Hamas’ online infrastructure reveals ties to Iran APT, researchers say

An application disseminated by Hamas via the private messaging app Telegram clued security investigators in to a crossover between the militant Palestinian group and cyber infrastructure linked to Iran, as well as links to a known hacker group.

According to a report from cybersecurity company Recorded Future's Insikt Group, the research team first identified the application -- whose core functionality is currently unknown -- on October 11, four days after Hamas' bloody attacks against Israel began.

The application, posted to a Telegram Channel, is designed to communicate with a domain said to act as an outlet for the Al-Qassam Brigade, the military wing of Hamas. The specific addresses used by the application were diverse, popping up in Panama, Lebanon, Ukraine and Russia, but the Insikt Group team was unable to get the app to function in sandbox testing, hypothesizing that its command-and-control servers had been taken down by DoS attacks.

A cluster of domains that shared a Google Analytics code were linked to other domains that, in turn, are associated with Hamas threat actors. Some of those domains, additionally, were linked via naming convention commonalities to an APT (advanced persistent threat) group known as TAG-63, AridViper, APT-C-23, or Desert Falcon, which the team now believes to have ties to Hamas.

"The infrastructure overlaps that were identified between the Hamas application and the cluster of domains we suspect are linked to TAG-63 tradecraft are notable," the report said. "They depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups. One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization."

Another domain linked to the Al-Qassam Brigade's website in a similar way to TAG-63, according to the report, contained naming links suggesting Iranian involvement, including subdomains using the Farsi words for "attendant" or "comrade" and "director."

"[W]e assess it is likely that the newly identified domains ... were operated by threat actors that share an organizational or ideological affiliation with the [Al-]Qassam Brigades," the report's authors wrote. "At the time of writing, Iran’s Islamic Revolutionary Guard Corps (IRGC), and specifically the Quds Force, is the only known entity from Iran that provides cyber technical assistance to Hamas and other Palestinian threat groups."

As the physical conflict between Hamas and Israel intensifies, a variety of experts have pointed out that various hacker groups have engaged in a parallel cyber war. Analysts, for example, have reported instances of DDoS attacks, website defacements, and dark web discussions promulgated by various threat actor groups, in support of one side or the other.