Gaza Cybergang

Threat Actor updated 19 hours ago (2024-11-20T17:34:15.387Z)

Download STIX

Preview STIX

Gaza Cybergang, a threat actor group affiliated with Hamas, has been active since at least 2012, targeting entities in the Middle East and North Africa. The group's activities primarily involve intelligence collection and espionage campaigns against Palestinian and Israeli victims. Researchers have identified several subgroups under the Gaza Cybergang umbrella, including Gaza Cybergang Group 1 (Molerats), Group 2 (Arid Viper, Desert Falcons, APT-C-23), and Group 3 (the group behind Operation Parliament). These groups have shown consistent activity over the years, using sophisticated malware such as Pierogi++ to enhance their capabilities and evade detection. WIRTE is believed to be another subgroup connected to Gaza Cybergang, although this association is assessed with low confidence. Despite the ongoing war in the region, WIRTE's activities continue, indicating a persistent threat landscape. Check Point Research found links between recent attacks using the Rust-based SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company, previously attributed to Gaza Cybergang. This connection suggests that the same actors may be involved, despite the significant time gap between the operations. The Gaza Cybergang's modus operandi involves the use of phishing attacks and social media engagements to circulate malicious files. At the start of the year, there were several detected cases where the group adjusted its Tactics, Techniques, and Procedures (TTPs) slightly. However, no increase in the baseline volume of activity has been observed since the start of the Gaza conflict in October. Furthermore, the group has demonstrated an ability to maintain and innovate its malware arsenal, as evidenced by the new variation of the Pierogi++ backdoor malware used in recent attacks.

Description last updated: 2024-11-15T15:55:05.580Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Molerats is a possible alias for Gaza Cybergang. Molerats, also known as the Gaza Cybergang Group1, is a threat actor group historically associated with Hamas. The group has been tracked for over a decade under various names including Frankenstein and WIRTE, among others. Molerats, along with five other groups including APT 35 and Moses Staff, are	5
Operation Electric Powder is a possible alias for Gaza Cybergang. Operation Electric Powder is a threat actor operation that was actively involved in targeted attacks against Israeli organizations between 2016-2017. This operation, as previously reported by ClearSky, has been linked to the threat actor known as Gaza Cybergang, also referred to as Molerats. The cyb	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Operation El...

Hamas

Rust

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Sysjoker Malware is associated with Gaza Cybergang. SysJoker is a sophisticated malware, short for malicious software, that has been leveraged by a Hamas-linked Advanced Persistent Threat (APT) against Israel. Unlike other malware, SysJoker is written in Rust, a programming language known for its performance and safety, which makes it more challengin	has used	4

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The WIRTE Threat Actor is associated with Gaza Cybergang. WIRTE is a threat actor that has been identified as part of several overlapping groups, including TA402, Molerats, and Frankenstein. In mid-2023, Proofpoint researchers first noticed WIRTE's activity within TA402, which targeted Middle Eastern governments using an intricate infection chain and a new	is related to	2

Source Document References

Information about the Gaza Cybergang Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	6 days ago	Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel
Checkpoint	6 days ago	Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - Check Point Research
Securelist	3 months ago	Kaspersky report on APT trends in Q2 2024
DARKReading	a year ago	Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets
DARKReading	a year ago	Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
CERT-EU	a year ago	Novel SysJoker variant leveraged by Hamas-linked threat operation
CERT-EU	a year ago	Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
DARKReading	a year ago	Hamas-Linked APT Wields New SysJoker Backdoor Against Israel
InfoSecurity-magazine	a year ago	SysJoker Malware: Hamas-Related Threat Expands With Rust Variant
Securityaffairs	a year ago	Hamas-linked APT uses Rust-based SysJoker backdoor against Israel
Checkpoint	a year ago	Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker - Check Point Research
MITRE	2 years ago	Gaza Cybergang Group1, operation SneakyPastes
MITRE	2 years ago	Public report on attacks in Middle East we attribute to WIRTE APT