Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Hamas Tied to October Wiper Attacks Using Eset Email

'Wirte' Threat Actor Used Wiper That Checks if Victim Is Located in Israel
Hamas Tied to October Wiper Attacks Using Eset Email
Hamas fires a large number of rockets towards Israel in the city of Rafah in the southern Gaza Strip on Oct. 7, 2023. (Image: Shutterstock)

Hackers likely connected to Palestinian militants Hamas were behind wiper attacks detected in October against Israeli organizations including hospitals and municipalities.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Israeli cybersecurity firm Check Point on Tuesday attributed the attacks to a group tracked as Wirte, which overlaps with threat actors also tracked as TA40, Molerats and the Gaza Cyber Gang.

Israeli and Hamas have been locked in armed combat since the Palestinian nationalist group on Oct. 7, 2023, breached the Gaza–Israel barrier in a violent incursion. The conflict, which has spread into Lebanon, hasn't been notable for its cyber activity (see: Exploding Hezbollah Pagers Not Likely a Cybersecurity Attack).

War hasn't disrupted Wirte activity, Check Point said, writing that the group continues to launch phishing-fueled cyberespionage operations against the Palestinian Authority, Jordan, Iraq, Egypt and Saudi Arabia. It reserves disruptive attacks for Israeli targets.

One such attack involved the October phishing attacks, made using a breached email account of an Israeli reseller for Slovak cybersecurity firm Eset. The emails contained a version of the SameCoin Wiper spotted in a February wave of phishing attacks that impersonating the Israeli National Cyber Directorate.

"In addition to minor changes in the malware, the newer version introduces a unique encryption function that has only been seen in Wirte malware," Check Point wrote. The setup file for the malware checks that target computers are located inside Israel by connecting to a military web page only accessible within the country. The Windows variant drops onto victim computers a pro-Hamas propaganda video, Hamas wallpaper, a wiper component and a task spreader that attempts to copy the loader onto other machines in the same network.

Proofpoint researchers in November 2023 said SameCoin additionally shares code with a malware loader dubbed IronWind. A comparison of the encryption function in IronWind and the SameCoin wiper "suggests that the same actor developed both tools and possibly were compiled in the same environment."

Researchers first detected Write Group in 2019, writing that it has been active since 2018.


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.