IsraelHamas – INDIA NEWS (https://www.indiavpn.org)

Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative
https://www.indiavpn.org/2024/02/20/iran-and-hezbollah-hackers-launch-attacks-to-influence-israel-hamas-narrative/
Tue, 20 Feb 2024 06:47:36 +0000


Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023.

This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel.

Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report.

“Hack-and-leak and information operations remain a key component in these and related threat actors’ efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence,” the tech giant said.

What is also notable about the Israel-Hamas conflict is that the cyber operations appear to be executed independently of kinetic and battlefield actions, unlike what was observed in the Russo-Ukrainian war.

Such cyber capabilities can be quickly deployed at a lower cost to engage with regional rivals without direct military confrontation, the company added.

One of the Iran-affiliated groups, dubbed GREATRIFT (aka UNC4453 or Plaid Rain), is said to have propagated malware via a fake “missing persons” site targeting visitors seeking updates on abducted Israelis. The threat actor also used blood donation-themed lure documents as a distribution vector.


At least two hacktivist personas, named Karma and Handala Hack, have leveraged wiper malware strains such as BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE, and COOLWIPE to stage destructive attacks against Israel, deleting files from Windows and Linux systems.

Another Iranian nation-state hacking group called Charming Kitten (aka APT42 or CALANQUE) targeted media and non-governmental organizations (NGOs) with a PowerShell backdoor known as POWERPUG as part of a phishing campaign observed in late October and November 2023.

POWERPUG is also the latest addition to the adversary’s long list of backdoors, which comprises PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), NokNok, and BASICSTAR.

Hamas-linked groups, on the other hand, targeted Israeli software engineers with coding assignment decoys in an attempt to dupe them into downloading SysJoker malware weeks before the October 7 attacks. The campaign has been attributed to a threat actor referred to as BLACKATOM.

“The attackers […] posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities,” Google said. “Targets included software engineers in the Israeli military, as well as Israel’s aerospace and defense industry.”

The tech giant described the tactics adopted by Hamas cyber actors as simple but effective, noting their use of social engineering to deliver remote access trojans and backdoors like MAGNIFI, which has been linked to BLACKSTEM (aka Molerats), to target users in both Palestine and Israel.

Adding another dimension to these campaigns is the use of spyware targeting Android phones that is capable of harvesting sensitive information and exfiltrating the data to attacker-controlled infrastructure.

The malware strains, called MOAAZDROID and LOVELYDROID, are the handiwork of the Hamas-affiliated actor DESERTVARNISH, which is also tracked as Arid Viper, Desert Falcons, Renegade Jackal, and UNC718. Details about the spyware were previously documented by Cisco Talos in October 2023.

State-sponsored groups from Iran, such as MYSTICDOME (aka UNC1530), have also been observed targeting mobile devices in Israel with the MYTHDROID (aka AhMyth) Android remote access trojan as well as a bespoke spyware called SOLODROID for intelligence collection.

“MYSTICDOME distributed SOLODROID using Firebase projects that 302-redirected users to the Play store, where they were prompted to install the spyware,” said Google, which has since taken down the apps from the digital marketplace.

Google further highlighted an Android malware called REDRUSE – a trojanized version of the legitimate Red Alert app used in Israel to warn of incoming rocket attacks – that exfiltrates contacts, messaging data, and location. It was propagated via SMS phishing messages that impersonated the police.

The ongoing war has also had an impact on Iran, with its critical infrastructure disrupted by an actor named Gonjeshke Darande (meaning Predatory Sparrow in Persian) in December 2023. The persona is believed to be linked to the Israeli Military Intelligence Directorate.

The findings come as Microsoft revealed that Iranian government-aligned actors have “launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners.”

Redmond described their early-stage cyber and influence operations as reactive and opportunistic, while also corroborating Google’s assessment that the attacks became “increasingly targeted and destructive and IO campaigns grew increasingly sophisticated and inauthentic” following the outbreak of the war.


Besides ramping up and expanding their attack focus beyond Israel to encompass countries that Iran perceives as aiding Israel, including Albania, Bahrain, and the U.S., Microsoft said it observed collaboration among Iran-affiliated groups such as Pink Sandstorm (aka Agrius) and Hezbollah cyber units.

“Collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft,” Clint Watts, general manager at the Microsoft Threat Analysis Center (MTAC), said.

Last week, NBC News reported that the U.S. recently launched a cyber attack against an Iranian military ship named MV Behshad that had been collecting intelligence on cargo vessels in the Red Sea and the Gulf of Aden.

An analysis from Recorded Future last month detailed how hacking personas and front groups in Iran are managed and operated through a variety of contracting firms in Iran, which carry out intelligence gathering and information operations to “foment instability in target countries.”

“While Iranian groups rushed to conduct, or simply fabricate, operations in the early days of the war, Iranian groups have slowed their recent operations allowing them more time to gain desired access or develop more elaborate influence operations,” Microsoft concluded.

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts
https://www.indiavpn.org/2024/01/18/iranian-hackers-masquerade-as-journalists-to-spy-on-israel-hamas-war-experts/
Thu, 18 Jan 2024 05:59:23 +0000

Jan 18, 2024 | Newsroom | Cyber Espionage / Threat Intelligence

High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mint Sandstorm since November 2023.

The threat actor “used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files,” the Microsoft Threat Intelligence team said in a Wednesday analysis, describing it as a “technically and operationally mature subgroup of Mint Sandstorm.”

The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft.

Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is known for its adept social engineering campaigns, even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective targets. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).


The sub-cluster, per Redmond, engages in resource-intensive social engineering to single out journalists, researchers, professors, and other individuals with insights on security and policy issues of interest to Tehran.

The latest intrusion set is characterized by the use of lures pertaining to the Israel-Hamas war: innocuous emails sent under the guise of journalists and other high-profile individuals to build rapport and establish a level of trust before attempting to deliver malware to the targets.

Microsoft said it’s likely the campaign is an effort undertaken by the nation-state threat actor to collect perspectives on events related to the war.

The use of breached accounts belonging to the people they sought to impersonate in order to send the email messages is a new Mint Sandstorm tactic not seen before, as is its use of the curl command to connect to the command-and-control (C2) infrastructure.

Should the targets engage with the threat actor, they are sent a follow-up email containing a malicious link that points to a RAR archive file, which, when opened, leads to the retrieval of Visual Basic scripts from the C2 server to persist within the targets’ environments.

The attack chains further pave the way for custom implants like MischiefTut or MediaPl, the former of which was first disclosed by Microsoft in October 2023.

Implemented in PowerShell, MischiefTut is a basic backdoor that can run reconnaissance commands, write outputs to a text file, and download additional tools on a compromised system. The first recorded use of the malware dates back to late 2022.

MediaPl, on the other hand, masquerades as Windows Media Player and is designed to transmit encrypted communications to its C2 server and launch command(s) it has received from the server.


“Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection,” Microsoft said.

“The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system.”

The disclosure comes as Dutch newspaper De Volkskrant revealed earlier this month that Erik van Sabben, a Dutch engineer recruited by Israel and U.S. intelligence services, may have used a water pump to deploy an early variant of the now-infamous Stuxnet malware in an Iranian nuclear facility sometime in 2007.
