By Tom Hegel and Aleksandar Milenkoski
Since the start of the Israel-Hamas war, the cyber domain has played a critical role in the conflict, albeit in ways the world may not have expected. Immediately following the attacks from Hamas on October 7th, social media became a hotbed of disinformation, inaccurate self-described OSINT investigators, and public confusion. Unfortunately, leading social media platforms continue to fail at stopping the spread of disinformation regarding this war. We will continue to see it abused as a go-to method to sway public perception of events with no signs of it ending soon.
However, outside of social media information abuse and opportunistic-hacktivism, we must not forget the likelihood of targeted attacks originating from specific, state-sponsored threat actors. Understanding and closely monitoring all-aspects of the quickly evolving conflict within the digital domain is critical as such targeted attacks will translate into real-world consequences. While we continue to collaborate privately with partners, we also seek to bolster the wider industry knowledge about where to place our efforts.
This is an updated compendium of actors for cybersecurity researchers, analysts, and network defenders to watch closely. These actors have potential for significant involvement as the war continues, including APTs across Hamas, Hezbollah, and Iran-based clusters of activity. While state-sponsored APTs should remain a strong focus, we must also carefully monitor the increasingly common use of hacktivist personas used to cloak state-sponsored operations.
In this post, we share recommended and publicly accessible information in effort to streamline the community’s understanding of relevant actors across historical reports for reference. In addition, we are sharing our perspective of public actor naming overlaps. Please note that each source of public reporting may perform attribution and actor clustering uniquely from their perspective. Nonetheless, these sources should serve as starting points for readers looking to catch up on relevant open-source intelligence for your own defense posturing and analysis needs.
Aliases:
Description:
Arid Viper is a threat group conducting cyber espionage and information theft operations since at least 2017, predominantly against targets in the Middle East. Based primarily on the geopolitical context of its activities, Arid Viper is suspected to operate on behalf of Hamas with further conclusive information needed to solidify this assessment. For example, the Israeli Defence Forces (IDF) have reported on a campaign targeting soldiers stationed near the Gaza border, which is suspected to be orchestrated by Hamas. This campaign has been separately attributed with medium confidence to Arid Viper based on victimology and similarities with previous activities attributed to this actor such as overlaps in initial infection techniques.
Targeting individuals is a common practice of Arid Viper. This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements. Common initial infection vectors include social engineering and phishing attacks using themed lure documents. The latter often involves establishing rapport with targets over social media, such as Facebook and Instagram, with catfishing being a frequently used technique.
Arid Viper uses a variety of malware as part of its operations, including stagers, backdoors, and mobile spyware applications for the iOS and Android platforms. Arid Viper’s malware is actively maintained and upgraded to meet the group’s operational requirements. This threat actor has consistently demonstrated innovation by adopting new malware development practices across a range of programming and scripting languages, such as Delphi, Go, Python, and C++.
Aliases:
Description:
Gaza Cybergang is a threat actor that has been active since at least 2012. The group primarily targets throughout the Middle East, including Israel and Palestine, while also less-observed in the EU and US. Targeted entities include government, defense, energy, financial, media, technology, telecommunication, and civil society. Current assessment of Gaza Cybergang indicates a medium to high level of confidence in Hamas affiliation.
The group has historically used a variety of custom and publicly available tools in their attacks, showing a notable preference for spear phishing as a method of initial access. They have been known to use malicious documents and email attachments to deliver malware and link lures, and they often deploy implants to maintain persistence on compromised systems. Tools include Molerat Loader, XtremeRAT, SharpStage, DropBook, Spark, Pierogi, PoisonIvy, and many others observed uniquely over the years.
The overall objectives of Gaza Cybergang appear to be primarily intelligence collection and espionage. They seek to gather intelligence, monitor political developments in the region, and support their cause through cyber activities. The group has been active for many years, and their persistence and adaptability in the face of evolving tensions make it a notable actor in the cyber threat landscape moving forward.
Aliases:
Description:
Plaid Rain is a threat actor first documented in 2022 with a primary focus on targeting entities in Israel across a broad range of verticals, including defense, government, manufacturing, and financial organizations. Plaid Rain is considered to be based in Lebanon, however, its activities indicate potential coordination with Iran-nexus actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Some indicators supporting this assessment include observed overlaps in targeting and TTPs. The potential collaboration between MOIS and Plaid Rain positions this threat group in the nexus of actors that serve as proxies, providing plausible deniability to the government of Iran, such as Cobalt Sapling.
For initial infection, Plaid Rain is suspected to rely primarily on vulnerability exploitation, downstream compromises, and stolen credentials. The group’s arsenal consists of a wide range of well-maintained custom tooling exemplified by the Creepy malware toolset. Plaid Rain’s malware supports a broad range of complementing functionalities following the latest trends in the malware landscape. For example, the CreepyDrive malware uses Cloud services for command and control purposes, likely in an attempt to evade detection by making malicious traffic look legitimate.
Aliases:
Description:
Lebanese Cedar is a lesser-reported APT with a history of successful intrusions across Lebanon, Israel, Palestine, Egypt, United States, United Kingdom, and more. The group was first observed in 2015 and has since maintained limited security industry attention. Similar to Plaid Rain, we associate Lebanese Cedar with Lebanese Shiite militant group Hezbollah attribution as well as potential coordination with Iran-nexus actors affiliated with the Ministry of Intelligence and Security (MOIS).
Initial access methods best observed have been centered around the compromise of victim web servers via n-day vulnerabilities for the deployment of webshells, including ASPXSpy, devilzshell, and Caterpillar. Further use of Meterpreter and their custom Explosive RAT have been associated with objectives around maintaining access through theft of legitimate network credentials, ultimately pursuing espionage objectives.
Iran hosts a diverse array of state-sponsored threat actors whose activities quickly expand past the specific focus on the Israel-Hamas war. These threat actors exhibit variability in terms of size, capability, and motivation, and they have been responsible for a wide spectrum of cyber operations. While some have clear affiliations with the Iranian government, many Iranian hacktivist personas claim to operate independently. It is crucial to acknowledge that emerging hacktivist collectives may serve as a means to obscure state sponsorship, influencing public opinion and concealing attribution of offensive actions. We strongly recommend that media outlets and industry colleagues exercise caution when publicly disseminating content produced by hacktivist collectives. The propagation of their claims, viewpoints, and actions aligns with an overarching mission, and endorsing these activities contributes to their success.Nonetheless, the diversity and adaptability of Iranian cyber threat actors make them a significant and multifaceted component of the global threat landscape moving forward. As we monitor the evolving situation in the Middle East, it is imperative to focus on Iran as a potential origin of both direct cyber offensive actions and proxy operations supported by Iran-linked groups like Hamas and Hezbollah.
Aliases:
Description:
ShroudedSnooper has been part of multiple recent intrusions across the Middle East, including Israel within the past two months, and elsewhere since at least 2020. Most recent observations and activity we can confirm, center around intrusions across the telecommunication and government sectors. The group is attributed to Iran’s Ministry of Intelligence and Security (MOIS).
Our current understanding of the group is that they operate for intelligence collection and initial access to other MOIS entities. Initial access methods for ShroudedSnooper have, and potentially continue to be, accomplished through the compromise of publicly accessible web servers via n-day vulnerabilities. As observed in the recent Israeli telecom intrusions, the group has then made use of backdoors mimicking enterprise security software.
Aliases:
Description:
‘Moses Staff’ and ‘Abraham’s Ax’ are hacktivist personas known for their anti-Israel rhetoric, disruptive and data exfiltration attacks, and penchant for leaking stolen data online along with propaganda content in the form of videos or imagery. Moses Staff and Abraham’s Ax are potentially distinct groups. Since the emergence of Moses Staff in 2021 and Abraham’s Ax in 2022 proclaiming allegiance with Hezbollah, the groups have continued to separately maintain their online presence. However, they share iconography, content editing and infrastructure management practices. This, and the alignment of their activities with the geopolitical interests of Iran, suggests that the two groups are likely part of a single cluster (also referred to as Cobalt Sapling) and serve as proxy groups providing plausible deniability to Iran.
Moses Staff has traditionally focused its efforts on business and government organizations primarily within Israel. In contrast, Abraham’s Ax has asserted responsibility for attacks on entities located outside of Israel but with geopolitical relevance to the country. For example, the alleged intrusions into Saudi Arabian government entities by Abraham’s Ax may have been an attempt to counter the normalization of relations between Israel and Saudi Arabia previously conditioned by resolving the Israeli-Palestinian issue.
Although the threat intelligence research community has identified custom offensive tooling observed in Moses Staff attacks, such as StrifeWater, PyDCrypt and DCSrv, we do not exclude the possibility of Moses Staff and Abraham’s Ax sharing tooling and operational practices making accurate clustering challenging at this time. Operations attributed to Moses Staff have involved RATs and ransomware with no indications of financial motivations, but rather disruption, destruction, and concealment of cyber espionage activities.