From July to October 2023 [2] [7] [8], a pro-Palestinian cyber-espionage group tracked as TA402 [3] [4], also referred to as Molerats or Gaza Cyber Gang [5], conducted targeted cyber-espionage attacks on government entities in the Middle East and North Africa [6], including Israeli entities. The group has a history of targeting the region and has shown increasing sophistication in evading security controls [1].

Description

These campaigns used phishing emails to deliver a new initial-access downloader called IronWind. TA402 adjusted its delivery methods over the period [8], moving from Dropbox links to XLL and RAR file attachments to evade detection [8]. Each campaign targeted fewer than five organizations [8], specifically individuals and organizations linked to the Israeli government or military institutions [1]. Proofpoint researchers have tracked TA402 since 2020 and recently identified this new phishing campaign [1].

TA402 sent the emails from a compromised Ministry of Foreign Affairs account and employed several delivery methods [1], including Dropbox links and XLL and RAR file attachments [1] [2] [7] [8]. The group also used the ongoing war in Gaza as an email lure [1]. Despite the conflict in Gaza [3] [4], TA402's operations have not been significantly disrupted [7]. TA402 is believed to operate in the interests of the Palestinian Territories and overlaps with other APT groups such as Molerats or Gaza Cyber Gang [8]. For command and control, the group has avoided cloud services such as the Dropbox API in favour of attacker-controlled C2 infrastructure [1].
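The delivery methods named above (Dropbox links, XLL add-ins, RAR archives) are all visible at the mail gateway before any payload runs. The following is an added example of gateway-side triage logic, not code from the cited reports or from the actor; the message and attachment classes, the sample messages and the finding names are constructed for this illustration, while the RAR and PE file signatures are the documented magic bytes. It flags an XLL attachment by extension, a RAR archive by content regardless of its extension, a PE executable hiding behind a document extension, and a Dropbox link in the body.

```python
"""Mail-gateway triage for the TA402 delivery methods described on this page.
Added example, not the actor's tooling and not taken from any cited report.
File signatures are the documented RAR and PE magic bytes; the data classes,
finding names and sample messages are this example's own constructions."""
import re
from dataclasses import dataclass, field

PE_MAGIC = b"MZ"                      # Windows PE header; an XLL add-in is a PE DLL
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature
DROPBOX_RE = re.compile(r"https?://(?:www\.)?dropbox\.com/\S+", re.IGNORECASE)
# Extensions under which a PE header is expected; anything else with "MZ" is disguised.
EXECUTABLE_EXTS = (".exe", ".dll", ".xll", ".scr", ".cpl")


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def attachment_findings(att):
    """Return finding labels for one attachment based on name and content."""
    name = att.filename.lower()
    out = []
    if name.endswith(".xll"):
        out.append("xll-attachment")  # Excel add-in: native code runs when opened
    if att.data.startswith((RAR4_MAGIC, RAR5_MAGIC)):
        out.append("rar-archive")  # identified by content, whatever the extension says
    if att.data.startswith(PE_MAGIC) and not name.endswith(EXECUTABLE_EXTS):
        ext = name.rsplit(".", 1)[-1] if "." in name else "noext"
        out.append("pe-disguised-as-" + ext)
    return out


def triage(msg):
    """Return all findings for a message as 'label' or 'label:filename' strings."""
    findings = []
    if DROPBOX_RE.search(msg.body):
        findings.append("dropbox-link")
    for att in msg.attachments:
        findings.extend(f"{f}:{att.filename}" for f in attachment_findings(att))
    return findings


def sample_messages():
    """Constructed messages (not real samples) covering each delivery method."""
    return [
        Message("mfa@example.invalid", "Agenda", "See https://www.dropbox.com/s/abc/agenda.zip"),
        Message("mfa@example.invalid", "Agenda", "Attached.",
                [Attachment("agenda.xll", b"MZ\x90\x00" + b"\x00" * 60)]),
        Message("mfa@example.invalid", "Report", "Attached.",
                [Attachment("report.pdf", RAR4_MAGIC + b"\x00" * 60)]),
        Message("mfa@example.invalid", "Notes", "Attached.",
                [Attachment("notes.docx", b"MZ\x90\x00" + b"\x00" * 60)]),
        Message("colleague@example.invalid", "Lunch", "Noon?",
                [Attachment("menu.txt", b"soup, bread\n")]),
    ]


if __name__ == "__main__":
    for m in sample_messages():
        print(m.subject, triage(m))
```

Content-based checks matter more than the extension checks: a gateway that only blocks `.xll` by name misses the same add-in renamed or wrapped in a RAR, while the magic-byte checks catch the archive and the mislabelled executable regardless of filename.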

TA402 has recently developed a sophisticated tool called IronWind to target government agencies in the Middle East and North Africa [3]. The group has moved away from off-the-shelf tools and now relies on custom code aimed at a limited subset of government organizations [3]. It has also modified its attack chain and used geofencing to avoid detection [3]. Another group [1] [3] [4] [6], Extreme Jackal [3], whose tactics resemble those of Molerats [3], has likewise shifted towards custom malware [3]. While there is some debate about whether the two groups are the same [3], both are considered persistent and innovative threat actors [3] [4].

Conclusion

TA402's cyber-espionage attacks on government entities in the Middle East and North Africa [4] [6] [8], including Israeli entities, have had significant impacts. Despite the ongoing conflict in Gaza [3] [4], TA402's operations have not been significantly disrupted [7]. Government entities in the region need robust security measures to mitigate the risk of cyber-espionage. The development of custom tools and the use of geofencing by TA402 and similar threat actors highlight the need for continuous monitoring and for security controls that adapt as delivery methods change. The Israel-Hamas conflict may prompt threat actors like Molerats to adjust their targeting or social-engineering tactics.

References

[1] https://www.hackread.com/pro-palestinian-ta402-apt-ironwind-malware-attack/
[2] https://ciso2ciso.com/pro-palestine-apt-group-uses-novel-downloader-in-new-campaign-source-www-infosecurity-magazine-com/
[3] https://www.darkreading.com/dr-global/molerats-group-wields-custom-cyber-tool-to-steal-secrets-in-middle-east
[4] https://cyberscoop.com/gaza-hamas-israel-cyber-hacking-espionage/
[5] https://pressnewsagency.org/new-marketing-campaign-targets-center-east-governments-with-ironwind-malware/
[6] https://cybermaterial.com/ironwind-threat-in-middle-east/
[7] https://www.infosecurity-magazine.com/news/propalestine-apt-group-novel/
[8] https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government