Attacks by Iranian and Hezbollah hackers shape narrative on Israel and Hamas
Hackers backed by Iran and Hezbollah launched cyber attacks aimed at undermining public support for Israel in the Israel-Hamas war after October 2023.
This includes destructive attacks against major Israeli organizations, hacking and leak operations targeting Israeli and U.S. entities, phishing campaigns aimed at stealing intelligence, and information operations aimed at turning public opinion against Israel.
Google said in a new report that Iran accounted for nearly 80% of all government-backed phishing campaigns targeting Israel in the six months before the Oct. 7 attack.
“Hacking and leaking and information operations remain a critical component of the efforts of these and related threat actors throughout the war to communicate intentions and capabilities to their adversaries and other audiences they seek to influence,” the tech giant said.
But another noteworthy aspect of the Israel-Hamas conflict is that cyber operations appear to be executed independently of kinetic and battlefield operations, unlike what was observed in the Russia-Ukraine war.
The company added that this cyber capability can be rapidly deployed at low cost to engage regional rivals without the need for direct military confrontation.
One of the Iran-linked groups, GREATRIFT (also known as UNC4453 or Plaid Rain), is said to be distributing malware through fake “missing persons” websites, targeting visitors seeking the latest information on abducted Israelis. Threat actors are also using blood donation-themed decoy documents as a distribution medium.
At least two hacker actors, named Karma and Handala Hack, have launched destructive attacks against Israel using wiper malware strains such as BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE and COOLWIPE to delete files from Windows and Linux systems, respectively.
Another Iranian nation-state hacker group called Charming Kitten (aka APT42 or CALANQUE) deployed a PowerShell backdoor called POWERPUG against media and non-governmental organizations (NGOs) as part of a phishing campaign observed in late October and November 2023.
POWERPUG is the latest addition to the group's long list of backdoors, which includes PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), NokNok, and BASICSTAR.
On the other hand, Hamas-affiliated groups used software-development job lures targeting Israeli software engineers in an attempt to trick them into downloading the SysJoker malware in the weeks leading up to the October 7 attacks. The campaign has been attributed to a threat actor known as BLACKATOM.
Google said the attacker “posed as an employee of a legitimate company and contacted targets via LinkedIn, inviting them to apply for software development freelance opportunities. Targets included software engineers in the Israeli military and the Israeli aerospace and defense industry.”
The tech giant described the tactics employed by Hamas cyber actors as simple yet effective, noting that they use social engineering to deliver remote access trojans and backdoors (such as MAGNIFI) to Palestinian and Israeli users, in a manner consistent with BLACKSTEM (aka Molerats).
Another dimension of these campaigns is the use of spyware targeting Android phones, which can collect sensitive information and exfiltrate it to attacker-controlled infrastructure.
The malware strains, named MOAAZDROID and LOVELYDROID, are the work of the Hamas-affiliated group DESERTVARNISH, also tracked as Arid Viper, Desert Falcons, Renegade Jackal, and UNC718. Cisco Talos recorded details about the spyware in October 2023.
State-sponsored groups from Iran, such as MYSTICDOME (aka UNC1530), have also been observed targeting mobile devices in Israel with the MYTHDROID (aka AhMyth) Android remote access trojan and a custom spyware called SOLODROID used for intelligence collection.
Google said: “MYSTICDOME used the Firebase project to distribute SOLODROID, 302 redirecting users to the Play Store and prompting them to install spyware.” The company has since removed the apps from the digital marketplace.
Google further highlighted an Android malware called REDRUSE, a Trojanized version of the legitimate Red Alert app used in Israel to warn of impending rocket attacks, that leaks contacts, messaging data and locations. It was spread via SMS phishing messages impersonating police officers.
The ongoing war has also had an impact on Iran, whose critical infrastructure was damaged in December 2023 by an actor named Gonjeshke Darande (meaning “predatory sparrow” in Persian). The group is believed to be linked to Israel’s military intelligence service.
Microsoft revealed that actors aligned with the Iranian government “launched a series of cyberattacks and influence operations (IOs) designed to help Hamas and undermine Israel and its political allies and business partners.”
Redmond described their early cyber and influence operations as reactive and opportunistic, while also corroborating Google’s assessment that since the war broke out, attacks have become “increasingly targeted and destructive” and influence activities have grown increasingly complex and inauthentic.
Microsoft said that, in addition to ramping up its attacks and expanding their focus beyond Israel to countries it considers to be aiding Israel, including Albania, Bahrain and the United States, Iran has also been observed collaborating across groups, with Pink Sandstorm (also known as Agrius) working alongside Hezbollah cyber units and other organizations with ties to Iran.
“Collaboration lowers the barrier to entry, allows each team to contribute existing capabilities, and eliminates the need for a single team to develop a full suite of tools or technologies,” said Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC).
Last week, NBC News reported that the United States had recently launched a cyber attack on an Iranian warship called the MV Behshad, which had been collecting intelligence on cargo ships in the Red Sea and Gulf of Aden.
An analysis by Recorded Future last month detailed how Iran’s hacking actors and front companies are managed and operated through various contracting companies in Iran that conduct intelligence collection and information operations to “foment destabilization in target countries.”
“While Iranian groups rushed to conduct or outright fabricate operations early in the war, Iranian groups have recently slowed their operations, giving them more time to gain the access they need or conduct more sophisticated influence operations,” Microsoft concluded.
from Tech Empire Solutions https://techempiresolutions.com/attacks-by-iranian-and-hezbollah-hackers-shape-narrative-on-israel-and-hamas/
via https://techempiresolutions.com/