Gaza Cybergang

Threat Actor updated 2 months ago (2024-08-13T15:17:40.123Z)
The Gaza Cybergang is a threat actor that has been active since at least 2012, primarily targeting the Middle East and North Africa. The group is known for its intelligence collection and espionage campaigns against Palestinian and Israeli victims. It consists of three main subgroups: Group 1 (Molerats), Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Group 3 (the group behind Operation Parliament).

The gang uses a diverse set of tools, including interpreted language malware such as VBS and PowerShell scripts, which adds flexibility to update their toolset and avoid static detection controls. In addition, they have recently shown a commitment to enhancing their capabilities and evading detection by innovating their malware, as evidenced by the development of Pierogi++.

Over the years, Gaza Cybergang's activities have created some confusion within the cybersecurity community due to the separation of roles and campaigns. There are suspicions, albeit with low confidence, that the WIRTE group is related to or even a subgroup under the Gaza Cybergang umbrella.

At the start of this year, several cases involving Gaza Cybergang were detected in which the threat actor slightly adjusted its Tactics, Techniques, and Procedures (TTPs). Despite these adjustments, there have been no observed significant changes in dynamics since the start of the Israel-Hamas war.

In recent developments, an Advanced Persistent Threat (APT) group believed to be Gaza Cybergang (aka Molerats) has attacked Israeli targets using a Rust-based version of SysJoker, a multi-platform backdoor first discovered in 2021. Links have also been found between these latest attacks and the 2016-2017 Electric Powder Operation against the Israel Electric Company, attributed to Gaza Cybergang. This connection, despite the significant time gap between the operations, suggests a continued threat from the group. However, it's worth noting that the group hasn't increased its baseline volume of activity since the start of the Gaza conflict in October.
Description last updated: 2024-08-13T15:17:28.757Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Molerats is a possible alias for Gaza Cybergang. Molerats, also known as Gaza Cybergang Group1, is a threat actor linked to Hamas that has been active for over a decade. This low-budget group has been tracked by researchers under various names including Molerats, Gaza Cybergang, Frankenstein, WIRTE, and Proofpoint’s TA402 designation. Among 16 Adv | 5
Operation Electric Powder is a possible alias for Gaza Cybergang. Operation Electric Powder is a threat actor operation that was actively involved in targeted attacks against Israeli organizations between 2016-2017. This operation, as previously reported by ClearSky, has been linked to the threat actor known as Gaza Cybergang, also referred to as Molerats. The cyb | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rust
Operation El...
Associated Malware
Alias Description | Association Type | Votes
The Sysjoker Malware is associated with Gaza Cybergang. SysJoker is a malicious software (malware) that has been used in cyber attacks targeting Israeli systems. This malware, developed in the Rust programming language, is capable of exploiting and damaging computer systems without the user's knowledge. It can infiltrate these systems via suspicious down | has used | 4