Press Release

Hamas-linked Threat Group Expands Espionage and Destructive Operations

  • Check Point Research has been monitoring the ongoing activities of the WIRTE threat actor, which is previously linked to the Hamas-associated group Gaza Cybergang, despite the ongoing conflict in the region.
  • The conflict has not disrupted the group’s activities, and WIRTE uses lures related to recent events in the region for its espionage operations, likely targeting the Palestinian Authority, Jordan, Egypt, Iraq, and Saudi Arabia.
  • Check Point Research reveals that the group has expanded its operations beyond espionage to conduct disruptive attacks.  We present clear ties between the custom malware used by the group and SameCoin, a wiper malware targeting Israeli entities in two waves in February and October 2024.

 

Introduction

Check Point Research has been closely tracking a significant cyber campaign led by the WIRTE group, an Advanced Persistent Threat (APT) originating from the Middle East with connections to Gaza Cybergang, a cluster affiliated with Hamas. Active since at least 2018, the covert organization has gained notoriety for its politically driven cyber-espionage activities, focusing on intelligence gathering that likely ties into the complexities of regional geopolitical conflicts. The group targets entities in the Middle East, specifically the Palestinian Authority, Jordan, Egypt, Iraq, and Saudi Arabia.

While many other Hamas-associated cyber activities have halted as the war continues, WIRTE’s operations have persisted and even expanded. Recently, the group went beyond espionage and carried out at least two destructive operations against Israel.

In this blog, we will examine WIRTE’s espionage activities and their new destructive operations and association with Hamas, though also raising questions about attributing this activity specifically to actors within Gaza.

WIRTE’s Espionage Operations

As tensions in the Middle East persist, various threat actors have taken advantage of the conflict to create targeted deceptive lures in recent months. Specifically, WIRTE remains very active throughout the war, conducting regional attacks.

Check Point Research has observed multiple campaigns using malware connected to WIRTE since October 2023.

  • Several espionage campaigns that utilize malicious RAR files were identified. This led to initial stage malware that sends the attacker the victim’s Office version, operating system version, computer name, username, and a list of installed programs. It’s likely to be followed by additional malware with wider capabilities.

.

Lure PDF showing an error and having an embedded malicious link

  • In September 2024, Check Point Research discovered a new infection chain that starts with a PDF file. This file deploys Havoc, an open-source framework intended for advanced cyber operations. Once attackers gain access to compromised systems, they can maintain persistent control, enabling them to carry out various malicious activities, including data exfiltration, lateral movement, and remote access.

 

WIRTE Expands Activities to Disruptive Attacks

In October 2024, a malicious email campaign was launched from the account of a reseller of ESET, a cyber security company. The emails targeted various organizations in Israel, such as hospitals and municipalities, claiming that the user’s device was targeted by a state-backed threat actor.  The email includes a link to a URL that claims to install a threat protection program. However, this link points to a wiper, a type of malware intended to erase or corrupt data on a computer or network. Unlike other malware that may aim to steal information or hold data for ransom, wipers are specifically designed to cause destruction.

This wiper is an updated version of a previously reported Samecoin wiper. Earlier this year, it was used in a malicious campaign that impersonated the Israeli National Cyber Directorate (INCD). Samecoin is a multi-platform wiper available for Android and Windows. In each case, it disguised itself as a security update from the INCD.

In the October campaign, when clicked, the URL in the email initiates an infection chain which, at some point, directs victims to a malicious file that tries to connect to the Israel Home Front Command site to verify that the victim is Israeli, as the site can only be accessed within Israel. The malware then decrypts the following files to be executed:

  • A wallpaper mentioning Al-Qassam Brigades, the military wing of Hamas

The translated wallpaper mentions Al-Qassam Brigades, the military wing of Hamas.

  • A graphic Hamas propaganda video showing attacks from October 7th
  • wiper, which is a type of malware designed to erase or corrupt data on a computer or network
  • An Infector component that sends an attachment to other addresses in the same organization and copies the wiper files to other computers in the same network

 

Hamas Likely the Driving Force Behind the WIRTE Threat Actor

The campaign’s messaging in distruptive attacks and a consistent focus on the Palestinian Authority (PA), political rivals of Hamas, together with multiple historical links published over the years, suggests a connection between WIRTE and Hamas. The use of imagery associated with Hamas’s military wing, the Al-Qassam Brigade, could potentially indicate a false flag operation; however, such references have not been observed in attacks attributed to other groups, including Iranian factions. WIRTE’s targeting strategy aligns closely with Hamas’s interests, particularly about Palestinian issues. Furthermore, WIRTE’s historical associations with groups like the Molerats and the Gaza Cyber Gang, both of which have ties to Hamas, reinforce the likelihood of their connection to the organization.

 

A Dual Strategy of Disruption and Espionage in the Middle East

WIRTE has consistently targeted various entities across the Middle East, with indicators of their activities, such as file submissions, lures, and domain references, suggesting involvement with Lebanon, Iraq, Saudi Arabia, and Egypt. Propaganda content and themes specifically targeted Israeli audiences, along with phishing emails directed at Israeli recipients. Additionally, the Wiper is activated only if the target country is Israel or the system language is set to Hebrew.

The various techniques and payloads used against Israel, in contrast to those aimed at other Middle Eastern nations, reveal a fascinating and complex strategy. It seems there are two critical goals at play here: one focused on disruption within Israel, while the other targets espionage activities in neighboring countries. This dual approach highlights the intricate dynamics of regional conflicts and the differing priorities of those involved.

 

Enhancing Security Through Proactive Threat Analysis

In an age of evolving cyber threats, Check Point’s Threat Emulation stands guard by inspecting every file before it enters your network. Executing files in controlled virtual environments identifies unknown threats and zero-day vulnerabilities and monitors for harmful behavior like unauthorized system changes.

 

When integrated with Check Point Harmony Endpoint, this dynamic duo analyzes files in real time, allowing users to access safe versions almost instantly while the originals undergo thorough scrutiny. This proactive approach ensures rapid access to secure content and effectively identifies and neutralizes potential threats, safeguarding your network’s integrity in today’s risky digital landscape.

 

For a comprehensive report on WIRTE’s espionage and disruptive activities, read Check Point Research’s report here.

Protections:

Threat Emulation:

  • APT.Wins.Wirte.ta.A/B/C/D/E/F

Harmony End Point :

  • ransom.win.honey
  • infoastealer.win.blackguard.d