Hamas Linked to October Wiper Attacks via Eset Email


‘Wirte’ Threat Actor Employs Wiper Malware Targeting Victims in Israel


Recent investigations indicate that cyberattacks perpetrated by hackers potentially affiliated with the Palestinian organization Hamas targeted various Israeli entities, including health facilities and municipal offices, throughout October 2023. According to Israeli cybersecurity firm Check Point, these wiper attacks have been linked to a group identified as Wirte, which has associations with other recognized threat actors such as TA40, the Molerats, and the Gaza Cyber Gang.

Contrary to expectations, the escalation of hostilities between Israel and Hamas following the October 7 breach of the Gaza-Israel border has yet to lead to a significant increase in cyber operations during this conflict. Observed cyber activity has predominantly involved phishing, particularly in operations aimed at Israeli targets, while operations against other nations in the region remain more focused on espionage.

In one attack, hackers utilized a compromised email account from an Israeli distributor for Eset, a Slovak cybersecurity firm, to launch phishing campaigns. These emails deployed a variant of the SameCoin wiper malware, which had previously been identified in a phishing campaign impersonating the Israeli National Cyber Directorate earlier this year. The malware’s installation process verifies that its target is inside Israel by checking access to a military webpage exclusive to the country.

Check Point noted that the updated version of the SameCoin malware introduces a unique encryption feature that distinguishes it within the Wirte malware set. The wiper not only deletes data but also propagates itself across local networks, deploying a pro-Hamas propaganda video and changing victim machine backgrounds to Hamas-themed imagery.

The attackers have exhibited a clear understanding of the MITRE ATT&CK framework, likely employing techniques such as initial access through phishing, persistence via malicious payloads, and multiple methods of privilege escalation during their operations. Proofpoint researchers observed in late 2023 that code similarities between SameCoin and another malware loader, IronWind, suggest both tools may have been crafted by the same threat actors.

Researchers originally identified the Wirte group in 2019, noting its activity dating back to 2018. The group’s ongoing engagement in disruptive attacks only against Israeli targets underscores a strategic focus aimed at undermining the adversary while maintaining operational cover against regional entities.
