Introduction

The threat actor APT Wirte, affiliated with Hamas [1] [2] [4] [5] [8], has transitioned from espionage to conducting disruptive cyber attacks [2], primarily targeting Israeli organizations [2] [8]. Despite a general slowdown in Hamas-related cyber activity due to the ongoing conflict [8], Wirte has expanded its operations across the Middle East, including the Palestinian Authority, Jordan, Iraq, Saudi Arabia [2] [4] [5] [6] [7] [8], and Egypt [2] [4]. This escalation highlights a persistent threat to Israeli infrastructure amid rising regional tensions.

Description

A longstanding threat actor affiliated with Hamas [1] [4], known as APT Wirte [1], has shifted its focus from espionage to executing disruptive cyber attacks, primarily against Israeli organizations, while also operating across the Middle East [2], including the Palestinian Authority, Jordan, Iraq, Saudi Arabia [2] [4] [5] [6] [7] [8], and Egypt [2] [4]. Active since at least 2018 [8], Wirte has conducted politically motivated cyber-espionage and is believed to overlap with the group tracked as TA402. Despite a general slowdown in Hamas-related cyber activity due to the ongoing conflict [8], Wirte has continued and even expanded its operations [8], recently executing destructive attacks against Israel [1] [8].

Since October 2023 [2] [5] [8], multiple campaigns linked to Wirte have been observed [5], including espionage operations that use malicious RAR files to collect host information such as the victim's Office version, operating system version, computer name, username, and list of installed programs [5]. This initial-stage malware profiles the host and can pave the way for follow-on payloads with broader capabilities. More recently, the group has exploited the Gaza war as a lure for phishing attacks against government entities in the region while simultaneously carrying out multiple waves of wiper attacks in Israel [1].

In October 2024 [2] [5] [8], Wirte launched a malicious email campaign from an ESET reseller's account [8], targeting Israeli organizations such as hospitals and municipalities [8]. The emails falsely claimed that the recipients' devices were under threat from a state-backed actor and included a link to an updated variant of the SameCoin wiper malware. This evolved version is designed to erase or corrupt critical files and features unique encryption techniques; its destructive routine is gated so that it runs only against Israeli targets or systems whose language is set to Hebrew [5] [8]. The malware also replaces the victim's desktop background with the insignia of Hamas's military wing [3], the Al-Qassam Brigades [2] [3] [5] [8], underscoring how closely Wirte's operations are tailored to their targets [8]. SameCoin had already been used against Israeli entities in February 2024, with the same locale-based activation condition [5]. The group's lures draw on geopolitical tensions, including an email campaign that impersonated the Israeli National Cyber Directorate and claimed affiliation with ESET [5].

Additionally, an October 2024 campaign used emails sent from a legitimate Israeli cybersecurity partner to entice victims [2], leading to the deployment of an advanced SameCoin variant with unique encryption functions that overwrites files [2]. In its operations, Wirte has used the Havoc post-exploitation framework and the IronWind downloader [2], often hiding malware inside seemingly legitimate files and relying on DLL sideloading and decoy PDFs to evade detection [2].

This sustained activity shows that Hamas retains significant cyber capabilities despite the ongoing conflict, which complicates attributing Wirte's operations specifically to Gaza [4]. The group's activities point to a dual strategy: disruption of operations inside Israel and espionage against neighboring countries [8]. Wirte has shown resilience through a versatile arsenal of custom malware, including its connection to SameCoin [6], and targets both Windows and Android systems [2] [3]. This escalation in cyber warfare highlights a persistent threat to Israeli infrastructure amid rising regional tensions.

Conclusion

The activities of APT Wirte underscore the persistent cyber threat that Hamas poses, particularly to Israeli infrastructure. The group's ability to adapt and expand its operations despite the ongoing conflict points to a resilient and evolving threat. Mitigation should focus on the tactics described above: phishing sent from compromised or impersonated trusted partners, DLL sideloading with decoy documents, and locale-gated wiper payloads, with particular attention to sectors such as hospitals and municipalities that have already been targeted. As regional tensions continue to rise, vigilance and preparedness remain essential to countering these attacks.

References

[1] https://www.darkreading.com/threat-intelligence/hamas-hackers-spy-mideast-govts-disrupt-israel
[2] https://cybermaterial.com/wirte-targets-israel-with-cyber-attacks/
[3] https://www.vpnranks.com/news/hamas-cyber-group-wirte-unleashes-new-samecoin-wiper-on-israel/
[4] https://www.techepages.com/hamas-affiliated-wirte-employs-samecoin-wiper-in-disruptive-attacks-against-israel/
[5] https://insight.scmagazineuk.com/attack-group-linked-to-hamas-and-hits-on-israeli-targets
[6] https://sechub.in/view/2968908
[7] https://blog.netmanageit.com/hamas-affiliated-threat-actor-wirte-continues-its-middle-east-operations-and-moves-to-disruptive-activity/
[8] https://www.ncnonline.net/hamas-linked-threat-group-expands-espionage-and-destructive-operations-check-point/