Cyber Tradecraft Revealed: Hamas, TAG-63, and the Spoofed Domains
Researchers have identified possible signs of collaboration between Hamas, a Palestinian military organization, and one of the longstanding Arabic hacking collectives. According to a report released by the research firm Recorded Future, Hamas might have expanded its reliance on external operators and third parties to keep the news websites related to its military wing, al-Qassam, operational during conflicts with Israel.
Just a few days after Hamas’ significant offensive against Israel, Telegram channels frequented by Hamas affiliates and sympathizers announced the launch of an application associated with Al-Qassam. The application was intended to propagate Hamas’ narratives.
Maintaining websites or applications in Gaza is challenging – Israeli air raids have impaired the internet infrastructure, causing power outages. Furthermore, this region is routinely targeted by politically motivated hackers attempting to sabotage its essential services and platforms.
To circumvent this issue, Hamas would need to collaborate with entities capable of bolstering its operational infrastructure. After a substantial attack on Israel, the operators of the al-Qassam site moved its hosting among various infrastructure providers.
Analyzing this infrastructure, the researchers identified suspicious redirections of the Al-Qassam website and a recurring Google Analytics code linked to both this domain and approximately 90 others.
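As an added illustration (not code from the Recorded Future report or from this article), the sketch below shows how a recurring analytics identifier, the kind of overlap described above, can be used to group domains. The domains, page snippets and IDs are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Universal Analytics IDs look like UA-<account>-<property>;
# GA4 measurement IDs look like G-<10 alphanumerics>.
GA_ID = re.compile(r"\b(UA-\d{4,10})-\d{1,4}\b|\b(G-[A-Z0-9]{10})\b")

def extract_ga_ids(html):
    """Return the analytics identifiers embedded in a page.
    The UA property suffix is dropped so sibling properties of one
    account compare equal."""
    return {ua or g4 for ua, g4 in GA_ID.findall(html)}

def cluster_by_analytics(pages):
    """Map each analytics ID to the sorted domains embedding it, keeping
    only IDs seen on two or more domains (a single hit links nothing)."""
    seen = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            seen[ga_id].add(domain)
    return {i: sorted(d) for i, d in seen.items() if len(d) > 1}

# Constructed sample input: domain -> fetched HTML fragment.
SAMPLE_PAGES = {
    "news-site.example":
        '<script async src="https://www.googletagmanager.com/gtag/js'
        '?id=UA-11111111-1"></script>',
    "mirror-one.example":
        "<script>ga('create', 'UA-11111111-3', 'auto');</script>",
    "ngo-lookalike.example":
        "<script>gtag('config', 'G-ABCDE12345');</script>",
    "other-lookalike.example":
        "<script>gtag('config', 'G-ABCDE12345');"
        "gtag('config', 'UA-22222222-1');</script>",
    "unrelated.example":
        "<script>gtag('config', 'UA-33333333-1');</script>",
}

if __name__ == "__main__":
    for ga_id, domains in sorted(cluster_by_analytics(SAMPLE_PAGES).items()):
        print(ga_id, "->", ", ".join(domains))
```

A shared identifier is a lead rather than proof of common ownership, because a cloned page template carries the original site's analytics snippet with it; corroborate with registration and hosting data.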
The first cluster of domain names used registration methods reminiscent of the hacking group TAG-63, also known as AridViper and APT-C-23. This group, believed to be state-backed, is known for targeting Arabic-speaking individuals in the Middle East and is speculated to operate on behalf of Hamas.
The second group of domains might have affiliations with Iran. One of the pages connected to Iran purportedly impersonated the World Organization Against Torture (OMCT). The researchers, however, could not ascertain whether this site had been used for phishing or social engineering.
Iran and Hamas share deep ties, with Iran’s Revolutionary Guard being a specialized faction known for its expertise in unconventional warfare and military intelligence. It remains the sole verified Iranian body known for extending cyber support to Hamas and other Palestinian extremist organizations.
The researchers posit that while evidence of direct collaboration is scant, this report offers insights into how these factions might be mutually supportive.