An application disseminated by Hamas via the private messaging app Telegram clued security investigators in to a crossover between the militant Palestinian group and cyber infrastructure linked to Iran, as well as links to a known hacker group.\n\nAccording to a report from cybersecurity company Recorded Future\u2019s Insikt Group, the research team first identified the application \u2014 whose core functionality is currently unknown \u2014 on October 11, four days after Hamas\u2019 bloody attacks against Israel began.\n\nThe application, posted to a Telegram Channel, is designed to communicate with a domain said to act as an outlet for the Al-Qassam Brigade, the military wing of Hamas. The specific addresses used by the application were diverse, popping up in Panama, Lebanon, Ukraine and Russia, but the Insikt Group team was unable to get the app to function in sandbox testing, hypothesizing that its command-and-control servers had been taken down by DoS attacks.\n\nA cluster of domains that shared a Google Analytics code were linked to other domains that, in turn, \u00a0are associated with Hamas threat actors. Some of those domains, additionally, were linked via naming convention commonalities to an APT (advanced persistent threat) group known as TAG-63, AridViper, APT-C-23, or Desert Falcon, which the team now believes to have ties to Hamas.\n\n\u201cThe infrastructure overlaps that were identified between the Hamas application and the cluster of domains we suspect are linked to TAG-63 tradecraft are notable,\u201d the report said. \u201cThey depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups. One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.\u201d\n\nAnother domain linked to the Al-Qassam Brigade\u2019s website in a similar way to TAG-63, according to the report, contained naming links suggesting Iranian involvement, including subdomains using the Farsi words for \u201cattendant\u201d or \u201ccomrade\u201d and \u201cdirector.\u201d\n\n\u201c[W]e assess it is likely that the newly identified domains \u2026 were operated by threat actors that share an organizational or ideological affiliation with the [Al-]Qassam Brigades,\u201d the report\u2019s authors wrote. \u201cAt the time of writing, Iran's Islamic Revolutionary Guard Corps (IRGC), and specifically the Quds Force, is the only known entity from Iran that provides cyber technical assistance to Hamas and other Palestinian threat groups.\u201d\n\nAs the physical conflict between Hamas and Israel intensifies, a variety of experts have pointed out that various hacker groups have engaged in a parallel cyber war. Analysts, for example, have reported instances of DDoS attacks, website defacements, and dark web discussions promulgated by various threat actor groups, in support of one side or the other.