Iran-Hezbollah hackers target Israel-Hamas conflict with cyberattacks, aiming to sway public opinion and gather intelligence.
Iranian and Hezbollah-affiliated hackers launched cyberattacks designed to undercut public support for the Israel-Hamas war after October 2023. These cyber offensives included destructive attacks on critical Israeli institutions, hack-and-leak operations against targets in Israel and the U.S., phishing campaigns to gather intelligence, and propaganda efforts to turn public opinion against Israel.
Google reports that Iran was behind almost 80% of all state-sponsored phishing attacks on Israel in the six months leading up to the October 7 incidents. The tech giant highlighted that hack-and-leak tactics and propaganda campaigns are crucial for these actors to showcase their intentions and capabilities throughout the conflict, targeting both their enemies and other groups they wish to influence.
Interestingly, the cyber aspects of the Israel-Hamas conflict were conducted separately from physical military actions, a departure from what was observed during the Russo-Ukrainian war. This indicates that cyber tools offer a swift, cost-effective method for engaging with regional adversaries outside of traditional military engagement, according to the company.
One group with ties to Iran, known as GREATRIFT (also UNC4453 or Plaid Rain), has spread malware through a fake "missing persons" website aimed at individuals looking for information on kidnapped Israelis. This group also employed documents themed around blood donation as a means to distribute malware.
Hacktivist entities named Karma and Handala Hack have used malware such as BiBi-Windows Wiper and BiBi-Linux Wiper, along with ChiLLWIPE and COOLWIPE, to conduct destructive operations against Israel, targeting systems running Windows and Linux.
Charming Kitten, another Iranian hacking collective, targeted media and NGOs with a PowerShell backdoor named POWERPUG in a phishing operation detected in late October and November 2023. POWERPUG joins a series of backdoors used by this group, including PowerLess and BellaCiao among others.
On the Hamas side, affiliated groups targeted Israeli software engineers with fake coding assignments to deliver the SysJoker malware before the October 7 attacks. This campaign was attributed to a group tracked as BLACKATOM, which approached potential victims on LinkedIn while posing as employees of legitimate companies offering freelance software development work.
Google described Hamas cyber tactics as straightforward yet effective, employing social engineering to deploy trojans and backdoors like MAGNIFI, targeting individuals in Palestine and Israel. This operation is linked to BLACKSTEM (also known as Molerats).
The campaigns also involved Android spyware, capable of extracting sensitive data and sending it to the attackers' servers. The spyware, dubbed MOAAZDROID and LOVELYDROID, was developed by the Hamas-linked actor DESERTVARNISH, also identified as Arid Viper and Desert Falcons among other names.
State-sponsored Iranian groups such as MYSTICDOME (also UNC1530) have targeted mobile devices in Israel with the MYTHDROID (AhMyth) Android trojan and a custom spyware called SOLODROID for intelligence gathering.
Google also uncovered an Android malware called REDRUSE, masquerading as the legitimate Red Alert app, used to collect contacts, messages, and location data, spread through SMS phishing impersonating police authorities.
Iran's infrastructure faced disruptions from an entity named Gonjeshke Darande (Predatory Sparrow) in December 2023, believed to be linked to Israeli Military Intelligence, highlighting the reciprocal nature of cyber hostilities.
Microsoft's findings echo Google's, reporting Iranian and Hezbollah cyber and propaganda efforts aimed at bolstering Hamas and undermining Israel and its allies. Collaboration among Iran-affiliated groups like Pink Sandstorm and Hezbollah cyber units has lowered the entry barrier for cyberattacks, enabling shared capabilities and strategies.
Recent U.S. cyber operations against Iranian military interests and Recorded Future analyses reveal the complex network of hacking personas and groups within Iran, demonstrating a broad strategy to destabilize target nations through cyber means.