Estimative Analysis of State-Sponsored Cyber Activity Surrounding the Israel-Hamas War
- Mayan Stegmann
- Oct 25, 2023
- 7 min read

Background
In the modern age, warfare has transcended the physical battlefield and seeped into the shadowy world of cyberspace. The Israel-Hamas conflict, one of the most enduring and volatile geopolitical disputes of our time, is no exception. While the clash between the two sides has played out in the physical realm for decades, it has also given rise to a clandestine digital arena in which over a hundred cyber groups wage an entirely different kind of war.
Beyond the more than 100 cyber actors currently engaged in politically driven hacktivism around the Israeli flashpoint, there remains the possibility of cyber activity from APT groups affiliated with the parties to the conflict.
Key Judgement 1: Hamas-affiliated APT groups will engage in offensive cyber operations and cyber espionage campaigns against Israel.
Key Judgement 2: Hezbollah-affiliated cyber actors will likely conduct cyber espionage operations targeting Israel and its Western allies at the behest of the Iranian Ministry of Intelligence and Security (MOIS) and the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO).
Key Judgement 3: APT groups will conduct state-sponsored operations under the guise of hacktivism surrounding the conflict.
KJ-1: Hamas-affiliated APT groups will engage in offensive cyber operations and cyber espionage campaigns against Israel.
Hamas' cyber wing is publicly assessed to comprise two prolific subgroups: AridViper and Molerats. At the time of writing, no APT activity surrounding the Israel-Hamas conflict has been reported; however, given the prevalence of offensive cyber operations and cyber espionage in recent conflicts, it is estimated with moderate confidence that Hamas will target Israel and its allies on the cyber frontlines.
A report published by Cybereason's Nocturnus team in April 2022 detailed how AridViper (a.k.a. APT-C-23, Desert Falcon, Arid Viper, TAG-63) shifted from targeting predominantly Arabic-speaking individuals to targeting Israeli government officials in a cyber espionage campaign dubbed "Operation Bearded Barbie". The key finding of the report was AridViper's sudden upgrade in malware and tradecraft. Previously, the group had been seen as fairly unsophisticated, relying on common attack vectors and older tools. In this campaign the APT deployed the Barb(ie) Downloader and the BarbWire Backdoor once it had gained initial access to a target through social engineering: operators created fake Facebook profiles, posing as women, to lure Israeli government officials. This is a tactic long employed in espionage, the honeytrap, in which a covert agent uses a romantic or sexual relationship to compromise a target for intelligence.
More recently, researchers from Recorded Future's Insikt Group identified an application, distributed by Hamas via Telegram, used for communication within Hamas' Izz ad-Din al-Qassam Brigades. Through infrastructure analysis, the researchers identified a cluster of domains sharing traits with AridViper's domain registration tradecraft. The report also speculates about a possible nexus between the Hamas-affiliated group and Iranian IRGC cyber actors, following the identification of a subdomain whose name links to Iran through the use of the Farsi words for "attendant" and "director". Current evidence is not sufficient to suggest that AridViper receives direct technological support from Iran.
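Infrastructure pivoting of the kind described above, where a seed domain already attributed to an actor is expanded into a cluster of domains sharing the same registration tradecraft, can be reproduced as a small graph exercise. The block below is an added example written for this page; it is not code from the Recorded Future report or from any of the groups discussed. Every domain, registrar, nameserver, ASN and date in the record set is constructed for illustration and is not a real indicator. The four trait names, the 14-day creation window and the `min_shared` threshold are assumptions of the example, chosen to show how the threshold controls cluster size.

```python
"""Cluster domains by shared registration tradecraft (added example).

All records below are constructed for illustration; none of the domains,
registrars, nameservers or ASNs are real indicators of any threat actor.
"""
from collections import deque
from datetime import date
from typing import Dict, List, Set

# Constructed WHOIS / passive-DNS style records (hypothetical, not real IOCs).
RECORDS: List[Dict] = [
    {"domain": "update-service.example", "registrar": "Registrar-A",
     "ns": {"ns1.dns-x.example", "ns2.dns-x.example"},
     "created": date(2023, 6, 2), "asn": "AS64500"},
    {"domain": "cdn-assets.example", "registrar": "Registrar-A",
     "ns": {"ns1.dns-x.example", "ns2.dns-x.example"},
     "created": date(2023, 6, 5), "asn": "AS64500"},
    {"domain": "app-sync.example", "registrar": "Registrar-A",
     "ns": {"ns1.dns-y.example"},
     "created": date(2023, 6, 4), "asn": "AS64500"},
    {"domain": "news-portal.example", "registrar": "Registrar-B",
     "ns": {"ns1.dns-z.example"},
     "created": date(2021, 1, 10), "asn": "AS64501"},
    {"domain": "shop-online.example", "registrar": "Registrar-B",
     "ns": {"ns1.dns-z.example"},
     "created": date(2022, 9, 1), "asn": "AS64502"},
]

# Assumed: registrations this close together are treated as one "batch".
CREATION_WINDOW_DAYS = 14


def shared_traits(a: Dict, b: Dict, window_days: int = CREATION_WINDOW_DAYS) -> Set[str]:
    """Return the names of the registration traits two records have in common."""
    traits: Set[str] = set()
    if a["registrar"] == b["registrar"]:
        traits.add("registrar")
    if a["ns"] & b["ns"]:                      # any nameserver overlap
        traits.add("nameserver")
    if abs((a["created"] - b["created"]).days) <= window_days:
        traits.add("creation_window")
    if a["asn"] == b["asn"]:
        traits.add("hosting_asn")
    return traits


def cluster(records: List[Dict], min_shared: int = 3) -> List[List[str]]:
    """Group domains into connected components. Two domains are linked when
    they share at least `min_shared` traits; components are returned sorted."""
    by_domain = {r["domain"]: r for r in records}
    domains = list(by_domain)
    adjacency: Dict[str, Set[str]] = {d: set() for d in domains}
    for i, d1 in enumerate(domains):
        for d2 in domains[i + 1:]:
            if len(shared_traits(by_domain[d1], by_domain[d2])) >= min_shared:
                adjacency[d1].add(d2)
                adjacency[d2].add(d1)
    seen: Set[str] = set()
    clusters: List[List[str]] = []
    for start in domains:               # breadth-first walk over each component
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            cur = queue.popleft()
            component.append(cur)
            for nxt in adjacency[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        clusters.append(sorted(component))
    return sorted(clusters)


def pivot(seed: str, records: List[Dict], min_shared: int = 3) -> List[str]:
    """From a domain already attributed to an actor, return every domain that
    lands in the same tradecraft cluster (the seed included)."""
    for component in cluster(records, min_shared):
        if seed in component:
            return component
    return [seed]


if __name__ == "__main__":
    for threshold in (2, 3):
        print(f"min_shared={threshold}: {cluster(RECORDS, threshold)}")
    print("pivot from update-service.example:", pivot("update-service.example", RECORDS))
```

Lowering `min_shared` to 2 merges the two Registrar-B domains on registrar plus nameserver alone, which is usually too weak a link (shared commodity registrars and DNS providers are common to unrelated sites); requiring three traits keeps only the batch registered within days of each other on the same hosting ASN. In practice, weight the traits rather than counting them, and treat a shared privacy-protection registrant as no evidence at all.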
Molerats (a.k.a. Gaza Hackers Team, Gaza Cybergang, Operation Molerats, Extreme Jackal, Moonlight, ALUMINUM SARATOGA, G0021) is a Hamas-affiliated APT group known to have been active since at least 2012. Between 2020 and 2021, the group conducted phishing campaigns themed around contemporary geopolitical events in the Middle East. Molerats is known to target Middle Eastern states, predominantly Israel and the Palestinian territories, though not exclusively.
Cybereason's Nocturnus team has also noted suspected ties between Molerats and AridViper, based on the similar targeting of their respective campaigns.
Given the state of conflict between Israeli forces and Hamas, it is highly likely that Hamas will engage in cyber espionage - and potential offensive cyber operations - against Israeli targets.
KJ-2: Iran will conduct cyber espionage by proxy through Hezbollah-affiliated APT groups.
Given Hezbollah's well-documented position within Iran's proxy network, it is estimated with low confidence that Hezbollah-affiliated APT groups will engage in cyber espionage operations against Israel and its Western allies, surrounding the Israeli flashpoint, at the behest of Iran's Ministry of Intelligence and Security (MOIS) and the Intelligence Organization of the Islamic Revolutionary Guard Corps (IRGC-IO).
The two most prominent groups Tehran would most likely use for such activity are the Lebanese threat actors POLONIUM and Lebanese Cedar.
POLONIUM, a group on which there is very little public knowledge, was first disclosed by the Microsoft Threat Intelligence Center (MSTIC) in June 2022. MSTIC had tracked POLONIUM's cyber espionage campaign since February 2022, during which the group targeted Israel's manufacturing, IT, and defence industries. Over the course of this campaign, the group was observed using TTPs shared with APT groups attributed to Iran's MOIS.
POLONIUM was seen targeting the same unique victims previously compromised by the Iranian APT MuddyWater (a.k.a. MERCURY, Static Kitten, Seedworm, COBALT ULSTER, G0069). This suggests a potential convergence of mission requirements with the MOIS, in which MuddyWater would provide POLONIUM with access to target organisations for follow-on action.
POLONIUM's use of OneDrive for command and control (C2) is similar in nature to LYCEUM's use of cloud services, including OneDrive, for C2 and data exfiltration.
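Because C2 over OneDrive, or any other sanctioned cloud service, blends into traffic the estate already trusts, blocking the destination is rarely an option and one practical detection angle is timing rather than destination: an implant polling a cloud API on a fixed interval produces far more regular inter-request gaps than a human or a sync client driven by user activity. The block below is an added example written for this page, not tooling from the MSTIC report or anything attributed to POLONIUM or LYCEUM. The proxy log lines, IPs, hosts, user agents and timings are constructed; the list of cloud-storage domains and the coefficient-of-variation threshold are assumptions to be tuned against a real baseline.

```python
"""Flag hosts beaconing to cloud-storage services on a fixed interval (added example).

The proxy log below is constructed; the IPs, user agents and timings are not
derived from any real intrusion.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed watch-list of cloud-storage endpoints; extend for your environment.
CLOUD_STORAGE_SUFFIXES = (
    "onedrive.com", "onedrive.live.com", "1drv.ms",
    "graph.microsoft.com", "sharepoint.com",
)

# Constructed proxy log, one event per line:
# "<ISO timestamp> <src_ip> <dst_host> <user_agent> <bytes>"  (deliberately unordered)
SAMPLE_LOG = """\
2023-10-20T09:00:00 10.0.0.5 graph.microsoft.com python-requests/2.31 512
2023-10-20T09:00:12 10.0.0.7 onedrive.live.com Mozilla/5.0 20480
2023-10-20T09:05:03 10.0.0.5 graph.microsoft.com python-requests/2.31 498
2023-10-20T09:00:59 10.0.0.7 onedrive.live.com Mozilla/5.0 1024
2023-10-20T09:10:01 10.0.0.5 graph.microsoft.com python-requests/2.31 505
2023-10-20T09:14:58 10.0.0.5 graph.microsoft.com python-requests/2.31 511
2023-10-20T09:15:59 10.0.0.7 onedrive.live.com Mozilla/5.0 3072
2023-10-20T09:20:02 10.0.0.5 graph.microsoft.com python-requests/2.31 499
2023-10-20T09:20:59 10.0.0.7 onedrive.live.com Mozilla/5.0 40960
2023-10-20T09:21:59 10.0.0.7 onedrive.live.com Mozilla/5.0 1536
2023-10-20T09:25:00 10.0.0.5 graph.microsoft.com python-requests/2.31 503
2023-10-20T09:29:59 10.0.0.5 graph.microsoft.com python-requests/2.31 507
2023-10-20T09:35:01 10.0.0.5 graph.microsoft.com python-requests/2.31 500
2023-10-20T09:50:59 10.0.0.7 onedrive.live.com Mozilla/5.0 2048
2023-10-20T09:40:00 10.0.0.9 www.example.com Mozilla/5.0 8192
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed five-field format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, ua, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "host": host, "ua": ua, "bytes": int(size)})
    return events


def is_cloud_storage(host: str) -> bool:
    """True when the destination is on the cloud-storage watch-list (exact or subdomain)."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def find_beacons(events: List[Dict], min_requests: int = 5, max_cv: float = 0.15) -> List[Dict]:
    """Return (src, host) pairs whose request timing is suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive requests; a fixed-interval poller scores near zero,
    human-driven or event-driven traffic scores well above the threshold.
    """
    groups: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for e in events:
        if is_cloud_storage(e["host"]):
            groups[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in groups.items():
        if len(evs) < min_requests:            # too few samples to judge periodicity
            continue
        evs.sort(key=lambda e: e["ts"])         # logs are rarely delivered in order
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"src": src, "host": host, "requests": len(evs),
                           "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                           "user_agents": sorted({e["ua"] for e in evs})})
    return sorted(alerts, key=lambda a: (a["src"], a["host"]))


if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data the 10.0.0.5 host, polling graph.microsoft.com roughly every 300 seconds, is flagged, while 10.0.0.7's bursty OneDrive browsing is not. Treat this as a triage heuristic rather than a verdict: legitimate Microsoft 365 clients also poll graph.microsoft.com on timers, so the hit needs process and user-agent context before it means anything, and an implant that adds jitter to its sleep will push the coefficient of variation above a tight threshold, which is why `max_cv` should be set from your own baseline rather than taken from this example.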
Further supporting the theory of POLONIUM's cooperation with the MOIS, the group was observed using AirVPN for its operational activity. AirVPN is also the VPN of choice for the Iranian APT group CopyKittens.
From what little public information there is on POLONIUM, the available indicators point to the group either working in collaboration with Iranian APT groups or directly carrying out tasks at their behest, making POLONIUM a prime contender for executing Iranian foreign policy on the cyber frontlines of the Israel-Palestine conflict.
Lebanese Cedar (a.k.a. Volatile Cedar, DeftTorero) first appeared in 2015, in a report published by Check Point. Until 2021 no further intelligence on the group had been shared with the cyber security community. Most recently, the group embarked on a year-long intrusion campaign, between 2020 and 2021, targeting telecommunications companies and internet service providers, including in Western nations. In a report published by the Israeli cyber security firm ClearSky, at least 250 public-facing web servers were reported compromised by the group. Lebanese Cedar's trademark is the use of a custom version of the Explosive Remote Access Trojan (RAT).
On the available reporting, Lebanese Cedar appears to operate almost solely under the IRGC's mandate.
Intelligence reports[1][2] have detailed Tehran's influence over Lebanese cyber operations, with some reports revealing Iran's direct involvement in establishing Hezbollah's cyber units under a counterintelligence mandate. By providing training and support to Hezbollah-affiliated cyber actors, Iran further pushes its foreign policy by proxy and keeps Hezbollah on a tight leash. With Hezbollah conducting cyber operations on behalf of the MOIS and IRGC, Tehran retains plausible deniability for any offensive action against foreign states or organisations: by distancing itself from Hezbollah's cyber activities, Iran reduces the likelihood that foreign powers will retaliate against it for cyber attacks initiated from Lebanon.
KJ-3: APT groups will conduct state-sponsored operations under the guise of hacktivism surrounding the conflict.
Since the conflict erupted on 7 October, more than 100 cyber actors have been active in hacktivism campaigns, roughly 70% of them pro-Palestine. The majority of these groups are not geographically attributable to Israel or Palestine.
The surge in hacktivism surrounding the conflict provides state-sponsored groups affiliated with Iran, Hamas, and Hezbollah with perfect cover for conducting offensive cyber operations against Israel and its allies under hacktivist personas. Given the widespread support for Palestine within the hacktivist community, Hamas and its allies are able to exploit the fog of cyber war to target Israel and Western states with offensive cyber operations and cyber espionage.
It is worth noting that, although there has been no evidence of state-sponsored APTs operating under hacktivist personas since the start of the flashpoint, this would be a very suitable cover for potential cyber activity. The use of hacktivism as a cover for state-sponsored activity is nothing new. The most notable case was the North Korean state-sponsored Lazarus Group's attack on Sony Pictures in 2014, for which the actors claimed responsibility under the persona "Guardians of Peace".
The Iranian APT tracked by Secureworks as COBALT SAPLING has been known to target Israel under the hacktivist personas "Moses Staff" and "Abraham's Ax". If Iran were to engage in cyber operations under the guise of hacktivism, this group would most likely be behind the activity. Iran is also known to employ private contractors to execute cyber actions against foreign targets.
If Hamas and Hezbollah did adopt such covers, Hamas would most likely operate under the guise of Palestinian-based hacktivists, whilst Hezbollah might employ the cover of Lebanese-based groups.
Anonymous Sudan is arguably the most notable hacktivist group active in the conflict between Israel and Hamas. Several reports have suggested that the group is in fact operating at the behest of the Russia-aligned hacktivist collective Killnet, and that its modus operandi, communications, and affiliations all point to a link with the Russian state. Anonymous Sudan mainly targets Western organisations and state entities in response to perceived anti-Islamic actions. Russia has been known to use religion-related disinformation in an attempt to polarise Western societies.
On balance, it is unlikely that Hamas and Hezbollah will directly conduct operations under the cover of hacktivist personas. It is, however, most likely that Russian and Iranian state-sponsored groups will employ such covers to ensure plausible deniability for any action against Israel or pro-Israeli states.
Analytical Summary
The assessments made in KJ-1 and KJ-3 are held with moderate confidence to be likely to occur surrounding the events of the conflict in Israel. Considering the use of cyberspace as a strategic supplement to kinetic warfare, Hamas will likely engage Israeli information systems in an attempt to disrupt Israel's response to further offensive action from Hamas.
Iranian- and Russian-affiliated cyber actors are very likely to operate under the guise of hacktivist personas to cover their offensive operations and espionage campaigns against Israeli and Western targets.
KJ-2 is less likely in the immediate future, as Hezbollah's strategic position in the Iranian proxy network is more focused on long-term espionage campaigns.
Additional Information