
Hamas-linked Threat Group Expands Espionage and Destructive Operations

Introduction

Check Point Research has been closely tracking a significant cyber campaign led by the WIRTE group, an Advanced Persistent Threat (APT) originating from the Middle East with connections to Gaza Cybergang, a cluster affiliated with Hamas. Active since at least 2018, the covert organization has gained notoriety for its politically driven cyber-espionage activities, focusing on intelligence gathering that likely ties into the complexities of regional geopolitical conflicts. The group targets entities in the Middle East, specifically the Palestinian Authority, Jordan, Egypt, Iraq, and Saudi Arabia.

While many other Hamas-associated cyber activities have halted as the war continues, WIRTE’s operations have persisted and even expanded. Recently, the group went beyond espionage and carried out at least two destructive operations against Israel.

In this blog, we examine WIRTE’s espionage activities, their new destructive operations, and their association with Hamas, while also raising questions about whether this activity can be attributed specifically to actors within Gaza.

WIRTE’s Espionage Operations

As tensions in the Middle East persist, various threat actors have taken advantage of the conflict to create targeted deceptive lures in recent months. Specifically, WIRTE remains very active throughout the war, conducting regional attacks.

Check Point Research has observed multiple campaigns using malware connected to WIRTE since October 2023.

Figure: Lure PDF showing an error and containing an embedded malicious link.

WIRTE Expands Activities to Disruptive Attacks

In October 2024, a malicious email campaign was launched from the account of a reseller of ESET, a cyber security company. The emails targeted various organizations in Israel, such as hospitals and municipalities, claiming that the user’s device had been targeted by a state-backed threat actor. The email includes a link to a URL that claims to install a threat protection program. However, this link points to a wiper, a type of malware intended to erase or corrupt data on a computer or network. Unlike other malware that may aim to steal information or hold data for ransom, wipers are specifically designed to cause destruction.

This wiper is an updated version of a previously reported Samecoin wiper. Earlier this year, it was used in a malicious campaign that impersonated the Israeli National Cyber Directorate (INCD). Samecoin is a multi-platform wiper available for Android and Windows. In each case, it disguised itself as a security update from the INCD.

In the October campaign, when clicked, the URL in the email initiates an infection chain which, at some point, directs victims to a malicious file that tries to connect to the Israel Home Front Command site to verify that the victim is Israeli, as the site can only be accessed within Israel. The malware then decrypts the following files to be executed:

Figure: The translated wallpaper mentions the Al-Qassam Brigades, the military wing of Hamas.

Hamas Likely the Driving Force Behind the WIRTE Threat Actor

The campaign’s messaging in disruptive attacks and a consistent focus on the Palestinian Authority (PA), a political rival of Hamas, together with multiple historical links published over the years, suggest a connection between WIRTE and Hamas. The use of imagery associated with Hamas’s military wing, the Al-Qassam Brigades, could potentially indicate a false flag operation; however, such references have not been observed in attacks attributed to other groups, including Iranian factions. WIRTE’s targeting strategy aligns closely with Hamas’s interests, particularly regarding Palestinian issues. Furthermore, WIRTE’s historical associations with groups like the Molerats and the Gaza Cybergang, both of which have ties to Hamas, reinforce the likelihood of a connection to the organization.

A Dual Strategy of Disruption and Espionage in the Middle East

WIRTE has consistently targeted various entities across the Middle East, with indicators of their activities, such as file submissions, lures, and domain references, suggesting involvement with Lebanon, Iraq, Saudi Arabia, and Egypt. Propaganda content and themes specifically targeted Israeli audiences, along with phishing emails directed at Israeli recipients. Additionally, the wiper is activated only if the target country is Israel or the system language is set to Hebrew.

The various techniques and payloads used against Israel, in contrast to those aimed at other Middle Eastern nations, reveal a fascinating and complex strategy. It seems there are two critical goals at play here: one focused on disruption within Israel, while the other targets espionage activities in neighboring countries. This dual approach highlights the intricate dynamics of regional conflicts and the differing priorities of those involved.

Enhancing Security Through Proactive Threat Analysis

In an age of evolving cyber threats, Check Point’s Threat Emulation stands guard by inspecting every file before it enters your network. Executing files in controlled virtual environments identifies unknown threats and zero-day vulnerabilities and monitors for harmful behavior like unauthorized system changes.

When integrated with Check Point Harmony Endpoint, this dynamic duo analyzes files in real time, allowing users to access safe versions almost instantly while the originals undergo thorough scrutiny. This proactive approach ensures rapid access to secure content and effectively identifies and neutralizes potential threats, safeguarding your network’s integrity in today’s risky digital landscape.

For a comprehensive report on WIRTE’s espionage and disruptive activities, read Check Point Research’s report here.

Protections:

Threat Emulation:

Harmony Endpoint:
