SentinelLabs has provided a timely report on the current cyber posture regarding the Israel-Hamas War.  Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks by Hamas on 7 October, social media became a hotbed of disinformation, inaccurate claims by self-described OSINT investigators, and public confusion.  Unfortunately, leading social media platforms failed to stop the spread of disinformation regarding this war.  We will continue to see social media abused as a go-to method to sway public perception of events, with no signs of it ending soon.[1]

However, outside of social media information abuse and opportunistic hacktivism, we must not forget the likelihood of targeted attacks originating from specific, state-sponsored threat actors.  Understanding and closely monitoring all aspects of the quickly evolving conflict within the digital domain is critical, as such targeted attacks will translate into real-world consequences.  While we continue to collaborate privately with partners, we also seek to bolster the broader industry knowledge about where to place our efforts.

This is an updated compendium of actors for cybersecurity researchers, analysts, and network defenders to watch closely.  These actors have the potential for significant involvement as the war continues, including APTs across Hamas, Hezbollah, and Iran-based clusters of activity.  While state-sponsored APTs should remain a strong focus, we must also carefully monitor the increasingly common use of hacktivist personas to cloak state-sponsored operations.

In this post, we share recommended and publicly accessible information to streamline the community’s understanding of relevant actors across historical reports for reference.  In addition, we are sharing our perspective on public actor naming overlaps.  Please note that each source of public reporting may perform attribution and actor clustering uniquely from their viewpoint.  Nonetheless, these sources should serve as starting points for readers looking to catch up on relevant open-source intelligence for their own defense posturing and analysis needs.

Hamas-Aligned Clusters

Arid Viper

Aliases:

  • APT-C-23
  • Grey Karkadann
  • Desert Falcon
  • Mantis

Description:

Arid Viper is a threat group that has conducted cyber espionage and information theft operations since at least 2017, predominantly against targets in the Middle East.  Based primarily on the geopolitical context of its activities, Arid Viper is suspected of operating on behalf of Hamas, with further conclusive information needed to solidify this assessment.  For example, the Israel Defense Forces (IDF) have reported on a campaign targeting soldiers stationed near the Gaza border, which Hamas is suspected of orchestrating.  This campaign has been attributed with medium confidence to Arid Viper based on victimology and similarities with previous activities attributed to this actor, such as overlaps in initial infection techniques.

Targeting individuals is a common practice of Arid Viper.  This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements.  Initial infection vectors include social engineering and phishing attacks using themed lure documents.  The social engineering often involves establishing rapport with targets over social media, such as Facebook and Instagram, with catfishing being a frequently employed technique.

Arid Viper uses a variety of malware as part of its operations, including stagers, backdoors, and mobile spyware applications for the iOS and Android platforms.  Arid Viper’s malware is maintained and upgraded to meet the group’s operational requirements.  This threat actor has consistently demonstrated innovation by adopting new malware development practices across various programming and scripting languages, such as Delphi, Go, Python, and C++.

Gaza Cybergang

Aliases:

  • Molerats
  • TA402
  • Gaza Hackers Team
  • Moonlight
  • Extreme Jackal
  • Aluminum Saratoga
  • JEA/Jerusalem Electronic Army (Low to Medium Confidence)


Description:

Gaza Cybergang is a threat actor that has been active since at least 2012.  The group primarily targets entities throughout the Middle East, including Israel and Palestine, with less frequent activity observed in the EU and US.  Targeted entities include government, defense, energy, financial, media, technology, telecommunication, and civil society organizations.  The current assessment of Gaza Cybergang indicates a medium to high level of confidence in Hamas affiliation.

The group has historically used a variety of custom and publicly available tools in their attacks, showing a notable preference for spear phishing as a method of initial access.  They have been known to use malicious documents and email attachments to deliver malware and link lures, and they often deploy implants to maintain persistence on compromised systems.  Tools include Molerat Loader, XtremeRAT, SharpStage, DropBook, Spark, Pierogi, PoisonIvy, and many others observed uniquely over the years.

The overall objectives of Gaza Cybergang appear to be primarily intelligence collection and espionage.  The group seeks to gather intelligence, monitor political developments in the region, and support its cause through cyber activities.  The group has been active for many years, and its persistence and adaptability in the face of evolving tensions make it a notable actor in the cyber threat landscape moving forward.

Hezbollah-Aligned Clusters

Plaid Rain

Aliases:

  • Aqua Dev 1
  • Polonium


Description:

Plaid Rain is a threat actor first documented in 2022 with a primary focus on targeting entities in Israel across a broad range of verticals, including defense, government, manufacturing, and financial organizations.  Plaid Rain is considered to be based in Lebanon; however, its activities indicate potential coordination with Iran-nexus actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS).  Indicators supporting this assessment include observed overlaps in targeting and TTPs.  The potential collaboration between MOIS and Plaid Rain positions this threat group in the nexus of actors that serve as proxies providing plausible deniability to the government of Iran, such as Cobalt Sapling.

For initial infection, Plaid Rain is suspected to rely primarily on vulnerability exploitation, downstream (supply-chain) compromises, and stolen credentials.  The group’s arsenal consists of a wide range of well-maintained custom tooling, exemplified by the Creepy malware toolset.  Plaid Rain’s malware supports a broad range of complementary functionalities that follow current trends in the malware landscape.  For example, the CreepyDrive malware uses cloud services for command and control, likely in an attempt to evade detection by making malicious traffic blend in with legitimate traffic to those services.
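Cloud-service command and control of the kind described for CreepyDrive is hard to block outright, because the destination hosts are ones the enterprise legitimately uses.  What a defender can do is look for sessions to those hosts that do not look like the expected clients.  The following Python script is an added example written for this page, not tooling from the SentinelLabs report or from any of the actors it describes: it parses a constructed proxy log, groups requests to a set of cloud storage API hosts by source and destination, and flags pairs whose user-agent is not an expected client or whose request timing is nearly periodic.  The log format, the host list, the user-agent allowlist, the sample log lines, and the thresholds are all assumptions for illustration.

```python
"""Flag beacon-like traffic to cloud storage APIs in a proxy log.

Added example for this page; not from the report. The log format, the
host list, the user-agent allowlist and the sample lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: cloud storage / file-sync API hosts an implant could use as a C2 relay.
CLOUD_API_HOSTS = {
    "graph.microsoft.com", "api.onedrive.com", "api.dropboxapi.com",
    "content.dropboxapi.com", "www.googleapis.com",
}
# Assumed: user-agent prefixes of clients expected to talk to those hosts.
EXPECTED_UA_PREFIXES = ("Mozilla/", "OneDrive/", "Dropbox/", "Microsoft Office/")

# Constructed sample log: "<iso-time> <src-host> <dest-host> <bytes> <user-agent>"
SAMPLE_LOG = """\
2023-10-20T09:00:00 ws-finance-07 graph.microsoft.com 512 Mozilla/5.0 (Windows NT 10.0) Edge/118.0
2023-10-20T09:00:05 ws-hr-03 content.dropboxapi.com 1433 Dropbox/186.4.6
2023-10-20T09:00:00 srv-web-01 graph.microsoft.com 812 python-requests/2.31
2023-10-20T09:05:00 srv-web-01 graph.microsoft.com 804 python-requests/2.31
2023-10-20T09:10:01 srv-web-01 graph.microsoft.com 815 python-requests/2.31
2023-10-20T09:15:00 srv-web-01 graph.microsoft.com 809 python-requests/2.31
2023-10-20T09:20:00 srv-web-01 graph.microsoft.com 811 python-requests/2.31
2023-10-20T09:01:00 ws-finance-07 www.googleapis.com 2200 Mozilla/5.0 (Windows NT 10.0) Chrome/118.0
"""


def parse_log(text):
    """Parse the constructed format into (time, src, dest, bytes, user_agent) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, nbytes, ua = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), src, dest, int(nbytes), ua))
    return records


def interval_jitter(times):
    """Coefficient of variation of inter-request gaps; 0.0 is perfectly periodic."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else float("inf")


def find_suspicious(log_text, min_requests=4, max_jitter=0.2):
    """Return (src, dest) pairs whose traffic to a cloud API host looks like C2.

    Two independent signals: a user-agent outside the allowlist, and (given at
    least min_requests requests) inter-request timing with low jitter.
    """
    sessions = defaultdict(list)
    for ts, src, dest, _, ua in parse_log(log_text):
        if dest in CLOUD_API_HOSTS:
            sessions[(src, dest)].append((ts, ua))

    findings = []
    for (src, dest), events in sorted(sessions.items()):
        events.sort()
        reasons = []
        unexpected = {ua for _, ua in events if not ua.startswith(EXPECTED_UA_PREFIXES)}
        if unexpected:
            reasons.append("unexpected user-agent: " + ", ".join(sorted(unexpected)))
        if len(events) >= min_requests:
            jitter = interval_jitter([ts for ts, _ in events])
            if jitter <= max_jitter:
                reasons.append(f"periodic requests (n={len(events)}, jitter={jitter:.3f})")
        if reasons:
            findings.append({"src": src, "dest": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["src"], "->", hit["dest"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

In the constructed log only srv-web-01 is flagged, on both signals: a script-style user-agent and five requests spaced almost exactly five minutes apart.  Treat the output as a triage queue rather than a verdict: legitimate automation (SDKs, backup jobs, sync agents) also uses non-browser user-agents and fixed schedules, so the allowlist has to be tuned to the environment, and an implant that randomizes its sleep will defeat the jitter check.  The more durable control is at the identity layer: the same cloud tenant's audit logs show which account and OAuth application the traffic authenticated as, which is where a host talking to a storage API it has no business reason to use should be confirmed.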

Lebanese Cedar

Aliases:

  • Volatile Cedar
  • DeftTorero

Description:

Lebanese Cedar is a lesser-reported APT with a history of successful intrusions across Lebanon, Israel, Palestine, Egypt, the United States, the United Kingdom, and more.  The group was first observed in 2015 and has received limited security industry attention since.  As with Plaid Rain, we associate Lebanese Cedar with the Lebanese Shiite militant group Hezbollah and assess potential coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS).

The best-observed initial access method is the compromise of victim web servers via n-day vulnerabilities to deploy webshells, including ASPXSpy, devilzshell, and Caterpillar.  Subsequent use of Meterpreter and the group’s custom Explosive RAT supports maintaining access through theft of legitimate network credentials, in pursuit of espionage objectives.

Relevant Iranian Clusters

Iran hosts diverse state-sponsored threat actors whose activities extend well beyond the specific focus of the Israel-Hamas war.  These threat actors vary in size, capability, and motivation and have been responsible for a wide spectrum of cyber operations.  While some have apparent affiliations with the Iranian government, many Iranian hacktivist personas claim to operate independently.  It is crucial to acknowledge that emerging hacktivist collectives may serve as a means to obscure state sponsorship, influence public opinion, and conceal attribution of offensive actions.  SentinelLabs strongly recommends that media outlets and industry colleagues exercise caution when publicly disseminating content produced by hacktivist collectives: propagating their claims, viewpoints, and actions serves their overarching mission, and amplifying these activities contributes to their success.  The diversity and adaptability of Iranian cyber threat actors make them a significant and multifaceted component of the global threat landscape moving forward.  Continued monitoring is required as the situation in the Middle East evolves, and it is imperative to treat Iran as a potential origin of both direct offensive cyber actions and proxy operations carried out by Iran-linked groups such as Hamas and Hezbollah.

ShroudedSnooper

Aliases:

  • Not publicly available


Description:

ShroudedSnooper has been part of multiple recent intrusions across the Middle East, including Israel, within the past two months, and elsewhere since at least 2020.  The most recent observations and activity we can confirm center on intrusions in the telecommunication and government sectors.  The group is attributed to Iran’s Ministry of Intelligence and Security (MOIS).

Our current understanding is that the group operates for intelligence collection and to provide initial access for other MOIS entities.  Initial access has been, and potentially continues to be, accomplished through the compromise of publicly accessible web servers via n-day vulnerabilities.  As observed in the recent Israeli telecom intrusions, the group then deploys backdoors that mimic enterprise security software.
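Both Lebanese Cedar (above) and ShroudedSnooper are described as gaining initial access by exploiting n-day vulnerabilities in public-facing web servers and then dropping webshells or backdoors.  Patching removes the entry point, but a defender who inherits an exposed server still needs a quick way to ask whether a webshell is already there.  The following Python script is an added example for this page, not tooling from the report or from either group: it builds a small constructed web root in a temporary directory, then scans every script-type file for co-occurring webshell signals (request input, process execution, a command interpreter, dynamic code evaluation) and reports files matching at least two categories together with whether they were modified recently.  The file extensions, indicator regexes, thresholds, and sample files are all assumptions for illustration.

```python
"""Triage scan of a web root for webshell indicators.

Added example for this page; not tooling from the report. The extensions,
indicator patterns, thresholds and sample files are constructed assumptions.
"""
import os
import re
import tempfile
import time
from pathlib import Path

SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}

# Each category is one signal; a file is flagged when >= 2 categories co-occur,
# because a single signal (e.g. ProcessStartInfo) is common in legitimate code.
INDICATORS = {
    "request-input": re.compile(r"Request\s*[\[(]|\$_(?:GET|POST|REQUEST|COOKIE)\[|getParameter\("),
    "process-exec": re.compile(r"Process\.Start|ProcessStartInfo|shell_exec|passthru|popen|Runtime\.getRuntime\(\)\.exec"),
    "cmd-interpreter": re.compile(r"cmd\.exe|/bin/(?:ba)?sh|powershell", re.IGNORECASE),
    "dynamic-eval": re.compile(r"\beval\s*\(|base64_decode|Assembly\.Load"),
}

# Constructed sample files: a benign page, an admin helper that legitimately
# starts a process, and two shell-like files.
SAMPLE_FILES = {
    "Default.aspx": '<%@ Page Language="C#" %>\n<asp:Label runat="server" Text="Welcome" />\n',
    "tools/Recycle.aspx": '<%@ Page Language="C#" %>\n<script runat="server">\n'
                          'void Page_Load(object s, EventArgs e) {\n'
                          '    var psi = new ProcessStartInfo("iisreset");\n}\n</script>\n',
    "shell.aspx": '<%@ Page Language="C#" %>\n<script runat="server">\n'
                  'void Page_Load(object s, EventArgs e) {\n'
                  '    var psi = new ProcessStartInfo("cmd.exe", "/c " + Request["c"]);\n'
                  '    Response.Write(Process.Start(psi).StandardOutput.ReadToEnd());\n}\n</script>\n',
    "uploads/img.php": '<?php eval(base64_decode($_POST["x"])); ?>\n',
}
OLD_FILES = {"Default.aspx", "tools/Recycle.aspx"}  # backdated to look like the original deployment


def build_sample_webroot():
    """Write the constructed files into a fresh temp dir; return its Path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    old = time.time() - 400 * 86400
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
        if rel in OLD_FILES:
            os.utime(path, (old, old))
    return root


def classify_file(path):
    """Return the list of indicator categories present in one file."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_webroot(root, recent_days=30, min_categories=2):
    """Return findings for script files with >= min_categories signals.

    Each finding records the web-root-relative path, the matched categories and
    whether the file was modified within recent_days (a deployment-baseline
    proxy: a shell dropped after an n-day exploit is usually newer than the app).
    """
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        signals = classify_file(path)
        if len(signals) >= min_categories:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "signals": signals,
                "recent": path.stat().st_mtime >= cutoff,
            })
    return sorted(findings, key=lambda f: (-len(f["signals"]), f["path"]))


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        flag = "RECENT" if hit["recent"] else "old"
        print(f"{hit['path']:<20} {flag:<7} {', '.join(hit['signals'])}")
```

On the constructed web root the scan flags shell.aspx and uploads/img.php, both recently modified, while tools/Recycle.aspx (one signal only) and Default.aspx stay below the threshold.  The caveats matter: attackers obfuscate shells precisely to avoid string matching, so a clean scan proves little, and the reliable check is comparing the live web root against the deployed build (hashes or a version-controlled release) rather than scoring content.  Conversely, a hit in an uploads directory or on a file newer than the last deployment is worth pulling the web server access logs for, since the requests that created and used it are usually still there.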

Cobalt Sapling

Aliases:

  • Moses Staff
  • Abraham’s Ax
  • Marigold Sandstorm


Description:

‘Moses Staff’ and ‘Abraham’s Ax’ are hacktivist personas known for their anti-Israel rhetoric, disruptive and data exfiltration attacks, and penchant for leaking stolen data online along with propaganda content in the form of videos or imagery.  Moses Staff and Abraham’s Ax are potentially distinct groups.  They have maintained their online presence since the emergence of Moses Staff in 2021 and Abraham’s Ax in 2022, the latter proclaiming allegiance to Hezbollah.  However, they share iconography, content editing, and infrastructure management practices.  This, and the alignment of their activities with the geopolitical interests of Iran, suggests that the two groups are likely part of a single cluster (also referred to as Cobalt Sapling) and serve as proxy groups providing plausible deniability to Iran.

Moses Staff has traditionally focused on business and government organizations, primarily within Israel.  In contrast, Abraham’s Ax has asserted responsibility for attacks on entities outside of Israel but with geopolitical relevance to the country.  For example, the alleged intrusions into Saudi Arabian government entities by Abraham’s Ax may have been an attempt to counter the normalization of relations between Israel and Saudi Arabia, which had previously been conditioned on resolving the Israeli-Palestinian issue.

Although the threat intelligence research community has identified custom offensive tooling in Moses Staff attacks, such as StrifeWater, PyDCrypt, and DCSrv, we do not exclude the possibility that Moses Staff and Abraham’s Ax share tooling and operational practices, which makes accurate clustering challenging at this time.  Operations attributed to Moses Staff have involved RATs and ransomware with no indication of financial motivation; the apparent goals are disruption, destruction, and concealment of cyber espionage activities.

APPENDIX: Recommended Public Reporting

Arid Viper

Gaza Cybergang

Plaid Rain

Lebanese Cedar

ShroudedSnooper

Cobalt Sapling


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632


[1] https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/
