and Linux systems, respectively.

Another Iranian hacking group called Charming Kitten (also known as APT42 or CALANQUE) targeted media and non-governmental organizations (NGOs) with a PowerShell backdoor known as POWERPUG as part of a phishing campaign observed between late October and November 2023.

POWERPUG is also the latest addition to the adversary’s long list of backdoors, which includes PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), NokNok, and BASICSTAR.

Hamas-linked groups, on the other hand, targeted Israeli software engineers with coding-related lures in an attempt to trick them into downloading the SysJoker malware weeks before the October 7 attacks. The campaign was attributed to a threat actor named BLACKATOM.

“The attackers […] presented themselves as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for freelance opportunities in software development,” Google said. “Targets included software engineers in the Israeli military, as well as in Israel’s aerospace and defense industries.”

The tech giant described the tactics employed by Hamas cyber actors as simple but effective, highlighting their use of social engineering to deliver remote access trojans and backdoors such as MAGNIFI, which has been linked to BLACKSTEM (aka Molerats), to target users in both Palestine and Israel.

Adding another dimension to these campaigns is the use of spyware targeting Android phones that can collect sensitive information and exfiltrate the data into attacker-controlled infrastructure.

The malware strains, called MOAAZDROID and LOVELYDROID, are the work of Hamas-affiliated actor DESERTVARNISH, also known as Arid Viper, Desert Falcons, Renegade Jackal and UNC718. Details about the spyware were previously documented by Cisco Talos in October 2023.

Iranian state-sponsored groups, such as MYSTICDOME (aka UNC1530), have also been observed targeting mobile devices in Israel with the MYTHDROID (aka AhMyth) Android remote access trojan and a tailor-made intelligence-gathering spyware called SOLODROID.

“MYSTICDOME distributed SOLODROID using Firebase projects that 302-redirected users to the Play Store, where they were prompted to install the spyware,” said Google, which has since removed the apps from the store.

Google also highlighted Android malware called REDRUSE – a trojanized version of the legitimate Red Alert app used in Israel to warn of incoming missile attacks – that exfiltrates contacts, messages and location data. It was propagated via phishing SMS messages impersonating the police.

The ongoing war has also impacted Iran, with its critical infrastructure disrupted by an actor named Gonjeshke Darande (meaning Predatory Sparrow in Persian) in December 2023. The persona is believed to be linked to the Israeli Military Intelligence Directorate.

The findings come as Microsoft revealed that actors aligned with the Iranian government have “launched a series of cyberattacks and influence operations (IOs) intended to help the Hamas cause and weaken Israel and its political allies and trading partners.”

Redmond described their early-stage cyber and influence operations as reactive and opportunistic, also confirming Google’s assessment that attacks have become “increasingly targeted and destructive, and IO campaigns have become increasingly sophisticated and inauthentic” since the outbreak of the war.


In addition to escalating and expanding its attack focus beyond Israel to include countries that Iran perceives as aiding Israel, including Albania, Bahrain and the United States, Microsoft said it has observed collaboration between Iran-affiliated groups such as Pink Sandstorm (aka Agrius) and Hezbollah’s cyber unit.

“Collaboration lowers the barrier to entry by allowing each group to contribute existing capabilities and eliminates the need for a single group to develop a full spectrum of tools or businesses,” said Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC).

Last week, NBC News reported that the United States recently launched a cyberattack against an Iranian naval vessel called the MV Behshad that was gathering intelligence on merchant ships in the Red Sea and Gulf of Aden.

An analysis by Recorded Future last month details how hackers and front groups in Iran are run and managed through a number of Iranian contracting companies, which carry out intelligence and information-gathering operations to “foment instability in targeted countries”.

“While Iranian groups rushed to conduct, or simply fabricate, operations in the early days of the war, Iranian groups have slowed their recent operations, allowing them more time to gain desired access or develop more elaborate influence operations,” Microsoft concluded.
