Iran and Hezbollah Hackers

Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023.

This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel.

Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report.

"Hack-and-leak and information operations remain a key component in these and related threat actors' efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence," the tech giant said.

But what's also notable about the Israel-Hamas conflict is that the cyber operations appear to be executed independently of the kinetic and battlefield actions, unlike observed in the case of the Russo-Ukrainian war.

Such cyber capabilities can be quickly deployed at a lower cost to engage with regional rivals without direct military confrontation, the company added.

One of the Iran-affiliated groups, dubbed GREATRIFT (aka UNC4453 or Plaid Rain), is said to have propagated malware via fake "missing persons" site targeting visitors seeking updates on abducted Israelis. The threat actor also utilized blood donation-themed lure documents as a distribution vector.


At least two hacktivist personas named Karma and Handala Hack have leveraged wiper malware strains such as BiBi-Windows Wiper, BiBi-Linux Wiper, ChiLLWIPE, and COOLWIPE to stage destructive attacks against Israel and delete files from Windows and Linux systems, respectively.

Another Iranian nation-state hacking group called Charming Kitten (aka APT42 or CALANQUE) targeted media and non-governmental organizations (NGOs) with a PowerShell backdoor known as POWERPUG as part of a phishing campaign observed in late October and November 2023.

POWERPUG is also the latest addition to the adversary's long list of backdoors, which comprises PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), NokNok, and BASICSTAR.

Hamas-linked groups, on the other hand, targeted Israeli software engineers with coding assignment decoys in an attempt to dupe them into downloading SysJoker malware weeks before the October 7 attacks. The campaign has been attributed to a threat actor referred to as BLACKATOM.

"The attackers [...] posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities," Google said. "Targets included software engineers in the Israeli military, as well as Israel's aerospace and defense industry."

The California-headquartered company described the tactics adopted by Hamas cyber actors as simple but effective, noting their use of social engineering to deliver remote access trojans and backdoors like MAGNIFI to target users in both Palestine and Israel, which has been linked to BLACKSTEM (aka Molerats).

Adding another dimension to these campaigns is the use of spyware targeting Android phones that are capable of harvesting sensitive information and exfiltrating the data to attacker-controlled infrastructure.

The malware strains, called MOAAZDROID and LOVELYDROID, are the handiwork of the Hamas-affiliated actor DESERTVARNISH, which is also tracked as Arid Viper, Desert Falcons, Renegade Jackal, and UNC718. Details about the spyware were previously documented by Cisco Talos in October 2023.

State-sponsored groups from Iran, such as MYSTICDOME (aka UNC1530), have also been observed targeting mobile devices in Israel with the MYTHDROID (aka AhMyth) Android remote access trojan as well as a bespoke spyware called SOLODROID for intelligence collection.

"MYSTICDOME distributed SOLODROID using Firebase projects that 302-redirected users to the Play store, where they were prompted to install the spyware," said Google, which has since taken down the apps from the digital marketplace.

Google further highlighted an Android malware called REDRUSE – a trojanized version of the legitimate Red Alert app used in Israel to warn of incoming rocket attacks – that exfiltrates contacts, messaging data, and location. It was propagated via SMS phishing messages that impersonated the police.

The ongoing war has also had an impact on Iran, with its critical infrastructure disrupted by an actor named Gonjeshke Darande (meaning Predatory Sparrow in Persian) in December 2023. The persona is believed to be linked to the Israeli Military Intelligence Directorate.

The findings come as Microsoft revealed that Iranian government-aligned actors have "launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners."

Redmond described their early-stage cyber and influence operations as reactive and opportunistic, while also corroborating with Google's assessment that the attacks became "increasingly targeted and destructive and IO campaigns grew increasingly sophisticated and inauthentic" following the outbreak of the war.


Beside ramping up and expanding their attack focus beyond Israel to encompass countries that Iran perceives as aiding Israel, including Albania, Bahrain, and the U.S., Microsoft said it observed collaboration among Iran-affiliated groups such as Pink Sandstorm (aka Agrius) and Hezbollah cyber units.

"Collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft," Clint Watts, general manager at the Microsoft Threat Analysis Center (MTAC), said.

Last week, NBC News reported that the U.S. recently launched a cyber attack against an Iranian military ship named MV Behshad that had been collecting intelligence on cargo vessels in the Red Sea and the Gulf of Aden.

An analysis from Recorded Future last month also detailed how hacking personas and front groups in Iran are managed and operated through a variety of contracting firms in Iran, which carry out intelligence gathering and information operations to "foment instability in target countries."

"While Iranian groups rushed to conduct, or simply fabricate, operations in the early days of the war, Iranian groups have slowed their recent operations allowing them more time to gain desired access or develop more elaborate influence operations," Microsoft concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.