Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Hamas Tied to October Wiper Attacks Using Eset Email
'Wirte' Threat Actor Used Wiper That Checks if Victim Is Located in IsraelHackers likely connected to Palestinian militants Hamas were behind wiper attacks detected in October against Israeli organizations including hospitals and municipalities.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Israeli cybersecurity firm Check Point on Tuesday attributed the attacks to a group tracked as Wirte, which overlaps with threat actors also tracked as TA40, Molerats and the Gaza Cyber Gang.
Israeli and Hamas have been locked in armed combat since the Palestinian nationalist group on Oct. 7, 2023, breached the Gaza–Israel barrier in a violent incursion. The conflict, which has spread into Lebanon, hasn't been notable for its cyber activity (see: Exploding Hezbollah Pagers Not Likely a Cybersecurity Attack).
War hasn't disrupted Wirte activity, Check Point said, writing that the group continues to launch phishing-fueled cyberespionage operations against the Palestinian Authority, Jordan, Iraq, Egypt and Saudi Arabia. It reserves disruptive attacks for Israeli targets.
One such attack involved the October phishing attacks, made using a breached email account of an Israeli reseller for Slovak cybersecurity firm Eset. The emails contained a version of the SameCoin Wiper spotted in a February wave of phishing attacks that impersonating the Israeli National Cyber Directorate.
"In addition to minor changes in the malware, the newer version introduces a unique encryption function that has only been seen in Wirte malware," Check Point wrote. The setup file for the malware checks that target computers are located inside Israel by connecting to a military web page only accessible within the country. The Windows variant drops onto victim computers a pro-Hamas propaganda video, Hamas wallpaper, a wiper component and a task spreader that attempts to copy the loader onto other machines in the same network.
Proofpoint researchers in November 2023 said SameCoin additionally shares code with a malware loader dubbed IronWind. A comparison of the encryption function in IronWind and the SameCoin wiper "suggests that the same actor developed both tools and possibly were compiled in the same environment."
Researchers first detected Write Group in 2019, writing that it has been active since 2018.