Researchers have discovered possible signs of cooperation between the Palestinian militant organization Hamas and one of the oldest Arabic-speaking hacker groups.
According to a report published Thursday by Recorded Future researchers, Hamas allegedly turned to operators outside Gaza and “third parties” to keep a news site linked to its military wing, the Al-Qassam Brigades, online during the war with Israel.
Days after Hamas’ first major attack on Israel, a Telegram channel used by Hamas members and supporters announced the launch of an application linked to the Al-Qassam Brigades.
The app was launched to spread Hamas’ message, the researchers said. Recorded Future News is an editorially independent unit of Recorded Future.
Running a website or app in Gaza is difficult: Israeli airstrikes have damaged its internet infrastructure and caused power outages. The region is also under constant attack by politically motivated hackers who aim to disrupt its vital services and websites, researchers said. Some providers likely refused to host websites associated with Hamas.
Hamas is believed to be trying to get around the problem by sharing its infrastructure with those who can help keep it running. After the major attack on Israel, the operators of the Al-Qassam Brigades website kept it online by transferring it between several different infrastructure providers.
Researchers analyzed this infrastructure and discovered suspicious redirects to the Al-Qassam Brigades website as well as identical Google Analytics code associated with the website domain and approximately 90 other domains.
The researchers were able to identify the putative operators of two clusters of these domains.
The first cluster used registration techniques similar to those of a hacking group known as TAG-63, also tracked as AridViper and APT-C-23. It is a state-sponsored cyberespionage group known for targeting Arabic-speaking individuals in the Middle East. The group is believed to operate on behalf of Hamas.
The second group of domains was suspected of being linked to Iran. It had several subdomains whose names contained references to Iran, including Farsi terms like “director” and “comrade.”
A page linked to Iran was also used to impersonate the World Organization Against Torture (OMCT). Researchers could not confirm whether this website had been used by hackers for phishing or social engineering attacks.
Iran maintains close ties to Hamas, and the Iranian Quds Force, a unit specializing in unconventional warfare and military intelligence, is the only confirmed Iranian entity known to provide cyber assistance to Hamas and other Palestinian threat groups, according to a study by Recorded Future.
Although there isn’t much evidence of cooperation between the two sides, this report provides insight into how these groups might help each other, according to the researchers.
Daryna Antoniuk
Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.