Hamas-Linked Group WIRTE Expands Cyber Operations
Quick take - The Hamas-linked cyber group WIRTE has expanded its operations to target Israeli and regional entities amid the ongoing Israel-Hamas conflict, employing various cyber tools for espionage and sabotage.
Fast Facts
- WIRTE, a Hamas-linked cyber group, has expanded its operations, targeting Israeli entities and regional nations amid the ongoing Israel-Hamas conflict.
- The group is classified as a Middle Eastern advanced persistent threat (APT), has been active since at least August 2018, and was first identified by S2 Grupo.
- WIRTE employs various cyber tools, including BarbWire, IronWind, and the SameCoin Wiper, to conduct espionage and sabotage campaigns.
- In October 2024, WIRTE executed a phishing campaign against Israeli organizations, using emails from a legitimate ESET partner to deliver malware.
- The SameCoin Wiper, used in previous attacks, has been updated to include a unique encryption function and disrupts both Windows and Android devices.
Hamas-Linked Cyber Group WIRTE Expands Operations Amid Regional Conflict
A threat actor associated with Hamas, identified as WIRTE, has significantly expanded its cyber operations. The group is targeting Israeli entities and other nations in the region, including the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt. According to an analysis by Check Point, the ongoing Israel-Hamas conflict has not deterred WIRTE’s activities, as the group continues to exploit the regional turmoil for espionage purposes.
Background on WIRTE
WIRTE is classified as a Middle Eastern advanced persistent threat (APT) and has been active since at least August 2018. It was first identified by the Spanish cybersecurity firm S2 Grupo and is believed to be part of a politically motivated collective known as the Gaza Cyber Gang, which is also referred to as Molerats or TA402. The group is recognized for employing various tools in its operations, including BarbWire, IronWind, and Pierogi. Despite the complexities surrounding the geographical attribution of WIRTE’s activities, the group has demonstrated a strong affiliation with Hamas.
Recent Activities
WIRTE has continued its cyber campaigns throughout the ongoing conflict in Gaza. In 2024, the group has been observed leveraging geopolitical tensions in the Middle East, deploying deceptive RAR archive lures that deliver the Havoc post-exploitation framework. Prior to September 2024, similar RAR archives were used to deliver the IronWind downloader. Both infection chains rely on a legitimate executable to sideload a malware-laden DLL, while the victim is shown a decoy PDF document.
In October 2024, WIRTE executed a phishing campaign targeting various Israeli organizations, including hospitals and municipalities. The phishing emails were sent from a legitimate address associated with ESET’s partner in Israel and contained a new version of the SameCoin Wiper. SameCoin Wiper had previously been used in attacks against Israeli entities, and the updated version features modifications, including a unique encryption function not present in earlier versions. This latest iteration overwrites files with random bytes and alters the victim’s system background to display an image linked to the Al-Qassam Brigades, the military wing of Hamas.
Malware Distribution and Impact
SameCoin, a custom wiper identified in February 2024, has been utilized by a Hamas-affiliated actor and disrupts both Windows and Android devices. It has been distributed under the guise of a security update, with Windows loader samples having timestamps modified to coincide with the date of Hamas’s surprise offensive on Israel, which occurred on October 7, 2023. The initial access vector for the malware is believed to be an email impersonating the Israeli National Cyber Directorate (INCD). Despite the ongoing conflict, WIRTE has maintained a diverse array of cyber campaigns, showcasing a toolkit that includes wipers, backdoors, and phishing pages aimed at both espionage and sabotage.
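As an added illustration for analysts (not code from the article or from Check Point), the following Python helper reads the COFF compile timestamp from a PE file and flags the kind of manipulated value described above; the minimal PE stub, the watchlisted date, and the function names are constructed for this example.

```python
import struct
from datetime import datetime, timezone
from typing import List, Optional

# Constructed watchlist: the 7 October 2023 date the article says the
# SameCoin Windows loaders were timestomped to.
WATCHLISTED_DATES = {datetime(2023, 10, 7, tzinfo=timezone.utc).date()}


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image (raises ValueError if malformed)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def triage_timestamp(data: bytes, now: Optional[datetime] = None) -> List[str]:
    """Return triage findings about a PE's compile timestamp (empty list = nothing notable)."""
    now = now or datetime.now(timezone.utc)
    ts = pe_timestamp(data)
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc)
    findings = []
    if ts == 0:
        findings.append("zero timestamp (stripped or reproducible build)")
    if stamp > now:
        findings.append("timestamp in the future")
    if stamp.date() in WATCHLISTED_DATES:
        findings.append(f"timestamp on watchlisted date {stamp.date()}")
    return findings


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header for offline testing; not a loadable binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptHdr, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    return dos_header + b"PE\0\0" + coff_header


if __name__ == "__main__":
    sample = build_stub_pe(1696680000)  # 2023-10-07 12:00:00 UTC, constructed
    print(triage_timestamp(sample))
```

On real samples, compare the flagged compile timestamp with the file system and signing timestamps; a compile time that matches a symbolic date, sits in the future, or post-dates the first sighting is a stronger indicator than any one value alone.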