Hamas cyberattacks ceased after the October 7 terrorist attack. But why?

Hamas-linked cyber threat actors appear to have ceased activity following the terrorist attack in Israel on October 7, confounding experts.

Combined warfare is old news in 2024. As Mandiant said in a newly released report, cyber operations have become a “tool of first resort” for any nation or nation-aligned group around the world engaged in a protracted conflict, be it political, economic, or warlike in nature. Russia’s invasion of Ukraine – preceded and supported by historic waves of cyber destruction, espionage and disinformation – is, of course, quintessential.

Not so in Gaza. If today’s strategy is to support resource-intensive kinetic warfare with low-risk, low-investment cyber warfare, Hamas has thrown out the book.

“What we saw throughout September 2023 was very typical Hamas-related cyber espionage activity — their activity was very consistent with what we had been seeing for years,” said Kristen Dennesen, threat intelligence analyst for Google's Threat Analysis Group (TAG), at a press conference this week. “That activity continued until just before October 7th – there was no type of change or increase prior to that point. And since that time, we have not seen any significant activity from these actors.”

Failure to escalate cyberattacks before October 7 could be interpreted as strategic. But as for why Hamas (regardless of its supporters) abandoned its cyber operations instead of using them to support its war effort, Dennesen admitted, “We offer no explanation as to why because we don’t know.”

Hamas before October 7: ‘BLACKATOM’

Typical cyberattacks linked to the Hamas nexus include “mass phishing campaigns to spread malware or steal email data,” Dennesen said, as well as mobile spyware in the form of various Android backdoors delivered via phishing. “And finally, in terms of targets: very persistent attacks against Israel, Palestine, their regional neighbors in the Middle East, as well as attacks against the United States and Europe,” she explained.

For a case study on what this looks like, take BLACKATOM, one of three major Hamas-linked threat actors, along with BLACKSTEM (aka MOLERATS, Extreme Jackal) and DESERTVARNISH (aka UNC718, Renegade Jackal, Desert Falcons, Arid Viper).

In September, BLACKATOM launched a social engineering campaign targeting IT engineers in the Israel Defense Forces (IDF), as well as the Israeli defense and aerospace industries.

The ploy involved posing as company employees on LinkedIn and messaging targets with fake freelance job opportunities. After the initial contact, the fake recruiters sent a reminder document with instructions to participate in a coding assessment.

The fake coding assessment required recipients to download a Visual Studio project, disguised as an HR management app, from an attacker-controlled GitHub or Google Drive page. Recipients were then asked to add features to the project to demonstrate their coding skills. Within the project, however, there was a function that secretly downloaded, extracted and executed a malicious ZIP file on the affected computer. Inside the ZIP file: the SysJoker cross-platform backdoor.
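For defenders handed an unsolicited "coding assessment" project like the one described above, a static first pass can flag code that combines download, archive extraction and process launch before the project is opened in an IDE or built. The script below is an added example, not taken from the Mandiant or Google TAG reporting; the API names it searches for are assumed common .NET and Win32 calls (the article does not say which calls the real project used), and the sample files are constructed.

```python
import re
from pathlib import Path

# Assumed indicator families: common .NET / Win32 / PowerShell names.
# The article does not state which APIs the real project used.
FAMILIES = {
    "download": re.compile(r"\b(WebClient|HttpClient|DownloadFile|DownloadData|URLDownloadToFile|InternetOpenUrl)\b"),
    "extract": re.compile(r"\b(ZipFile|ZipArchive|ExtractToDirectory|Expand-Archive)\b"),
    "execute": re.compile(r"\b(Process\.Start|ProcessStartInfo|CreateProcess[AW]?|ShellExecute(Ex)?[AW]?|WinExec)\b"),
}
SOURCE_EXT = {".cs", ".vb", ".cpp", ".c", ".h", ".ps1", ".csproj", ".vcxproj", ".targets", ".props"}

# Constructed sample standing in for an untrusted project (not real malware code).
SAMPLE = {
    "HrApp/Employee.cs": "public class Employee { public string Name; }\n",
    "HrApp/Util/Updater.cs": (
        "var c = new WebClient();\n"
        "c.DownloadFile(url, tmp);\n"
        "ZipFile.ExtractToDirectory(tmp, dir);\n"
        "Process.Start(Path.Combine(dir, name));\n"
    ),
}

def load_project(root):
    """Read source and build files under root as text; nothing is built or run."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SOURCE_EXT:
            files[str(p)] = p.read_text(errors="replace")
    return files

def triage(files):
    """Map each file to the line numbers of its indicator hits, and report
    whether the project as a whole contains download + extract + execute."""
    per_file, seen = {}, set()
    for path, text in files.items():
        hits = {}
        for family, rx in FAMILIES.items():
            lines = [i for i, line in enumerate(text.splitlines(), 1) if rx.search(line)]
            if lines:
                hits[family] = lines
        if hits:
            per_file[path] = hits
            seen.update(hits)
    return {"chain_present": seen == set(FAMILIES), "files": per_file}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to read the flagged lines inside an isolated VM, not a verdict: legitimate updaters use the same calls, and obfuscated code will not match these names.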

“Nothing Like Russia”

It might seem counterintuitive that Hamas’ invasion was not accompanied by a shift in its cyber activity similar to Russia’s model. This may be due to its prioritization of operational security, the secrecy that made the October 7 terrorist attack so surprisingly effective.

Less explainable is why the most recent confirmed Hamas-linked cyber activity, according to Mandiant, occurred on October 4 (Gaza, meanwhile, has suffered significant internet outages in recent months).

“I think the key thing to note is that these are very different conflicts, with very different entities involved,” said Shane Huntley, senior director of Google TAG. “Hamas is nothing like Russia. Therefore it is not surprising that the use of cyber is very different [depending on] the nature of the conflict, between standing armies and some sort of attack like we saw on October 7.”

But Hamas has probably not completely withdrawn its cyber operations. “While the outlook for future cyber operations by Hamas-linked actors is uncertain in the near term, we expect Hamas cyber activity will eventually resume. It should focus on intelligence-gathering espionage on these intra-Palestinian affairs, Israel, the United States and other regional players in the Middle East,” Dennesen noted.


