
2023 Recap - Cyber Activity in the Gaza Conflict

Written by The Hivemind | Dec 11, 2023 8:08:36 PM

Executive Summary

While tension in the Gaza region has existed for years, the all-out war that ignited in October 2023 brought with it a variety of cyber activity targeting both sides of the conflict. In this report, PolySwarm provides the highlights of cyber activity associated with the Gaza conflict in 2023.

Key Takeaways

  • The Gaza conflict has created a large-scale cyber battleground.
  • The majority of the cyber activity observed surrounding the Gaza conflict appears to be perpetrated by hacktivists rather than nation-state threat actors.
  • There are an estimated 48 anti-Israel and 10 pro-Israel hacktivist groups involved in related cyber activity.
  • Samples of the Rust variant of SysJoker, a backdoor used by a Hamas-linked threat actor, are featured in the IOCs section.

Background

While tension in the Gaza region has existed for years, the all-out war that ignited in October 2023 brought with it a variety of cyber activity. It is interesting to note that the majority of the cyber activity observed surrounding the Gaza conflict appears to be perpetrated by hacktivists rather than nation-state threat actors. There are an estimated 48 anti-Israel and 10 pro-Israel hacktivist groups involved in some sort of cyber activity or influence operations activity surrounding the conflict.

General hacktivist shenanigans have included DDoS attacks, website defacements, both real and unsubstantiated claims of breaches and leaks, targeting of individuals on social media and communications apps, and doxxing.

In addition to cyberattacks, a myriad of threat actors on both sides of the conflict have allegedly been using social media and communications apps to spread disinformation, including false reports of cyber attacks and false reports of real-world events.

In this report, PolySwarm provides the highlights of cyber activity associated with the Gaza conflict in 2023. The numerous cyberattacks affecting the region prior to October 2023, thereby pre-dating the kinetic conflict, are not included in this report.

Highlights

BiBi-Linux

In October, a pro-Hamas hacktivist group was observed using BiBi-Linux to target entities in Israel. The attacks were targeted, with sabotage and data destruction as the motive. BiBi-Linux is an x64 ELF executable. While the malware fakes file encryption, reminiscent of ransomware, it does not otherwise attempt to disguise its true purpose. It does not drop a ransom note, exfiltrate files, or use reversible encryption algorithms. It also does not establish communication with a remote C2, indicating no data was exfiltrated. Espionage does not seem to be part of the threat actor’s intent. BiBi-Linux allows threat actors to target specific folders and can wipe an operating system if run with root permissions. It corrupts files by overwriting them with useless data, damaging both the data and the operating system. BiBi-Linux uses multiple threads and a queue system, increasing speed.

BiBi-Windows

A Windows variant of the BiBi wiper was also discovered. It is thought to be created by the same group responsible for the BiBi-Linux wiper. If the compile timestamps were not falsified, BiBi-Windows was compiled in October. It is capable of corrupting all files except those with .exe, .dll, and .sys extensions. It also deletes system shadow copies to prevent file recovery. BiBi-Windows runs 12 threads with eight processor cores for a fast and effective means of destruction.

ESET dubbed the responsible threat actor group BiBiGun, although few industry researchers have attempted to link the activity to a particular known threat actor. Security Joes identified TTP overlaps with Moses Staff but did not definitively attribute the activity to the group. Moses Staff is thought to have an Iran nexus.
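As an added example (not code from the PolySwarm report or from the BiBi authors), the following Python detector flags two of the BiBi-Windows behaviours described above when run over endpoint telemetry: shadow-copy deletion via the command line, and a single process overwriting many files while leaving .exe, .dll and .sys files alone. The event format, field names, threshold and sample events are assumptions constructed for the example.

```python
import os
import re
from collections import defaultdict

# Command lines that remove Volume Shadow Copies. A wiper that "deletes system
# shadow copies to prevent file recovery" typically invokes one of these, so a
# match in process-creation telemetry is a high-signal alert.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Extensions BiBi-Windows is reported to spare. A process that rewrites many
# files of every other type behaves like the wiper, not like a normal user app.
SPARED_EXTENSIONS = {".exe", ".dll", ".sys"}

def detect_shadow_copy_deletion(process_events):
    """Return the process-creation events whose command line deletes shadow copies."""
    return [ev for ev in process_events
            if any(p.search(ev.get("command_line", "")) for p in SHADOW_DELETE_PATTERNS)]

def detect_mass_overwrite(file_events, threshold=20):
    """Return {pid: distinct_files} for processes that wrote to at least
    `threshold` distinct non-executable files (exe/dll/sys writes are ignored)."""
    written = defaultdict(set)
    for ev in file_events:
        if os.path.splitext(ev["path"])[1].lower() in SPARED_EXTENSIONS:
            continue
        written[ev["pid"]].add(ev["path"].lower())
    return {pid: len(paths) for pid, paths in written.items() if len(paths) >= threshold}

# Constructed sample telemetry (not real logs): one wiper-like process (pid 4242)
# and one ordinary editor (pid 1001). Field names are assumptions.
PROCESS_EVENTS = [
    {"pid": 4242, "image": "C:\\Users\\Public\\update.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1001, "image": "C:\\Program Files\\Editor\\editor.exe",
     "command_line": "editor.exe C:\\Users\\alice\\notes.txt"},
]
FILE_EVENTS = (
    [{"pid": 4242, "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"} for i in range(25)]
    + [{"pid": 4242, "path": f"C:\\Windows\\System32\\drv{i}.sys"} for i in range(30)]
    + [{"pid": 1001, "path": "C:\\Users\\alice\\notes.txt"}]
)

def run_detections():
    """Run both detections over the sample telemetry and summarise the hits."""
    shadow_hits = detect_shadow_copy_deletion(PROCESS_EVENTS)
    return {"shadow_copy_deletion_pids": sorted(ev["pid"] for ev in shadow_hits),
            "mass_overwrite": detect_mass_overwrite(FILE_EVENTS)}

if __name__ == "__main__":
    print(run_detections())
```

The .sys writes by pid 4242 are deliberately not counted, mirroring the extensions the wiper is reported to skip, so the alert rests on the 25 document overwrites alone.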

CyberToufan

CyberToufan, an anti-Israel hacktivist group, hacked an Israeli storage company known as Signature-it, which contains state archives and data from around 40 other Israeli websites. The group leaked databases stolen from the Nature and Parks Authority and the Academic College of Tel Aviv and threatened to leak the data of an Israeli medical device company. The group stated political ideology as the motivation for the attacks.

AnonGhost

Pro-Palestine hacktivist group AnonGhost was observed using a malicious clone of the RedAlert Android app to target users in Israel. The genuine RedAlert app allows users to receive alerts about incoming airstrikes, potentially saving lives. At the time of the original reporting, over 5000 rockets had been launched into Israel since October 7th, and the app was widely used. AnonGhost reportedly used the malicious clone of RedAlert to collect sensitive user data from victim devices.

Anonymous Sudan

Anonymous Sudan claimed a DDoS attack against the genuine version of the above-mentioned RedAlert app in October. They also reportedly took down the Jerusalem Post website for a brief period of time. More recently, the group has been targeting organizations in Kenya due to the Kenyan government’s support for Israel.

Moroccan Black Cyber Army

Moroccan Black Cyber Army claimed an attack on an Israeli gaming site and purportedly stole sensitive Israeli documents.

Muslim Cyber Army

Muslim Cyber Army, a pro-Palestine hacktivist group, claimed to breach the personal data of Israeli citizens.

AslanNeferler Tim

AslanNeferler Tim, a Turkish hacktivist group, claimed to hack an Israeli weapons manufacturer and the Israeli Air Force.

Ghosts of Palestine

Ghosts of Palestine claimed to have hacked an Israeli government site and the Israeli Ministry of Education.

Malek Team

Malek Team, an Iran-linked hacktivist group, claimed to have hacked Israel's Ziv Medical Center and leaked what reportedly included the medical records of IDF soldiers.

CyberAv3ngers

CyberAv3ngers, another Iran-linked hacktivist group, has made claims of engaging in cyber activity throughout the Gaza conflict. One of their most recent claims is that they are actively targeting US facilities that are utilizing Israeli-made computer systems. The affected devices are Unitronics Vision Series programmable logic controllers, which are often used by water and wastewater systems as well as by entities in the energy, food and beverage, and healthcare verticals. CISA has confirmed that several entities have been breached.

WildCard

A Hamas-linked threat actor group has been observed using a Rust-based variant of SysJoker to target Israeli entities. SysJoker is a backdoor that was originally written in C++. It is capable of infecting Windows, macOS, and Linux systems. The newer variant uses OneDrive for dynamic C2. Industry researchers have attributed the activity to a group dubbed WildCard.


Other Activity

  • The websites of two relief groups providing aid to the region were victims of DDoS attacks by unnamed threat actors. The affected entities included United Hatzalah and Medical Aid for Palestinians. An unknown threat actor or scammer also created a website impersonating United Hatzalah in an attempt to obtain donations under false pretenses.
  • Over 100 Israeli websites have been the victim of a DDoS attack or defacement since the conflict began.
  • Multiple Israeli government and financial entities were reportedly targeted by DDoS attacks or attempted intrusions in October.
  • Two smart billboards in Israel were reportedly hacked to display pro-Hamas messages. The threat actors responsible for the hack were not named.
  • Ono Academic College near Tel Aviv was targeted by a hacktivist group claiming to be from Jordan. Employee and student records were reportedly stolen.
  • An official associated with the Israel National Cyber Directorate stated hackers affiliated with Hezbollah had hacked private security cameras in Israel in an attempt to track Israeli troop movements. The official also noted that Iranian hackers may play a role in attacks on Israeli assets.
  • Unknown threat actors reportedly targeted Mekorot, Israel’s national water company.
  • Various hacktivist groups have either made threats toward Israel and its allies or have made unsubstantiated claims of hacking Israeli entities. These groups include but are not limited to Solomon’s Ring, KillNet Palestine, Team Insane Pakistan, Electronic Quds Force, SS Cyber Team, 1915 Team, Haghjhoyan, Electronic Tigers Unit, Soldiers of Solomon, DragonForce Malaysia, X7root, Cyb3r Drag0nz Team, Irox Team, and Dark Storm Team.

Analyst Commentary

It is interesting to note that activity definitively attributed to Arid Viper, a Hamas-linked threat actor group with a long history of targeting Israeli military personnel, has not been observed in relation to the Gaza conflict. While the group has been actively engaged in other campaigns throughout 2023, none have been officially linked to the current conflict.

Our analysts assess with a low degree of confidence that Arid Viper likely conducted espionage activities in support of Hamas prior to the beginning of the kinetic conflict, an offensive that was reportedly calculated in advance. It is likely that Arid Viper is choosing either to lie low during the brunt of the conflict or to continue more stealthy operations, strategically using the noise generated by ongoing hacktivist activity as a distraction to help it remain inconspicuous.

SysJoker (Rust Variant) IOCs

SysJoker’s Rust variant is one of the most recently reported malware families used in the Gaza conflict. As such, we have chosen to feature SysJoker samples in this report.


PolySwarm has multiple samples of SysJoker.


You can use the following CLI command to search for all SysJoker samples in our portal:

$ polyswarm link list -f SysJoker
