Key Takeaways
Background
While tension in the Gaza region has existed for years, the all-out war that ignited in October 2023 brought with it a variety of cyber activity. It is interesting to note that the majority of the cyber activity observed surrounding the Gaza conflict appears to be perpetrated by hacktivists rather than nation-state threat actors. There are an estimated 48 anti-Israel and 10 pro-Israel hacktivist groups involved in some sort of cyber activity or influence operations activity surrounding the conflict.
General hacktivist shenanigans have included DDoS attacks, website defacements, both real and unsubstantiated claims of breaches and leaks, targeting of individuals on social media and communications apps, and doxxing.
In addition to cyberattacks, a myriad of threat actors on both sides of the conflict have allegedly been using social media and communications apps to spread disinformation, including false reports of cyber attacks and false reports of real-world events.
In this report, PolySwarm provides the highlights of cyber activity associated with the Gaza conflict in 2023. The numerous cyberattacks affecting the region prior to October 2023, thereby pre-dating the kinetic conflict, are not included in this report.
Highlights
BiBi-Linux
In October, a pro-Hamas hacktivist group was observed using BiBi-Linux to target entities in Israel. The attacks were targeted, with sabotage and data destruction as the motive. BiBi-Linux is an x64 ELF executable. While the malware fakes file encryption, reminiscent of ransomware, it does not otherwise attempt to disguise its true purpose. It does not drop a ransom note, exfiltrate files, or use reversible encryption algorithms. It also does not establish communication with a remote C2, indicating no data was exfiltrated. Espionage does not seem to be part of the threat actor’s intent. BiBi-Linux allows threat actors to target specific folders and can wipe an operating system if run with root permissions. It corrupts files by overwriting them with useless data, damaging both the data and the operating system. BiBi-Linux uses multiple threads and a queue system, increasing speed.
BiBi-Windows
A Windows variant of the BiBi wiper was also discovered. It is thought to have been created by the same group responsible for the BiBi-Linux wiper. Assuming the compile timestamps were not tampered with (timestomped), BiBi-Windows was compiled in October. It is capable of corrupting all files except those with .exe, .dll, and .sys extensions. It also deletes system shadow copies to prevent file recovery. BiBi-Windows runs 12 threads across eight processor cores for a fast and effective means of destruction.
ESET dubbed the responsible threat actor group BiBiGun, although few industry researchers have attempted to link the activity to a particular known threat actor. Security Joes identified TTP overlaps with Moses Staff but did not definitively attribute the activity to that group. Moses Staff is thought to be an Iran-nexus actor.
CyberToufan
CyberToufan, an anti-Israel hacktivist group, hacked an Israeli storage company known as Signature-it, which hosts state archives and data from around 40 other Israeli websites. The group leaked databases stolen from the Nature and Parks Authority and the Academic College of Tel Aviv and threatened to leak the data of an Israeli medical device company. The group stated political ideology as the motivation for the attacks.
AnonGhost
Pro-Palestine hacktivist group AnonGhost was observed using a malicious clone of the RedAlert Android app to target users in Israel. The genuine RedAlert app allows users to receive alerts about incoming airstrikes, potentially saving lives. At the time of the original reporting, over 5000 rockets had been launched into Israel since October 7th, and the app was widely used. AnonGhost reportedly used the malicious clone of RedAlert to collect sensitive user data from victim devices.
Anonymous Sudan
Anonymous Sudan claimed a DDoS attack against the genuine version of the above-mentioned RedAlert app in October. They also reportedly took down the Jerusalem Post website for a brief period of time. More recently, the group has been targeting organizations in Kenya due to the Kenyan government’s support for Israel.
Moroccan Black Cyber Army
Moroccan Black Cyber Army claimed an attack on an Israeli gaming site and purportedly stole sensitive Israeli documents.
Muslim Cyber Army
Muslim Cyber Army, a pro-Palestine hacktivist group, claimed to breach the personal data of Israeli citizens.
AslanNeferler Tim
AslanNeferler Tim, a Turkish hacktivist group, claimed to hack an Israeli weapons manufacturer and the Israeli Air Force.
Ghosts of Palestine
Ghosts of Palestine claimed to have hacked an Israeli government site and the Israeli Ministry of Education.
Malek Team
Malek Team, an Iran-linked hacktivist group, claimed to have hacked Israel's Ziv Medical Center and leaked what reportedly included the medical records of IDF soldiers.
CyberAv3ngers
CyberAv3ngers, another Iran-linked hacktivist group, has made claims of engaging in cyber activity throughout the Gaza conflict. One of their most recent claims is that they are actively targeting US facilities that are utilizing Israeli-made computer systems. The affected devices are Unitronics Vision Series programmable logic controllers, which are often used by water and wastewater systems as well as by entities in the energy, food and beverage, and healthcare verticals. CISA has confirmed that several entities have been breached.
WildCard
A Hamas-linked threat actor group has been observed using a Rust-based variant of SysJoker to target Israeli entities. SysJoker is a backdoor that was originally written in C++. It is capable of infecting Windows, macOS, and Linux systems. The newer variant uses OneDrive for dynamic C2 resolution. Industry researchers have attributed the activity to a group dubbed WildCard.
Other Activity
Analyst Commentary
It is interesting to note that activity definitively attributed to Arid Viper, a Hamas-linked threat actor group with a long history of targeting Israeli military personnel, has not been observed in relation to the Gaza conflict. While the group has been actively engaged in other campaigns throughout 2023, none have been officially linked to the current conflict.
Our analysts assess with a low degree of confidence that Arid Viper likely conducted espionage activities in support of Hamas prior to the beginning of the kinetic conflict, which was reportedly a calculated decision. It is likely that Arid Viper is choosing either to lie low during the brunt of the conflict or to continue more stealthy operations, strategically using the noise generated by ongoing hacktivist activity as a distraction to help it remain inconspicuous.
SysJoker (Rust Variant) IOCs
SysJoker’s Rust variant is one of the most recently reported malware families used in the Gaza conflict. As such, we have chosen to feature SysJoker samples in this report.
PolySwarm has multiple samples of SysJoker.
You can use the following CLI command to search for all SysJoker samples in our portal:
$ polyswarm link list -f SysJoker