Days after Israel and Gaza-based militant group Hamas agreed to a ceasefire in May, Arabic-speaking hackers resumed an effort to break into government networks in the Middle East, according to research published Thursday.
The hacking group, known as MoleRATs, sent target organizations a malware-laced PDF claiming to be a report on Hamas members meeting with the Syrian government, security firm Proofpoint said. The malicious code is able to access files and take screenshots on a victim’s computer in furtherance of a spying campaign.
It’s an example of how, alongside the violence that has long marked the Israel-Palestine conflict, there are often much subtler efforts by digital spies to access networks.
It’s unclear what caused the hacking group to take a two-month break starting in March, or why it resumed activity in early June. Proofpoint analysts speculated that either the Muslim holy month of Ramadan or the latest Israel-Hamas conflict, which left hundreds dead, may have played a part. But analysts couldn’t “confirm either hypothesis with high confidence.”
MoleRATs is one of the more opportunistic hacking units in the Middle East, and often seizes on headlines of regional conflict to try to dupe targets into clicking on links. After the U.S. military killed Iran’s top general in January 2020, MoleRATs sent malicious emails to targets purporting to contain news of the general’s funeral.
Proofpoint says the group appears to support “military or Palestinian state objectives.” And while Israeli firm ClearSky has linked MoleRATs to Hamas, Proofpoint said it didn’t have evidence tying MoleRATs to a specific militant group.
The latest MoleRATs spearphishing campaign uses an updated version of hacking tool first noticed in December by security firm Cybereason. Then and now, the attackers are using the popular file-sharing platform Dropbox to siphon off data from targets.
Proofpoint declined to reveal the targets of the recent MoleRATs hacking.
The Israeli government, known for its own hacking prowess, singled out Hamas’ alleged cyber capabilities during the recent fighting. The Israeli Air Force on May 19 said that it had attacked an apartment in Gaza that Hamas members used for offensive cyber capabilities.
Security analysts have exposed multiple hacking operations linked with Palestinian organizations in recent months. Facebook’s security team in April said they had taken down accounts and blocked internet domains associated with separate groups linked with Hama and the Palestinian Authority.