Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Hamas Isn't Fighting a Cyberwar
Militants Didn't Deploy a Cyber Surge Ahead of the Assault on IsraelCybersecurity experts say every future conflict will likely involve cyber operations. If so, why didn't Hamas deploy cyber operations in its latest war with Israel?
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
The answer may be that Hamas' military planners purposefully didn't order any change in the long-standing tempo of its cyber operations to avoid tipping its hand. In a report, researchers from Google's Threat Analysis Group and Mandiant said that the volume of known cyber operations by Hamas stayed consistent ahead of its storming of Israeli towns nearby the Gaza Strip last October. Hamas' war planners also don't appear to have tried to coordinate their ground attack with cyberattacks.
The researchers' assessment is that this was by design and that "Hamas intentionally did not use cyber operations to tactically support the Oct. 7 attacks," Sandra Joyce, head of global intelligence at Mandiant, told reporters Monday.
"This is potentially because the operational security risks from a cyber operation really outweighed the assessed potential benefit," she said. Likewise, early evidence suggests the militants' planners used nondigital means to evade Israel's known digital dragnet capabilities (see: Intelligence Failure: Surprise Strike on Israel by Hamas).
"We didn't see something like in Ukraine, where in the days and weeks preceding the invasion, we saw this very large uptick in wiper activity," Joyce said.
Prewar cyberespionage operations tied to Hamas or Hamas-linked groups last year typically involved "phishing and malware lures with topical political themes, basic custom backdoors and widely available remote access tools such as njRAT and Xtreme RAT, and malware obfuscation tools purchased on underground forums," Google said. "Mobile spyware is also common."
That cyber picture stands in stark contrast to the weeks prior to Russia's February 2022 invasion of Ukraine, when security experts tracked a massive surge in cyber operations and malware at the same time that troops surged on the border. On the day it initiated a war of conquest, Russia used AcidRain malware in a major attack that bricked tens of thousands of Viasat KA-SAT satellite communications network consumer broadband modems. Russia's invasion stalled, despite the cyberattack.
Hamas didn't engage in any foreshadowing. And once Hamas launched its assault, "we saw no indication that cyber activity was integrated into the Hamas battlefield operations - there wasn't that sort of combined kinetic and cyber complementary action together," as with Russia's invasion of Ukraine, Joyce said.
Following the assault, Google said Hamas' cyber operations appear to have dropped to virtually nil. "Since that time, we really haven't seen significant activity from this actor," said Shane Huntley, senior director of Google's Threat Analysis Group.
While Hamas-linked groups could have ramped up their online attacks ahead of Oct. 7, 2023, or even deployed wiper malware, they chose to not do so.
"Hamas is nothing like Russia," Huntley said. "Therefore, it's not surprising that the use of cyber is very different, due to the nature of the conflict between standing armies versus the sort of attack like we saw on Oct. 7."
What was normal for Hamas-linked cyber actors? "Historically, they've really relied on simple but very effective tools, techniques and procedures," said Kristen Dennesen, a threat analyst at Google TAG. Those often featured "massive phishing campaigns" designed to distribute malware and backdoors, typically targeting Israel, Palestine-based groups, neighboring Middle Eastern countries, and some U.S. and European targets.
Dennesen said that when looking at what Hamas-linked cyber actors didn't choose to do and at why there hasn't been "any significant activity from these actors" since the attack, "we don't offer any explanation as to why, because we don't know."
Hamas' insurgency tactics may not have been suited to be combined with kinetic operations. Also, the choice to not alter the tempo of Hamas-linked cyber operations may have aimed for deceptive normality precisely to avoid tipping off Israeli intelligence. If so, one takeaway for cyber defenders might be: Don't just track anomalies; track the absence of anomalies.
Another takeaway is to beware of trying to apply cyber lessons from one conflict to another, Huntley said. "That's something for us all to notice as we look to other conflicts or future conflicts or potential conflicts: It's never going to look exactly the same," he said. "That's a real risk we could run of fighting the last war, assuming that everything's going to be the same. What we're saying is: There will be cyber, but it will be actually used in different ways in different conflicts."
Proxy War
To his point, one facet of the Israel-Hamas war is that "while we have observed no evidence that Hamas' initial attack included a planned cyber component, regional actors immediately engaged in cyber operations following the assault," Google said.
Before and since the assault by Hamas, Google said, 80% of all phishing attacks targeting Israel continued to trace to two Iran-backed groups - APT42, aka Calanque, which likely operates at the behest of the Islamic Revolutionary Guard Corps; and DustyCave, aka UNC4444, which launched wiper malware attacks last December.
"Espionage has really been a through line for Iran-backed actors before the conflict and continuing through the present," Dennesen said. Many recent attacks have targeted "current and former government and military officials in the U.S. and Israel," she added, and were likely designed to gather intelligence into their decision-making processes around the war.
"Iran's proxy Hezbollah has also conducted cyber operations focused on Israel since the conflict started," Dennesen said. Google cited examples including GreatRift - a Lebanese group that security experts believe has links with Hezbollah - creating a fake missing persons website that claimed to be tracking abducted Israelis and a fake version of a hospital website that Google said distributed "malware with a blood donation theme."
Another tactic that proxy groups have employed regularly since the start of the war is using data leaks to claim hits against targets, including critical infrastructure - and the claims appear to be massively overstated. "These kinds of hack-and-leak activities really become pretty predictable," Joyce said. "Typically, there might be some limited hack or an actor that gets their hands on information that appears sensitive, and then they use this information to suggest that they have greater access and impact than they actually do."
Practitioners of this strategy include a group that calls itself CyberAveng3rs, aka Cyber Avengers, which the U.S. Cybersecurity and Infrastructure Security Agency said had falsely claimed to have gained control of operational technology environments in Israel.
"Hacking leaks and information operations really remain a key component in these and related threat actors efforts to signal their intent and capability through the war, both to the adversaries and to audiences that they seek to influence," Joyce said.
Iran has been the target of at least one cyberattack that shut down gas stations across the country last December. The hacking group Gonjeshke Darande, aka Predatory Sparrow, claimed credit for the disruption, saying via social media that it "was conducted in a controlled manner while taking measures to limit potential damage to emergency services."
The researchers have yet to attribute the group's operations to any given country. "We don't have the definitive evidence of who's sponsoring their activity and interestingly, Iran has made multiple different sorts of accusations about attribution," John Hultquist, the chief analyst of Mandiant Intelligence, told reporters.
The group has an antagonistic relationship with Tehran, appears to be well-funded and appears to limit the impact of its few attacks to date, which suggest that "legal constraints" might govern its operations. "We have to be careful not to draw too much from those sorts of aspects," Hultquist said, "but they are certainly something that I would consider in any kind of attribution."