Hamas Hackers Spy on Mideast Govts, Disrupt Israel

Published: 23/11/2024 | Category: security




APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.



A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.
Wirte is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas's political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.
In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.
Wirte's attacks are not particularly novel or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.
To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory rather than on disk, where it might otherwise be spotted by antivirus software.
In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework Havoc. Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.
In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called SameCoin.
Last month, Wirte spoofed the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website of Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so the connection served as a geofence check: only if the redirection succeeded would the attack proceed.
Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.
Wirte's spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be in Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this targeting has remained consistent over its half-dozen-year history.
Where Wirte has evolved somewhat is in its approach to Israel. In this way, it has mirrored other Palestinian threat actors.
"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.
"Now, it has become more and more about making [breaches] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."