Hamas likely cooperates with hackers to stay online
Researchers have discovered possible signs of cooperation between the Palestinian militant organization Hamas and one of the longest-running groups of Arabic-speaking hackers.
According to a report published Thursday by researchers at Recorded Future, Hamas has allegedly turned to operators outside Gaza and “third parties” to keep a news website linked to its military wing, Al-Qassam Brigades, online during the war with Israel.
A few days after Hamas' first major attack on Israel, a Telegram channel used by Hamas members and supporters announced the launch of an app linked to Al-Qassam Brigades.
The app was released to get Hamas’ message out, the researchers said. Recorded Future News is an editorially independent unit of Recorded Future.
Running a website or an app in Gaza is tough — Israeli airstrikes damaged its internet infrastructure and caused power outages. The region is also under constant attack from politically motivated hackers who aim to disrupt its vital services and websites, the researchers said. Some providers have likely declined to host websites associated with Hamas.
Hamas is believed to be working around the issue by sharing its infrastructure with those who can help keep it running. Following the major attack on Israel, the operators of the Al-Qassam Brigades website kept it online by moving it between several different infrastructure providers.
The researchers analyzed this infrastructure and found suspicious redirects to the Al-Qassam Brigades website and identical Google Analytics code associated with the website domain and about 90 other domains.
The researchers were able to identify the alleged operators of two clusters of these domains.
The first cluster used registration techniques similar to those of a hacker group known as TAG-63, which is also tracked as AridViper and APT-C-23. It’s a state-sponsored cyber espionage group known for targeting Arabic-speaking individuals in the Middle East. The group is believed to operate on behalf of Hamas.
The second group of domains was suspected to be linked to Iran. It featured multiple subdomains with names containing references to Iran, including Farsi terms like "director" and "comrade."
One Iran-linked page was also used to impersonate the World Organization Against Torture (OMCT). The researchers couldn't confirm if this website had been used by hackers for phishing or social engineering attacks.
Iran maintains close ties with Hamas, and the Iranian Quds Force, a unit specializing in unconventional warfare and military intelligence, is the only confirmed entity from Iran known to provide cyber assistance to Hamas and other Palestinian threat groups, according to Recorded Future research.
Though there's not a lot of evidence of cooperation between the two sides, this report gives a glimpse into how these groups might help each other, according to the researchers.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.