Hackers affiliated with Hamas have targeted Israelis through a complex cyber espionage campaign over the past six months, making use of fake Facebook accounts, social engineering techniques and advanced malware to hack into Israeli soldiers' and police officers' phones and computers, Israeli cyberdefense firm Cybereason revealed Wednesday, describing it as a “new level of sophistication” for Hamas.
Cybereason’s research team has long followed Hamas-linked hackers. Over the past six months, they found that one of the two main hacking units belonging to the group was involved in an “elaborate campaign that targeted Israeli individuals and officials. The campaign is characterized as an espionage campaign aiming to steal sensitive information from PCs and mobile devices belonging to a chosen target group of Israeli individuals working for law enforcement, military and emergency services.”
According to their findings, which they shared with both Facebook and Israel's defense establishment, the hackers use social engineering techniques to find their victims and lure them, as well as fake Facebook profiles “to trick specific individuals into downloading trojanized direct message applications for Android and PC, which granted them access to the victims’ devices.”
The so-called trojan horse program that was downloaded to their devices, researchers say, is much more advanced than malware deployed by the group in the past, targeting both computers and mobile devices. The spyware provided hackers with full access to the computers or phones, including their microphones and cameras. It even included “operational security” mechanisms intended to prevent detection, and it automatically updated itself, one researcher explained.
After reviewing the report, Facebook took down all of the accounts.
This is not the first time Hamas has made use of catfishing techniques for cyber needs: In 2017 and 2018, Hamas hackers were revealed to be posing as young women to try to lure Israeli soldiers to chat with them on dating apps like Tinder. Once in communication with their targets, the hackers would infect their phones.
Since then, Hamas has learned how to make more believable fake accounts, one Cybereason researcher explained. “They set up fake accounts, but while usually such accounts are quite easy to spot, in this case they would seem very real to an untrained eye.”
The fake accounts, all of which pretended to be Israeli women, were set up months in advance. “They were extremely active accounts, they were very well versed in Israeli politics and current events, they chatted with their victims and posted in perfect Hebrew, with none of the tell-tale signs of fake foreign accounts.
“After gaining the victim’s trust, the operator of the fake account suggests migrating the conversation from Facebook over to WhatsApp. By doing so, the operator quickly obtains the target's mobile number. In many cases, the content of the chat revolves around sexual themes, and the operators often suggest to the victims that they should use a ‘safer’ and more ‘discreet’ means of communication, suggesting a designated app for Android.” For example, some targets were asked to download a fake messaging app called “Wink Wink Chat.”
“In addition, they also entice the victims to open a .rar file containing a video that supposedly contains explicit sexual content. However, when the users open the video they are infected with malware,” Cybereason's report explains. According to the researchers, the victims were specifically targeted during their work hours with the hopes of infecting their work computers.
At the end of 2020, Cybereason revealed what was then the most sophisticated cyber espionage operation carried out by Hamas. The hackers behind that operation were Molerats, a group also known as The Gaza Cybergang, which has historically targeted Israelis, but has also gone after the Palestinian Authority and the Arab world. But this time around, it remains unclear which of Hamas' cyber units is behind the latest campaign.
According to Cybereason, Hamas' revamped toolset and playbook were made most clear by the fact that they targeted Israelis as opposed to their usual Arabic-speaking targets in places like Jordan or Saudi Arabia.
This week also marks OpIsrael, an annual cyberattack on Israel by pro-Palestinian hacktivists. Industry sources say that while the annual attack can cause some damage – for example, websites targeted by so-called denial of service attacks may incur financial losses – generally speaking the Hamas operation is of a different magnitude and poses a much more severe threat.
In response to this report, Israel’s cyber authority referred Haaretz to the IDF’s spokesperson unit, which said that “no substantial damage” was caused as a result of the operation, which they said “did not manage to penetrate the IDF’s system.” The army spokesperson added that “Hamas’ cyber units are under constant surveillance and preventive actions are taken against their efforts in cyberspace.” They further said Hamas’ cyber forces have only “basic technological abilities which are limited to creating fake profiles on social media platforms.”