Influence – INDIA NEWS (http://www.indiavpn.org)

U.S. Treasury Hamas Spokesperson for Cyber Influence Operations
http://www.indiavpn.org/2024/04/13/u-s-treasury-hamas-spokesperson-for-cyber-influence-operations/
Published: Sat, 13 Apr 2024 16:28:41 +0000

Apr 13, 2024 | Newsroom | Cyber influence / Warfare

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Friday announced sanctions against an official associated with Hamas for his involvement in cyber influence operations.

Hudhayfa Samir ‘Abdallah al-Kahlut, 39, also known as Abu Ubaida, has served as the public spokesperson of Izz al-Din al-Qassam Brigades, the military wing of Hamas, since at least 2007.

“He publicly threatened to execute civilian hostages held by Hamas following the terrorist group’s October 7, 2023, attacks on Israel,” the Treasury Department said.

“Al-Kahlut leads the cyber influence department of al-Qassam Brigades. He was involved in procuring servers and domains in Iran to host the official al-Qassam Brigades website in cooperation with Iranian institutions.”

Alongside Al-Kahlut, two other individuals, William Abu Shanab, 56, and Bara’a Hasan Farhat, 35, were also sanctioned for their role in the manufacturing of unmanned aerial vehicles (UAVs) used by Hamas to conduct terrorist operations, including urban warfare and intelligence gathering.

Both Abu Shanab and his assistant Farhat are said to be part of the Lebanon-based al-Shimali unit, where the former is a commander.

Coinciding with the actions taken by the U.S., the European Union imposed sanctions of its own against Al-Qassam Brigades, Al-Quds Brigades, and Nukhba Force for their “brutal and indiscriminate terrorist attacks” targeting Israel last year.

While Al-Quds Brigades is the armed wing of Palestinian Islamic Jihad, Nukhba Force is a special forces unit of Hamas.

The joint action, said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, is aimed at “disrupting Hamas’s ability to conduct further attacks, including through cyber warfare and the production of UAVs.”

The development arrived a little over two months after the U.S. government sanctioned six Iranian officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.

U.S. Sanctions Russians Behind ‘Doppelganger’ Cyber Influence Campaign
http://www.indiavpn.org/2024/03/21/u-s-sanctions-russians-behind-doppelganger-cyber-influence-campaign/
Published: Thu, 21 Mar 2024 09:20:50 +0000

Mar 21, 2024 | Newsroom | National Security / Data Privacy

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Wednesday announced sanctions against two 46-year-old Russian nationals and the respective companies they own for engaging in cyber influence operations.

Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and current owner of Russia-based Company Group Structura LLC (Structura), have been accused of providing services to the Russian government in connection to a “foreign malign influence campaign.”

The disinformation campaign is tracked by the broader cybersecurity community under the name Doppelganger, which is known to target audiences in Europe and the U.S. using inauthentic news sites and social media accounts.

“SDA and Structura have been identified as key actors of the campaign, responsible for providing [the Government of the Russian Federation] with a variety of services, including the creation of websites designed to impersonate government organizations and legitimate media outlets in Europe,” the Treasury said.

Both Gambashidze and Tupikin have been accused of orchestrating a campaign in the Fall of 2022 that created a network of over 60 sites designed to masquerade as legitimate news websites and fake social media accounts to disseminate the content originating from those spoofed sites.

The department said the fake websites were built to mimic the appearance of their actual counterparts, with the portals including embedded images and working links to the legitimate sites and even impersonating the cookie consent pages as part of efforts to trick visitors.

Furthermore, a closer examination of the two cryptocurrency wallets listed by OFAC as associated with Gambashidze reveals that they have received more than $200,000 worth of USDT on the TRON network, with a significant chunk originating from the now-sanctioned exchange Garantex, Chainalysis said.

“He then cashed out most of his funds to a single deposit address at a mainstream exchange,” the blockchain analytics firm noted. “These transactions highlight Garantex’s continued involvement in the Russian government’s illicit activities.”

Doppelganger, active since at least February 2022, has been described by Meta as the “largest and the most aggressively-persistent Russian-origin operation.”

In December 2023, Recorded Future revealed attempts by the malign network to leverage generative artificial intelligence (AI) to create inauthentic news articles and produce scalable influence content.

SDA and Structura, along with Gambashidze, have also been the subject of sanctions imposed by the Council of the European Union as of July 2023 for conducting a digital information manipulation campaign called Recent Reliable News (RRN) aimed at amplifying propaganda declaring support for Russia’s war against Ukraine.

“This campaign […] relies on fake web pages usurping the identity of national media outlets and government websites, as well as fake accounts on social media,” the Council said at the time. “This coordinated and targeted information manipulation is part of a broader hybrid campaign by Russia against the EU and the member states.”

The development comes as the U.S. House of Representatives unanimously passed a bill (Protecting Americans’ Data from Foreign Adversaries Act, or H.R.7520) that would bar data brokers from selling Americans’ sensitive data to foreign adversaries, counting China, Russia, North Korea, and Iran.

