SpiderLabs Blog

Overview of the Cyberwarfare used in Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground invasion of Gaza in order to free the hostages and take down Hamas. The conflict between the two sides quickly escalated into cyberspace, turning into an online war of attacks and disinformation involving many different hacker groups.

Figure 1. Ghost of Palestine cyber group welcomes the Hamas attack and calls on others to join under their banner.

In this blog we summarize selected cyberwarfare activity, discuss the differences and similarities in cyberwarfare tactics between the Israel-Hamas war and the Ukraine-Russia conflict, and present how other threat actors leveraged the Israel-Hamas conflict in phishing attacks.

Overview of the Cyber Groups Involved

According to SocRadar, there are 72 pro-Palestinian cyber groups, 17 pro-Israeli, and 3 acting against both sides. During its research, Trustwave SpiderLabs identified 41 more groups mentioned in different cyberattacks, mostly DDoS, related to the cyber operations against Israel, for a total of 133 groups.

Figure 2. The division of cyber groups based on their side preferences.

The majority of cyber groups, approximately 85%, appear to be pro-Palestinian. A smaller share, around 13%, seem to be affiliated with or in support of Israel. A minor portion, about 3%, appear to be acting against both sides in the conflict. This distribution reflects the diverse and complex nature of the situation in the region.

Figure 3. Geographic association of selected cyber groups participating in the online conflict.

The pro-Israeli side includes groups such as Red Evils, Israeli Cyber Defense, and SilentOne, but also Indian Cyber Force, Indian Cyber Sanatani, and UCC Team.

Figure 4. Pro-Israeli Red Evils group.

The pro-Palestinian list includes teams tied to Hamas, Hezbollah, and Iran, as well as other Islamic countries such as Algeria, Morocco, and Malaysia. It was not a major surprise to see KillNet on the list, likely due to its mutual agreements with Anonymous Sudan. Below is a Telegram post in which KillNet declares support for the Palestinian resistance alongside Anonymous Sudan.

Figure 5. Telegram post demonstrating KillNet support for Palestinian resistance.

Some underground cyber groups have chosen to stay neutral. One example is ThreatSec, which declared that it would continue attacking both sides of this conflict regardless.

Figure 6. ThreatSec statement on Telegram declaring neutrality.

The Differences and Similarities to Russia – Ukraine War

The Israel-Hamas conflict has a different background than the Russia-Ukraine war, but there are similarities. The main difference is that Russia had planned its invasion, whereas Israel was taken by surprise by the Hamas attack and was not prepared for it, particularly from a cyberwarfare perspective.

In the Ukraine-Russia war, destructive cyberattacks were often coordinated with the ground offensive. One such attack happened on February 24, 2022, the day the war started, when a cyberattack against Viasat's KA-SAT satellite network, using the AcidRain wiper malware, impacted communication lines used by the Ukrainian army, as well as several thousand customers in Ukraine and tens of thousands across Europe. In the Israel-Hamas war, however, the destructive attacks against Israel did not appear to be coordinated with the ground offensive, and although a few wiper variants were reported, we did not observe any meaningful impact resulting from their use.

Figure 7. Timeline of the attacks conducted by pro-Palestinian and pro-Israeli groups.

Similarities include the use of online propaganda, disinformation, and DDoS attacks against government and private sector websites. Disinformation and propaganda are pivotal elements of information warfare. The Hamas attack on Israel and the subsequent Israeli assault on Gaza have led to a surge in misinformation, hate speech, and violent content online.

Both factions employ similar social engineering techniques to discern the positions of combatants or gather information about attack plans. Below is an example shared by an Israeli soldier, in which an unknown profile, seemingly portraying a woman, attempts to establish contact in order to acquire intelligence.

Figure 8. Israeli soldier demonstrates interaction with a deceptive account attempting to initiate contact.

Such honey-trapping techniques rely not only on text but also on voice and video messages. The most common questions were: Where do you serve, in what territory, and when are you going to enter Gaza? We have seen this tactic successfully employed by Ukrainian supporters against the Russian army, with Russian soldiers giving away unit locations and subsequently being hit by artillery strikes.

Propaganda, Artificial Intelligence, and Fake Claims

The use of believable, AI-generated photos is contributing to the spread of misinformation and propaganda, likely marking this as the first armed conflict to widely use AI in war.

During all conflicts, the public is faced with profoundly distressing and disturbing visuals, but it is important to recognize that the use of AI-generated images can significantly erode the public's confidence in the information being disseminated.

Figure 9. An image depicting a man carrying children through rubble, shared on Facebook.

An image depicting a man carrying children through rubble has circulated widely on social media and been linked to Israel's bombing of the Gaza Strip. However, as pointed out by Media Forensic Lab Director Siwei Lyu, the image exhibits signs of artificial intelligence manipulation.

Figure 10. An analysis by Media Forensic Lab Director Siwei Lyu, highlighting signs of AI manipulation. Source: AFP

This is just one instance of numerous social media posts featuring conflict-themed images generated using AI. Below are additional examples of posts containing images with discernible artifacts.

Figure 11. Social media posts containing images that appear to be AI-generated.

The integration of AI-generated material into propaganda is not only prevalent but has transcended boundaries, especially where certain platforms allow the practice to be commercialized. Adobe's stock platform is actively used to sell AI-generated, conflict-themed images depicting the violence.

Figure 12. AI-generated images depicting the Gaza bombing, available on the Adobe Stock platform.

Conflict zones are always marked by uncertainty and misinformation, and the incorporation of AI-generated content can further muddy the waters. This technology has the potential to blur the distinction between reality and fiction, emphasizing the importance of our vigilance as consumers of the information we encounter.

Some companies have started offering technology for detecting AI-generated content. One such Israeli vendor, Eternity-IT, has offered its technology for detecting such content specifically as part of the Israel-Hamas conflict. In some cases, it detects photos that were taken from other events and times, or photos that were created using generative AI. Interestingly, according to the vendor, it uses AI to achieve that.

Fabricated Evidence of Dorad Power Plant Attack Used by Cyber Av3ngers

An example of a disinformation tactic used in this conflict is the alleged hack on the Israeli Dorad Power Plant announced on October 8, 2023, by the underground group Cyber Av3ngers. The group shared photos of the alleged hack with a logo that has the Palestinian flag colors and political messages. However, Kaspersky researchers found that the data published by Cyber Av3ngers was sourced from older leaks performed by another hacktivist group called Moses Staff. The initial disclosure by Moses Staff in June 2022 contained data from multiple Israeli companies, including files associated with the Dorad Power Plant breach.

 

Figure 13. Comparison of the image released by Cyber Av3ngers and one discovered within the Moses Staff leak. Source: Securelist

Moses Staff is an Iranian hacker group, first identified on underground forums in September 2021, as described by Check Point researchers. The group's primary goal is inflicting damage, usually achieved through the use of disk encryptors and the subsequent publication of exfiltrated data. While its primary targets are Israeli companies, Moses Staff does not limit its scope and extends its attacks to organizations in other countries.

Attacks Against IOT Devices and ICS Systems

Cybercriminals frequently target Internet of Things (IoT) devices due to their prevalence and lack of strong security measures. Individual users, but also companies, integrate IoT devices into their network environments without being aware of the hidden security risks, creating an entry point for attackers. Trustwave SpiderLabs identified compromised IoT devices such as network printers and IP cameras in Shodan located in both Israeli and Palestinian territories.

Figure 14. Compromised Palestinian devices visible in Shodan, discovered by SpiderLabs.

Figure 15. Compromised Israeli devices visible in Shodan, discovered by SpiderLabs.

Multiple underground groups made claims about the alleged compromise of network devices in Israel and Gaza. One such claim was published by the Indian Cyber Force, which claimed to have conducted a mass attack against network devices in the Gaza region; however, Trustwave was unable to confirm the compromise of the alleged 200 devices involved.

Figure 16. Indian Cyber Force claimed to have gained access to more than 200 network devices.

Attacks on Industrial Control Systems (ICS) represent a critical cybersecurity concern, posing substantial risks to critical infrastructure worldwide. ICS systems, responsible for managing and controlling industrial processes in sectors such as energy and utilities, have become attractive targets for malicious actors. The consequences of successful ICS breaches can often lead to physical damage, operational disruptions, and potentially threats to public safety.

In the middle of October 2023, the pro-Israeli Red Evils team claimed to have infiltrated the Iranian energy system and two Iranian oil supply systems. There were no official reports of power outages in Iran, but Red Evils posted a large number of files, 12 GB in total, related to the claimed breach.

Figure 17. Pro-Israeli Red Evils claims to have accessed the Iranian energy system and two Iranian oil systems.

Red Evils is a very focused and active group. During this period, it targeted many Hamas websites and businesses related to the nuclear, oil, and energy sectors of Iran. It also keeps attacking targets in various countries that support the Palestinians.

Attacks Against Water Utility Control Systems

On November 25, 2023, The Municipal Water Authority of Aliquippa, Pennsylvania, reported that one of their booster stations had been hacked by an Iranian-backed cyber group. As reported by CNBC, the station located on the outskirts of town monitors and regulates pressure for Raccoon and Potter Townships.


The compromised system was a Unitronics PLC V570, and the message left on the display indicated that the Cyber Av3ngers group was responsible for the attack.

Figure 18. Message left by Cyber Av3ngers on a compromised Unitronics PLC device. Source: CNBC news

On November 28, a message appeared on the Cyber Av3ngers Telegram channel claiming a hack into the Municipal Water Authority of Aliquippa.

Figure 19. Cyber Av3ngers Telegram channel, stating that all Israeli-made equipment would be a target for the cyber group.

An intriguing observation is that the group removed all previous publications, opting to retain only the most recent one, likely anticipating heightened interest in their activities.

Unitronics is an Israeli manufacturer of Programmable Logic Controllers (PLC), and its devices are widely used worldwide. SpiderLabs identified over 1,800 Unitronics devices exposed to the internet in Shodan.

 

Figure 20. Internet-exposed Unitronics PLC devices.

Trustwave SpiderLabs was likely able to locate in Shodan the Unitronics PLC V570 controller that was the object of the reported attacks: the PLC name indicates "Raccoon Primary PLC" and the location points to McKeesport, which is very close to the affected area. This device was observed with the Unitronics PCOM TCP port exposed. PCOM is a proprietary Unitronics protocol for remote management of the PLC (TCP port 20256). The PCOM protocol allows unauthenticated queries to PLCs that can be used to retrieve the PLC model, the hardware version, the OS build and OS version, the PLC name, and the UnitID value. This information allows an attacker to look up potential vulnerabilities and exploits.
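As an added defender-side example (not SpiderLabs tooling and not part of the original post), the following Python script flags the exposure described above from the network's own telemetry: PCOM connections reaching a PLC from outside the organization's address space. It parses Zeek-style conn.log records; the log excerpt, the internal ranges and the PLC address are constructed placeholders.

```python
"""Flag external access to the Unitronics PCOM port (TCP 20256) in Zeek-style
conn.log records. Added example for this post; nothing here is captured data."""
import ipaddress

PCOM_PORT = 20256  # Unitronics PCOM/TCP management port, as stated in the post

# Assumption: the organization's internal ranges (placeholder, adjust to your network).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek conn.log excerpt (tab-separated). 10.20.0.50 plays the PLC;
# the external sources are documentation (TEST-NET) addresses.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000001.1\tC1\t10.20.0.5\t51000\t10.20.0.50\t20256\ttcp\tSF
1700000002.2\tC2\t198.51.100.77\t44321\t10.20.0.50\t20256\ttcp\tSF
1700000003.3\tC3\t203.0.113.9\t44322\t10.20.0.50\t20256\ttcp\tS0
1700000004.4\tC4\t203.0.113.9\t44323\t10.20.0.50\t443\ttcp\tSF
"""


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse the conn.log fields used below; '#' lines are Zeek header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append({"ts": float(f[0]), "uid": f[1], "orig_h": f[2], "orig_p": int(f[3]),
                        "resp_h": f[4], "resp_p": int(f[5]), "proto": f[6], "state": f[7]})
    return records


def find_external_pcom(records):
    """Return (uid, source, plc, answered) for TCP connections to the PCOM port from
    outside the internal ranges. 'answered' is True for Zeek state SF (completed
    handshake), meaning the PLC actually responded rather than merely being probed."""
    hits = []
    for r in records:
        if r["proto"] == "tcp" and r["resp_p"] == PCOM_PORT and not is_internal(r["orig_h"]):
            hits.append((r["uid"], r["orig_h"], r["resp_h"], r["state"] == "SF"))
    return hits


if __name__ == "__main__":
    for uid, src, plc, answered in find_external_pcom(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{uid}: {src} -> {plc}:{PCOM_PORT} {'completed' if answered else 'attempt only'}")
```

The condition to fix is the exposure itself: a PLC's management port should be reachable only from the internal ranges, through a VPN or jump host. The script separates completed handshakes from bare probes so that the sources that actually reached the PLC are investigated first.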

Figure 21. Unitronics PLC V570 controller located in the affected area.

Similar attacks have been observed against exactly the same Unitronics PLC devices in Israel. On April 9, 2023, as reported by JNS news, a cyberattack shut down ten water controllers in agricultural areas. Earlier attacks against Unitronics devices in Israel took place on February 7, 2022, as reported by Firedome, when attackers targeted a postal office offering smart mailbox services in Israel.


Compromise of the Red Alert Applications Used in Israel

In Israel, Red Alert applications serve as vital tools for public safety, offering real-time warnings of potential bombings or security threats. On October 9, just two days after Hamas' attack on Israel, the hacktivist group AnonGhost compromised the Israeli alert app 'Red Alert', developed by Koby Snir, by exploiting the application's API to send threatening notifications.

Figure 22. RedAlert app showing threatening notifications to users.

The attackers also shared a Python code snippet for flooding the application chat.

Figure 23. AnonGhost exposing the API request used to flood the Red Alert application chat.

The creators of other popular alert apps "Red Alert" and "Tzofar" also seemed to be targeted with Distributed Denial of Service (DDoS) attacks as indicated by the comments left by users.

 

Figure 24. RedAlert application review page: a user reports application issues and the developers confirm a DDoS attack.

Figure 25. Tzofar application review page: users report application issues.

Data Exfiltration

SiegedSec, a hacktivist group that emerged during the conflict between Russia and Ukraine, has rapidly gained prominence under the leadership of the hacktivist known as "YourAnonWolf," as reported by SocRadar. The group's inception seems to coincide with the unfolding geopolitical events, and since its emergence SiegedSec has demonstrated a notable escalation in its capabilities. Under YourAnonWolf's guidance, the group has consistently announced a growing number of victims, including US government websites, Atlassian, the Communities of Interest (COI) Cooperation Portal (a platform for NATO members), and the Liberia Revenue Authority.

The first significant SiegedSec attack against an Israeli company during the ongoing Israel-Hamas war targeted a major Israeli Internet service provider. The group claims it hacked into the provider's systems and extracted sensitive data, and that it sent an email from the telecommunication company's portal to the company's subscribers.

Figure 26. SiegedSec leaked file, illustrating customers of an Israeli telecom provider.

Trustwave SpiderLabs examined portions of the leaked data, and the email addresses revealed were not mentioned in earlier leaks. Approximately 46,500 unique emails were identified, a figure that appears relatively low when compared to the customer base. This discrepancy suggests the possibility that the leak may have originated from one of the company's contractors, rather than the primary telecommunications service provider. The telecommunication company has not issued any official statements regarding the reported data leak.

 

Figure 27. SiegedSec group Telegram channel, November 16, 2023, claiming the hacking of several targets in Israel.

On November 16, SiegedSec posted a new statement, where it mentioned a hack into one of the largest Israeli supermarket chains, a major airline company based in Israel, and others.

 

Figure 28. SiegedSec-provided file with sample content, claiming to target an airline company.

Upon thorough investigation, our analysis reveals a complex timeline for the leaked files. While certain files date to 2016, indicating an older leak as a potential origin, we observed more recent entries ranging from 2019 to 2022.


The most recent file identified was from the first half of October 2023.

 

Figure 29. An example of a leaked file providing an update on the ongoing Israel-Hamas war.

No significant information or company secrets were revealed in the published archive. As of the latest update, the airline company and the Israeli supermarket chain have not issued any formal responses to the claims made by the cyber group. Similarly, the pro-Israeli hacker group We Red Evils OG claimed on November 29 that it broke into the computer systems of the Iranian judiciary and parliament and provided a link to the documents. Their announcement was in mixed Hebrew and Arabic. Here is the translation to English:

We broke into the computerized systems of the Iranian judiciary and parliament and were able to obtain thousands of classified documents of the decision makers on behalf of the Revolutionary Guards.

These documents will not please the Iranian citizens.

It's time for the Iranians to take to the streets and demonstrate!

We heard that soon a huge protest will break out in the streets of Iran, and the organizers will update the participants via text messages to a wide distribution.

Among our exposures you can find bills that harm the status of women in Iran, conclusive evidence of corruption across governmental sectors and more.

Some of the documents are civil matters, full disclosure coming soon, but here's a taste of the stuff in the link below.

A message to the Iranian citizens:


When we entered Iran's judicial system and some of the documents that Iranian citizens don't like to read, it's time for Iranians to go to the streets and demonstrate, we heard that soon every Iranian citizen will send a message with a date for the largest demonstration in Iran. In this case, we will also update the group.


Link to the documents:

https://easyupload.io/iz0945

The documents uploaded there were mostly procedural documents from legal and civilian discussions; nevertheless, they probably should not be publicly accessible. Here are two examples from those documents, translated to English:

Figure 30. Iranian documents claimed to be exfiltrated by We Red Evils OG.

RedLine Stealer

As reported by SentinelOne, between October 15 and 19, 2023, the Iranian group Haghjhoyan claimed to have infected 1,000 Israeli computers. The full message shared on the group's Telegram channel is as follows:

“1000 computers from Israel were infected. This is a gift from Palestinian children to Israel hac*kers and the bast*ard people of Israel.”

 

Figure 31. Screenshots from infected computers of Israeli citizens posted by Haghjhoyan. Source: SentinelOne


Screenshots posted on the Haghjhoyan Telegram channel show filenames suggesting the possible utilization of malware and social engineering lures. Additional screenshots led SentinelOne researchers to conclude the RedLine stealer was employed in conjunction with PrivateLoader.

 

SysJoker Backdoor

Recently, Check Point researchers reported a new variant of the SysJoker malware written in the Rust programming language. The file was submitted to VirusTotal on October 12, 2023. SysJoker is a multi-platform backdoor, which may have been used by a Hamas-affiliated group to target Israel, according to Check Point. Analysis of the newly discovered SysJoker variants revealed a connection to previously undisclosed samples from Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016 and 2017.

SysJoker uses a PowerShell cmdlet to obtain persistence by adding an entry to the registry Run key in the HKEY_CURRENT_USER hive. The C2 address is retrieved from OneDrive storage in XOR-encrypted form. Using OneDrive allows the attackers to easily update the C2 address; this is typical behavior across different versions of SysJoker.

The response from the C2 server is JSON-formatted data containing an array of actions for the sample to execute. One of the possible actions allows SysJoker to download, unpack, and execute a secondary payload from a ZIP archive.
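As an added hunting example (not Check Point's or SpiderLabs' code, and not part of the original post), the following Python snippet looks for the persistence and C2-retrieval traits described above: a Run value under the user hive written by PowerShell, correlated with a OneDrive lookup by the same process. The Sysmon-style events are constructed; the SID, value name and payload path are placeholders.

```python
"""Hunt for SysJoker-style persistence: an HKCU Run value set by PowerShell, optionally
correlated with a OneDrive DNS lookup by the same process. Added example; the events
below are constructed Sysmon-like records, not a real infection."""
import re

# Sysmon records per-user hives as HKU\<SID>\...; match any user's Run key.
RUN_KEY_RE = re.compile(r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ONEDRIVE_RE = re.compile(r"(^|\.)(onedrive\.live\.com|1drv\.ms)$", re.I)

# Constructed events: id 13 = RegistryEvent (value set), id 22 = DnsEvent.
SAMPLE_EVENTS = [
    {"id": 13, "pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\update.exe"},   # placeholder payload path
    {"id": 22, "pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "onedrive.live.com"},
    {"id": 13, "pid": 5200, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},            # benign installer
    {"id": 22, "pid": 6300, "image": r"C:\Windows\explorer.exe",
     "query": "onedrive.live.com"},                                # benign OneDrive use
]


def is_powershell(image):
    """True for the Windows PowerShell and PowerShell 7 host binaries."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def hunt_persistence(events):
    """Return one finding per Run-key write made by PowerShell:
    {pid, value, payload, onedrive}. 'onedrive' is True when the same pid also
    resolved a OneDrive hostname, which is how SysJoker fetches its C2 address."""
    onedrive_pids = {e["pid"] for e in events
                     if e["id"] == 22 and ONEDRIVE_RE.search(e["query"])}
    findings = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.match(e["target"]) or not is_powershell(e["image"]):
            continue
        findings.append({"pid": e["pid"],
                         "value": e["target"].rsplit("\\", 1)[-1],
                         "payload": e["details"],
                         "onedrive": e["pid"] in onedrive_pids})
    return sorted(findings, key=lambda f: not f["onedrive"])  # correlated hits first


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: Run\\{f['value']} -> {f['payload']} (OneDrive lookup: {f['onedrive']})")
```

A Run-key write by PowerShell is noisy on its own in environments that provision machines with PowerShell, so the OneDrive correlation is carried as a separate field rather than folded into the match; triage the correlated findings first and treat the rest as lower priority.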

DDoS Attacks

In the realm of modern conflicts, Distributed Denial of Service (DDoS) attacks have emerged as a potent weapon, strategically employed to cripple essential services, and render them unavailable. The ease of access to certain tools on the internet means that anyone can launch a DoS (Denial of Service) attack. More sophisticated attackers leverage the power of multiple compromised systems to inundate a target, overwhelming its infrastructure and causing disruptions.

The use of DoS and DDoS attacks is not a novel tactic. Many organizations and hosting providers have developed advanced strategies and technologies to effectively fend off such assaults. The evolving cybersecurity landscape has prompted the implementation of proactive measures, including sophisticated mitigation tools and resilient infrastructure, to safeguard against disruptions caused by these attacks.

Ganosec, an Indonesia-based group, has gained notoriety for previous DDoS attacks on India, especially during the G20 Summit in September 2023. Its expertise extends beyond simple disruptions, encompassing more sophisticated cyber operations such as defacements. One of the defacement examples linked to the G20 Summit in September, was the official site of the Indian Directorate General of Training (DGT.GOV.IN). Ganosec publicly declared its pro-Palestinian affiliations and initiated attacks on Israeli websites, including those of Poriya and Sheba Medical Centers.

 

Figure 32. Ganosec Team on Telegram claims to DDoS Sheba and Poriya Medical Centers on October 8.

As opposed to these attacks, the pro-Israeli Indian Cyber Force launched some of the first attacks against Palestinian websites, targeting the Palestine Telecommunication company, Palestine National Bank, Palestine Web Mail Government Services, and Hamas’ official website. These companies moved to Russian hosting after this attack.

 

Figure 33. Indian Cyber Force claims to have taken down the Hamas official website.

Later, India was attacked in retaliation by pro-Palestinian cyber group members. The main targets were Indian government websites, including the Delhi government and the All India Institute of Medical Sciences (AIIMS). According to Indian government officials, all attacks, the majority of which were DDoS, were successfully defended.

 

Figure 34. Indian Cyber Force statement about the latest cyberattacks on India.

Defacements

Defacement attacks against websites involve unauthorized alterations to the appearance and content of a site, typically by hackers who exploit vulnerabilities in web security. Hackers often use techniques such as SQL injection or exploiting weak passwords to gain access to a website's administrative functions, allowing them to manipulate its appearance. These attacks can range from the insertion of political or ideological messages to the replacement of content with offensive or malicious material.

Trustwave SpiderLabs identified several Israeli websites compromised by Pro-Palestinian hacking groups. All these websites are fairly minor and carry little weight in the context of this conflict.

 

Figure 35. Compromised Israeli websites visible in Google search, identified by SpiderLabs.

Malware Attacks

Web Shells

Attackers frequently deploy web shells upon successful exploitation of vulnerable web services, as a stealthy means to maintain unauthorized access and control over compromised systems. These web shells are usually in the form of malicious scripts, but also programs that provide a command-and-control interface to the attackers.

Unit 42 researchers reported a series of destructive cyberattacks commencing in January 2023 and persisting until October 2023, specifically targeting the education and technology sectors in Israel, conducted by the Iranian-backed APT group known as Agonizing Serpens (also known as Agrius, BlackShadow, Pink Sandstorm, and DEV-0022).

The attackers reportedly gained initial access to the environment by exploiting vulnerable internet-facing web servers and deploying web shells, which granted them access to the network. Following the successful theft of information, the threat actors deployed wiper malware designed not only to cover tracks but also to render the affected endpoints inoperable.

 

Figure 36. Two ASPX web shells with minor differences used by Agonizing Serpens.

This piece of code seems to function as a webpage granting attackers the ability to execute server commands via a form submission.

 

Wiper Malware

Upon successful installation of web shells, the attackers proceeded to steal sensitive data such as personally identifiable information (PII) and intellectual property. SpiderLabs researchers were able to retrieve the "sqlexctractor" tool used in these attacks. The tool is an application with broad capabilities for working with SQL databases; its main purpose is to extract all possible data from a targeted SQL database.

Figure 37. The sqlexctractor method that dumps a limited number of rows from a SQL database to a file.

This application extracts SQL Server table data. Depending on the presence of binary data, it adopts different strategies, directly writing values for non-binary data or converting binary data to Base64 format before appending it to the file. After the data theft was completed, attackers moved to the final phase and deployment of three types of data wipers on the systems. The specific wipers reported include:

 

MultiLayer Wiper: A .NET malware that enumerates files for deletion or corruption with random data, making data recovery extremely challenging and rendering the system unusable by wiping the boot sector.

 

Figure 38. MultiLayer wiper routine using a scheduled task and wevtutil to delete event logs. Source: Unit42

PartialWasher: A C++-based wiper that scans drives to wipe specified folders and their subfolders.

 

BFG Agonizer: This wiper leverages the open-source project CRYLINE-v5.0 and has the ability to corrupt boot sectors, rendering the targeted system inoperable.

Figure 39. BFG wiper routine overwriting the boot sectors. Source: Unit42

Unit 42 researchers have also identified an apparent enhancement in the group's capabilities, including efforts to bypass endpoint detection and response (EDR) and other security measures. To achieve this, Agonizing Serpens strategically rotates between various known proof-of-concept (PoC) and pen testing tools, as well as custom tools, signaling an ongoing and concerning evolution in their tactics and resources.

 

BiBi Wiper

On October 30, SecurityJoes reported on a new Linux wiper targeting Israeli organizations, dubbed BiBi. The unusual name comes from the dropped filename, "bibi-linux.out"; it is the nickname of Israeli Prime Minister Benjamin Netanyahu. One day later, ESET Research mentioned a new version of the BiBi wiper for Windows. The compilation date of the Windows executable is 2023-10-22 00:24:41 UTC. The Windows variant is covered extensively in research published on GitHub. Both BiBi wipers are linked to the cyber group BiBiGun, which is related to Hamas.

Trustwave SpiderLabs security researchers performed additional analysis of the BiBi wiper samples to confirm the validity of the published findings. Both variants operate in a similar way: files are overwritten with a random sequence of bytes based on the file size, then the filename is replaced with random characters and numbers, with "BiBi" followed by one digit in the range 0-9 added as the file extension: <random_name>.BiBi[0-9]. Both iterations of the wiper can use multiple threads; this enables the wipers to execute tasks concurrently, enhancing their efficiency and potentially accelerating the damage they inflict. The wiper runs in an infinite loop until it has overwritten all the files.

Additionally, on Windows-based systems the BiBi wiper targets files in the hardcoded directory "C:\Users" and on all available removable, RAM disk, and fixed drives except the C: drive. To further hinder recovery, BiBi executes commands that disable the recovery environment and delete shadow copies. The BiBi wiper uses a simple string obfuscation method in which the command strings are simply reversed.

  • cmd.exe /c bcdedit /set {default} recoveryenabled no
  • cmd.exe / c bcdedit / set {default} bootstatuspolicy ignoreallfailures
  • cmd.exe /c wmic shadowcopy delete
  • cmd.exe /c vssadmin delete shadows /quIet /all
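The rename pattern and the reversed command strings described above give a defender two cheap detection signals. The following is an added example written for this post, not code from Trustwave or from the BiBi samples: it flags filenames carrying the `.BiBi[0-9]` extension and, because the Windows variant stores its commands reversed, checks each printable string pulled from a sample in both orientations against the four recovery-tampering commands listed above. Whitespace and case are normalised so the spacing and casing variants quoted above still match. The sample strings and directory listing are constructed for illustration.

```python
"""Added example: heuristics for BiBi-style wiper artifacts (constructed data only)."""
import re

# Rename pattern described in the post: <random_name>.BiBi[0-9]
BIBI_EXT_RE = re.compile(r"\.BiBi[0-9]$")

# Recovery-tampering commands quoted in the post. The Windows BiBi variant
# stores such strings reversed, so a plain substring search would miss them.
RECOVERY_TAMPER_CMDS = [
    "cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "cmd.exe /c wmic shadowcopy delete",
    "cmd.exe /c vssadmin delete shadows /quiet /all",
]


def _norm(s):
    # Drop all whitespace and lowercase, so "/ c" vs "/c" or "/quIet" vs "/quiet"
    # compare equal. Only used as a lookup key, never shown to the analyst.
    return re.sub(r"\s+", "", s).lower()


_NORM_CMDS = {_norm(c): c for c in RECOVERY_TAMPER_CMDS}


def is_bibi_wiped_name(filename):
    """True if the filename matches the <random_name>.BiBi[0-9] rename pattern."""
    return BIBI_EXT_RE.search(filename) is not None


def find_reversed_commands(strings):
    """Return the recovery-tampering commands present in the given printable
    strings (e.g. `strings` output from a sample), whether stored plain or
    reversed. Results are the canonical command text, in order of discovery."""
    hits = []
    for s in strings:
        for candidate in (s, s[::-1]):  # try as-is, then de-reversed
            canonical = _NORM_CMDS.get(_norm(candidate))
            if canonical is not None:
                hits.append(canonical)
                break
    return hits


def wiped_file_ratio(filenames):
    """Fraction of names carrying the BiBi extension. A directory where most
    files match is a strong indicator that the wiper has already run."""
    if not filenames:
        return 0.0
    return sum(is_bibi_wiped_name(n) for n in filenames) / len(filenames)


# --- constructed sample data (hypothetical, not taken from real samples) ---
SAMPLE_STRINGS = [
    "kernel32.dll",
    "cmd.exe /c bcdedit /set {default} recoveryenabled no"[::-1],   # stored reversed
    "cmd.exe /c vssadmin delete shadows /quIet /all"[::-1],         # reversed, odd casing
    "cmd.exe /c wmic shadowcopy delete",                             # stored plain
    "C:\\Users",
]
SAMPLE_DIR = ["Xk29qLm7.BiBi3", "report.docx", "zZ0a1bC9.BiBi0", "notes.txt.BiBi7", "BiBi9.txt"]

if __name__ == "__main__":
    for cmd in find_reversed_commands(SAMPLE_STRINGS):
        print("recovery tampering command:", cmd)
    print("wiped file ratio:", wiped_file_ratio(SAMPLE_DIR))
```

Checking both orientations of every string is the general answer to this class of obfuscation: reversal costs the attacker nothing, but it also costs the defender only one extra comparison per string, so static signatures built on the canonical commands keep working.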

 

Figure 40. The Windows version of the BiBi wiper and the shadow copy deletion command revealed in the code.

 

The wiper's behavior resembles ransomware activity, so some attacks on Israeli facilities that present themselves as ransomware may in fact involve BiBi or similar wipers.

 

Hostage Rescue Operations and Pegasus Spyware

 As reported by Bloomberg, Israeli security services requested help from several companies, including NSO, the maker of the controversial Pegasus software, to help track hostages in the Gaza Strip. The Pegasus spyware, developed by Israeli firm NSO Group, is marketed to governments and law enforcement agencies for the purpose of infiltrating mobile phones, allowing them to record emails, phone calls, text messages, and more. In 2021, Amnesty International, Citizen Lab, and Forensic Architecture documented over 60 cases where this spyware was utilized to target government critics across various nations. Among the countries involved were Rwanda, Togo, Spain, the United Arab Emirates, Saudi Arabia, Poland, Mexico, Morocco, and India.

NSO Group and Candiru, both blacklisted by the U.S., were reportedly requested to enhance their spyware capabilities to align with the requirements specified by the country's security forces.

This information was sourced from four cybersecurity industry insiders and one Israeli government official according to Bloomberg. The Israeli Defense Forces and NSO Group have refrained from providing comments on the matter.

 

Figure 41. NSO Pegasus 2013 manual: the dashboard provides information such as the current location of 'targets' on the map.

 

Scams Leveraging the Israel – Hamas Conflict Theme

Undoubtedly, threat actors have their own motives for exploiting conflicts, including financial gain. An analysis of telemetry from Trustwave MailMarshal revealed the presence of numerous phishing emails taking advantage of the Israel-Hamas conflict. These emails exploit people's willingness to assist those affected by the war.

The screenshot below shows a scam email using an Israel bombing as a lure. It asks for a donation and uses multiple Zoho Campaign URL redirectors. The links are no longer accessible.

 

 

Figure 42. Scam email using the recent Israel bombing as a lure.

 

Other scam operators pretend to be a charity collecting funds for Gaza in the form of cryptocurrency. Trustwave SpiderLabs observed other variations impersonating the King Salman Center for Humanitarian Aid and Relief (KS/Relief).

 

 

Figure 43. Donation crypto scam. The operator pretends to be a charity collecting funds for Gaza.

 

One of the crypto donation scams impersonating Islamic Relief Worldwide caught our attention. Crypto wallets used here had transactions in 2021-2022.

 

Figure 44. Crypto donation scam impersonating Islamic Relief Worldwide.

Figure 45. Transaction history of the bitcoin wallet related to the aforementioned scam.

Figure 46. Transaction history of the Ethereum wallet related to the aforementioned scam.

 

Summary

Modern warfare no longer means solely using missiles, drones, and satellite-guided bombs. Cyberwarfare has become a necessary weapon capable of causing significant harm through cyberattacks on critical infrastructure and planting false and unverified claims on social media.

Remarkably, this conflict attracted distinct cybergroups from distant countries not directly affected by the war. While cybercrime entities based in the region focus on familiar targets, newly joined groups entered the fray directing their efforts toward disrupting social and government websites.

This multifaceted conflict not only encompasses traditional cyberwarfare but extends into the area of informational propaganda, disinformation, fake news, and the strategic use of AI-generated imagery to sway public opinions on a massive scale. The parties involved wield the power to significantly alter the perceived reality of events, blurring the lines between fact and fiction. The ongoing information warfare that we're witnessing could be considered a groundbreaking AI-driven battle due to the extensive use of AI-generated images. It's a unique and unprecedented situation where technology is at the forefront of shaping the narrative and public opinion.

As is often the case, some other cybergroups view the conflict not as an ideological battleground but rather as a means of financial gain. For these groups, it's a matter of "nothing personal, just business," as they exploit the chaos of conflict for their enrichment.

IOCs:

bibi-linux.out

23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad

 

bibi.exe

40417e937cd244b2f928150cae6fa0eff5551fdb401ea072f6ecdda67a747e17

 

Agonizing Serpens Sqlextractor

a8e63550b56178ae5198c9cc5b704a8be4c8505fea887792b6d911e488592a7c

Agonizing Serpens MultiLayer wiper

38e406b17715b1b52ed8d8e4defdb5b79a4ddea9a3381a9f2276b00449ec8835

f65880ef9fec17da4142850e5e7d40ebfc58671f5d66395809977dd5027a6a3e

Agonizing Serpens PartialWasher Wiper

ec7dc5bfadce28b8a8944fb267642c6f713e5b19a9983d7c6f011ebe0f663097

Agonizing Serpens BFG Agonizer Wiper

c52525cd7d05bddb3ee17eb1ad6b5d6670254252b28b18a1451f604dfff932a4

Agonizing Serpens Web shells

1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c

62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2

abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d

 

Agonizing Serpens NimScan

dacdb4976fd75ab2fd7bb22f1b2f9d986f5d92c29555ce2b165c020e2816a200

e43d66b7a4fa09a0714c573fbe4996770d9d85e31912480e73344124017098f9

Agonizing Serpens Mimikatz

2a6e3b6e42be2f55f7ab9db9d5790b0cc3f52bee9a1272fc4d79c7c0a3b6abda

Agonizing Serpens ProcDump

5d1660a53aaf824739d82f703ed580004980d377bdc2834f1041d512e4305d07

f4c8369e4de1f12cc5a71eb5586b38fc78a9d8db2b189b8c25ef17a572d4d6b7

Agonizing Serpens Plink

13d8d4f4fa483111e4372a6925d24e28f3be082a2ea8f44304384982bd692ec9

Agonizing Serpens GMER Driver Loader - agmt.exe

8967c83411cd96b514252df092d8d3eda3f7f2c01b3eef1394901e27465ff981

a2d8704b5073cdc059e746d2016afbaecf8546daad3dbfe4833cd3d41ab63898

Agonizing Serpens GMER Driver

18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7

Agonizing Serpens Rentdrv2 Loader - drvIX.exe

2fb88793f8571209c2fcf1be528ca1d59e7ac62e81e73ebb5a0d77b9d5a09cb8

Agonizing Serpens Rentdrv2 Driver

9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5

 

Agonizing Serpens Infrastructure

185.105.46[.]34

185.105.46[.]19

93.188.207[.]110

109.237.107[.]212

217.29.62[.]166

81.177.22[.]182

 

SysJoker

d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72

6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95

e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836

96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f

67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706

0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba

 

Appendix A.

 

Division of cyber groups by their side preference:

 

Pro-Israeli:
Anonymous Israel
Dark Cyber Warrior
Garuna Ops
Gaza parking lot crew
GlorySec
ICD-Israel Cyber Defense
Indian Cyber Force
Indian Cyber Sanatani
Indian Darknet Association
Isr@CyberH3ll
IT ARMY of Ukraine
Kerala Cyber Xtractors
RedEvils
SilentOne
Team NWH Security
Termux Israel
UCC Team

Pro-Palestinian:
177 Members
1915 Team
313_TEAM
4 Exploitation
777exploitteam
Abeercr02i
ACEH
AcehAboutHackedWorld
AllGarudaCyberSecurity
AnonGhost
AnonGhostIndonesia
AnonGhostMedia
Anonymous Algeria
Anonymous Morocco
Anonymous Russia
Anonymous Sudan
AnonymousX
Arab Anonymous Team
ASKAR DDOS
AzraelAnggelOfDeath
BandungCyberTeam
Bangladesh Civilian Force
BlackShieldCrew
ChaosSec
CsCrew
Cyb3r Drag0nz
CYBER Sederhana Team
CyberErrorSystem
CyberErrorTeam
CyberSederhanaTeam
Dark Strom Team
Dark Team
Dragon Force Malaysia
Eagle Cyber Crew
Electronic Tigers Unit
End Sodoma
Esteem Restoration Eagle
FakeSec
FredensOfSecurity
FreePalestine
GangsterCrew7
Ganosec team
Garnesia Team
GARNESIA_ID
Garuda Security
GARUDA_FROM_CYBER
Gb Anon 17
Ghost Clain Malaysia
GhostClan
Ghosts of Palestine
GhostSec
HackersFactory
Hacktivism Indonesia
Haghjoyan
Hizbullah Cyb3r Team
I.C.C
ImperialAdministrator
INDOS666Gh0sT_Sec
Infinite_Insight
Irox Team
Islamic Cyber Team
Ixp66Sec
Jakarta Error System
JakartaGhost
Jateng Cyber Team
JATIMRedStormXploit
KEP TEAM
KETAPANG_GRAY_HAT
KhalifahCyberCrew (KCC)
KillNet
KingsmenWorld
KuninganExploiter
LEGION7_HACKERS_TEAM
Lulz_Security_Agency
Moroccan Black Cyber Army
Moroccan Defenders Group
Moroccan Ghosts
Muddy Water
Muslim Cyber Army
Mysterious Team Bangladesh
NinjaForces
Pakistani Leet Hackers
Panoc team
RedSharkTeam
SevenBrother
Skynet
StarsX Team
Storm-1133
Stucx Team
SukowonoBlackHat
Sylhet Gang-SG
SynixCyberCrime
SynixCyberCrimeMY
T.Y.G Team
TabarakKhan
TANGERANGBlackHat
Team Azrael Angel of Death
Team Herox
Team R70
Team_insane_Pakistan
TeaParty
TengkorakCyberCrew (TCC)
The Cyber Watchers
The White Crew
TigerGroupCommunity
TYG Team
Union_Of_Greats
US Nexus Cyber Team
UserSec
VulzSec
WeedSec
YourAnon T13x
ZERO-XPLOITS-ID

Against both sides:
Cyber Army Of Russia
KromSec
ThreatSec
