Hackers from Iran and Hezbollah launch attacks to influence the narrative of Israel and Hamas

Iran and Hezbollah Hackers

Hackers, backed by Iran and Hezbollah, carried out cyberattacks intended to undermine public support for the war between Israel and Hamas after October 2023.

This includes destructive attacks on key Israeli organizations, hack-and-leak operations targeting entities in Israel and the US, phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel.

Iran was responsible for nearly 80% of all state-sponsored phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report.

“Hack-and-leak and information operations remain a key component in the efforts of these and related threat actors to telegraph their intentions and capabilities throughout the war, both to their adversaries and to other audiences they seek to influence,” the tech giant said.

What is also remarkable about the Israel-Hamas conflict is that the cyber operations appear to be carried out independently of kinetic and battlefield actions, unlike what has been observed in the Russia-Ukraine war.

Such cyber capabilities can be deployed quickly and at a lower cost to take on regional rivals without direct military confrontation, the company added.

One of the Iran-affiliated groups, called GREATRIFT (also known as UNC4453 or Plaid Rain), is believed to have propagated malware through a fake missing persons site, targeting visitors looking for updates on kidnapped Israelis. The threat actor also used blood donation-themed decoy documents as a distribution vector.


At least two hacktivist personas, Karma and Handala Hack, have used wiper malware strains such as BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE and COOLWIPE to carry out destructive attacks against Israel and delete files from Windows and Linux systems, respectively.

Another Iranian nation-state hacking group, Charming Kitten (also known as APT42 or CALANQUE), targeted media and non-governmental organizations (NGOs) with a PowerShell backdoor known as POWERPUG as part of a phishing campaign observed in late October and November 2023.

POWERPUG is also the latest addition to the adversary’s long list of backdoors, including PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), NokNok, and BASICSTAR.


Hamas-linked groups, on the other hand, targeted Israeli software engineers with coding job lures in an attempt to trick them into downloading SysJoker malware weeks before the October 7 attacks. The campaign is attributed to a threat actor called BLACKATOM.

“The attackers […] posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for freelance software development opportunities,” Google said. Targets include software engineers in the Israeli military, as well as the Israeli aerospace and defense industry.

The tech giant described the tactics of Hamas cyber actors as simple but effective, noting that they used social engineering to deliver remote access trojans and backdoors such as MAGNIFI, which is linked to BLACKSTEM (also known as Molerats), to users in both Palestine and Israel.

Another dimension of these campaigns is the use of Android spyware capable of collecting sensitive information and exfiltrating it to attacker-controlled infrastructure.

The malware strains, named MOAAZDROID and LOVELYDROID, are the handiwork of Hamas-affiliated actor DESERTVARNISH, who is also tracked as Arid Viper, Desert Falcons, Renegade Jackal and UNC718. Details about the spyware were previously documented by Cisco Talos in October 2023.


State-sponsored groups from Iran, such as MYSTICDOME (aka UNC1530), have also been observed targeting mobile devices in Israel with the MYTHDROID (aka AhMyth) Android remote access trojan, as well as a custom-made spyware called SOLODROID for intelligence gathering.

“MYSTICDOME distributed SOLODROID using Firebase projects that 302 redirected users to the Play Store, where they were prompted to install the spyware,” said Google, which has since removed the apps from the digital marketplace.

Google further highlighted an Android malware called REDRUSE – a trojanized version of the legitimate Red Alert app used in Israel to warn of incoming missile attacks – that exfiltrates contacts, message data and location. It was spread via SMS phishing messages impersonating police.

The ongoing war has also affected Iran, with its critical infrastructure disrupted in December 2023 by an actor named Gonjeshke Darande (which means Predatory Sparrow in Persian). The persona is believed to be linked to Israel’s Military Intelligence Directorate.


The findings come as Microsoft revealed that Iranian government actors have launched “a series of cyber attacks and influence operations (IO) intended to advance Hamas’ cause and weaken Israel and its political allies and business partners.”

Redmond described their early-stage cyber and influence operations as reactive and opportunistic, while also confirming Google’s assessment that the attacks “became increasingly targeted and destructive and that IO campaigns became increasingly sophisticated and inauthentic” after the outbreak of the war.


In addition to ramping up and expanding their attack focus beyond Israel to countries that Iran believes are helping Israel, including Albania, Bahrain and the US, Microsoft said it is observing cooperation between Iran-affiliated groups such as Pink Sandstorm (also known as Agrius) and Hezbollah cyber units.


“Collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and eliminating the need for a single group to develop a full spectrum of tools or tradecraft,” said Clint Watts, general manager at the Microsoft Threat Analysis Center (MTAC).

Last week, NBC News reported that the US recently launched a cyber attack on an Iranian military ship called MV Behshad that had been gathering intelligence on cargo ships in the Red Sea and Gulf of Aden.

A Recorded Future analysis last month detailed how hacking personas and front groups in Iran are managed and operated through a variety of Iranian contracting companies, which conduct intelligence gathering and information operations to “foster instability in target countries.”

“While Iranian groups rushed to conduct or simply devise operations in the early days of the war, Iranian groups have slowed their recent operations, giving them more time to gain desired access or develop more extensive influence operations,” concluded Microsoft.
