On October 13, 2022, HAMAS acknowledged that it had established a cyber unit dubbed the “al-Quds Electronic Army” as early as October 2014. Since its inception and over the course of several years, the group executed numerous cyber attacks against Israeli security force and army organizations. The targets disrupted included command-and-control systems of kibbutz communities in the Gaza Envelope, Israeli Defense Force (IDF) servers, and electricity providers, among others. Like many other nonstate and terrorist organizations, HAMAS saw the benefits afforded to it by the Internet and has since steadily developed online capabilities to support its propaganda, recruitment, fundraising, and offensive operational needs. Iran no doubt has played some part in this progress, having a history of providing HAMAS financial aid, weapons, and training to help its proxy efforts against Israel, though the extent with which this involves cyber is unknown. However, what is clear is that HAMAS has quickly improved its capabilities over time.

Though its capabilities are not as nearly robust as those of its Lebanese counterpart Hezbollah, HAMAS’ steady progression over this period achieved enough successes against Israel that it warranted Tel Aviv to take what it deemed as appropriate retaliatory action. In mid-May 2021, the Israel military conducted two airstrikes against edifices in the Gaza Strip that were believed to have been a launching place for HAMAS cyber operations. This was the second time Israel engaged in kinetic reprisal against HAMAS-launched cyber attacks. In 2019, Israel also conducted similar airstrikes against what the IDF identified as HAMAS’ cyber “HQ” in order to prevent a potential cyber attack before cyber unit had prepared to execute it.

What’s clear is that some time between its inception and its operationalization, HAMAS has demonstrated to a cyber proficient Israel that it is an entity that Tel Aviv needs to reckon with if not careful. Further supporting this assessment is the fact that HAMAS’ cyber activities are not limited to disruptive attacks against Israeli targets. HAMAS has invested in refining its cyber espionage capabilities, increasing its threat potential, and following states’ lead in cyber exploitation as a means to enhance intelligence collection for decision-making and operational planning. And while disruptive attacks typically garner global media attention, the more surreptitious activity that escapes public scrutiny or is not as well publicized provides a more strategic advantage for a nonstate group competing against the fiscal and material dominance of a nation state.

There are two notable groups associated with the HAMAS cyber unit that reflect separate interests operating under the larger HAMAS cyber umbrella: APT-C-23 and MOLERATS. In April 2022, a cybersecurity company observed APT-C-23 conducting cyber espionage activities targeting “high-profile” Israeli individuals that were employed in areas where their accesses to sensitive information could be exploited. These organizations included defense, law enforcement, and emergency services. Techniques employed by these actors included sophisticated social engineering and employed previously unknown backdoors for Windows and Android devices, indicating that their capabilities had matured from earlier efforts that had been marked largely as unsophisticated when the group first appeared.

In early 2020, the same cybersecurity company identified a different set of activity dubbed MOLERATS targeting various organizations in the Middle East that also employed two previously unseen backdoors at the time, which facilitated the surreptitious theft of information from compromised victims. The phishing campaign employed lures related to Middle East affairs, and primarily targeted Arabic-speaking individuals in Egypt, the Palestinian Territories, and the UAE, and non-Arabic speakers in Turkey. MOLERATS temporarily ceased operations only to emerge in 2022 with new tools and techniques, revealing that the actors likely changed tactics in response to cybersecurity vendor reporting that exposed its previous activities. This indicates that HAMAS cyber operators not only follow what’s being written about them and will adjust their activities accordingly to reduce their exposure and enhance the success of future efforts.

Additionally, HAMAS’ online operations have adopted practices of legitimate intelligence organizations, showing an understanding of the soft power tenet of online information-enabled activities. In 2018, HAMAS gained access into the Android phones of hundreds of Israeli soldiers using World Cup and dating apps, which once downloaded deployed surveillance malware. This allowed HAMAS operatives to gather sensitive information from their phones such as photographs, phone numbers, email addresses and even to remotely control the phones’ cameras and microphones. They obtained information about the Israeli military including data on its bases around the Gaza Strip. What’s more, HAMAS operatives employed security tradecraft to obfuscate their identities, as well as their intentions, using images that were altered to obstruct reverse-search capabilities. Exploiting social media has proven effective for HAMAS who has used these platforms to lure soldiers in these honeypot operations.

Unsurprisingly, like any entity looking to thrive in cyberspace, HAMAS’ steady capability evolution has coincided with a maturation of how it conducts operations, a testament to the unit’s ability to apply lessons-learned to future operations. For example, phishing attacks now incorporate social engineered emails more tailored to their targets; data encryption to obfuscate exfiltrated information; and deployment of previously unseen malware to circumvent standard signature-based defense tools like antivirus programs. This increased attention at protecting the operational security of their operations is indicative of an actor trying not to repeat the mistakes of the past. The Israeli airstrikes against cyber unit-related buildings in Gaza likely encouraged HAMAS to diversify the locations from where its units conduct operations to avoid the repercussions of physical reprisal attacks. According to one report, HAMAS set up a unit in Turkey, which was likely incorporated into its intelligence branch also located in Istanbul. The cyber component was overseen by a senior HAMAS member who acted under the direct supervision of HAMAS’ leader. The intent behind this is to avoid Israel reprisal, as Tel Aviv has pledged not to harm HAMAS operatives on Turkish sovereign territory.

Although not yet in the same category, HAMAS is positioning itself to become a force in the information space like Hezbollah. Despite receiving state funding and support, HAMAS understands that it cannot compete directly with a state of Israel’s caliber head on. However, by developing its soft power capabilities for asymmetric advantage, HAMAS can be another useful prong for Iran in the region and a source for disinformation and influence, as well as an orchestrator of disruption, when needed. HAMAS has been one of Israel’s biggest antagonists launching kinetic strikes and media campaigns against the Jewish state. The more involved it becomes in all facets of information operations, and the more it can capably integrate and execute them, the more important HAMAS will become to its largest state benefactor, particularly if its efforts can be coordinated with those of Iran and Hezbollah.

As it continues to invest time, effort, and resources into these capabilities, HAMAS will assert itself as an influence on regional audiences in direct contrast to Israel and other pro-Western voices. And while it will likely continue to execute disruptive cyber attacks, it may find an increasing role in drawing – and training – pro-hacktivist conclaves under its fold to be used in a similar capacity as the ones engaged in the Ukraine conflict against geopolitical crises involving Israel and the Arab World.

Source » oodaloop