It also arrives a week after Congress passed another bill (Protecting Americans from Foreign Adversary Controlled Applications Act, or H.R.7521) that seeks to force Chinese company ByteDance to divest popular video sharing platform TikTok within six months, or risk facing a ban, due to national security concerns.

Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative
http://www.indiavpn.org/2024/02/20/iran-and-hezbollah-hackers-launch-attacks-to-influence-israel-hamas-narrative/
Published: Tue, 20 Feb 2024 06:47:36 +0000

Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023.

This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel.

Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report.

“Hack-and-leak and information operations remain a key component in these and related threat actors’ efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence,” the tech giant said.

But what’s also notable about the Israel-Hamas conflict is that the cyber operations appear to be executed independently of the kinetic and battlefield actions, unlike what has been observed in the case of the Russo-Ukrainian war.

Such cyber capabilities can be quickly deployed at a lower cost to engage with regional rivals without direct military confrontation, the company added.

One of the Iran-affiliated groups, dubbed GREATRIFT (aka UNC4453 or Plaid Rain), is said to have propagated malware via a fake “missing persons” site targeting visitors seeking updates on abducted Israelis. The threat actor also utilized blood donation-themed lure documents as a distribution vector.

At least two hacktivist personas, named Karma and Handala Hack, have leveraged wiper malware strains such as BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE, and COOLWIPE to stage destructive attacks against Israel and delete files from Windows and Linux systems, respectively.

Another Iranian nation-state hacking group called Charming Kitten (aka APT42 or CALANQUE) targeted media and non-governmental organizations (NGOs) with a PowerShell backdoor known as POWERPUG as part of a phishing campaign observed in late October and November 2023.

POWERPUG is also the latest addition to the adversary’s long list of backdoors, which comprises PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), NokNok, and BASICSTAR.

Hamas-linked groups, on the other hand, targeted Israeli software engineers with coding assignment decoys in an attempt to dupe them into downloading SysJoker malware weeks before the October 7 attacks. The campaign has been attributed to a threat actor referred to as BLACKATOM.

“The attackers […] posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities,” Google said. “Targets included software engineers in the Israeli military, as well as Israel’s aerospace and defense industry.”

The tech giant described the tactics adopted by Hamas cyber actors as simple but effective, noting their use of social engineering to deliver remote access trojans and backdoors like MAGNIFI to target users in both Palestine and Israel, which has been linked to BLACKSTEM (aka Molerats).

Adding another dimension to these campaigns is the use of spyware targeting Android phones that is capable of harvesting sensitive information and exfiltrating the data to attacker-controlled infrastructure.

The malware strains, called MOAAZDROID and LOVELYDROID, are the handiwork of the Hamas-affiliated actor DESERTVARNISH, which is also tracked as Arid Viper, Desert Falcons, Renegade Jackal, and UNC718. Details about the spyware were previously documented by Cisco Talos in October 2023.

State-sponsored groups from Iran, such as MYSTICDOME (aka UNC1530), have also been observed targeting mobile devices in Israel with the MYTHDROID (aka AhMyth) Android remote access trojan as well as a bespoke spyware called SOLODROID for intelligence collection.

“MYSTICDOME distributed SOLODROID using Firebase projects that 302-redirected users to the Play store, where they were prompted to install the spyware,” said Google, which has since taken down the apps from the digital marketplace.

Google further highlighted an Android malware called REDRUSE – a trojanized version of the legitimate Red Alert app used in Israel to warn of incoming rocket attacks – that exfiltrates contacts, messaging data, and location. It was propagated via SMS phishing messages that impersonated the police.

The ongoing war has also had an impact on Iran, with its critical infrastructure disrupted by an actor named Gonjeshke Darande (meaning Predatory Sparrow in Persian) in December 2023. The persona is believed to be linked to the Israeli Military Intelligence Directorate.

The findings come as Microsoft revealed that Iranian government-aligned actors have “launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners.”

Redmond described their early-stage cyber and influence operations as reactive and opportunistic, while also corroborating Google’s assessment that the attacks became “increasingly targeted and destructive and IO campaigns grew increasingly sophisticated and inauthentic” following the outbreak of the war.

Besides ramping up and expanding their attack focus beyond Israel to encompass countries that Iran perceives as aiding Israel, including Albania, Bahrain, and the U.S., Microsoft said it observed collaboration among Iran-affiliated groups such as Pink Sandstorm (aka Agrius) and Hezbollah cyber units.

“Collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft,” Clint Watts, general manager at the Microsoft Threat Analysis Center (MTAC), said.

Last week, NBC News reported that the U.S. recently launched a cyber attack against an Iranian military ship named MV Behshad that had been collecting intelligence on cargo vessels in the Red Sea and the Gulf of Aden.

An analysis from Recorded Future last month detailed how hacking personas and front groups in Iran are managed and operated through a variety of contracting firms in Iran, which carry out intelligence gathering and information operations to “foment instability in target countries.”

“While Iranian groups rushed to conduct, or simply fabricate, operations in the early days of the war, Iranian groups have slowed their recent operations allowing them more time to gain desired access or develop more elaborate influence operations,” Microsoft concluded.
