Pro-Palestinian hacking group evolves tactics amid war

A long-running espionage campaign shows signs of iteration and development amid Gaza fighting, researchers say.
IDF reservists walk through an area near the Gaza border on November 13, 2023 in Southern Israel. (Alexi J. Rosenfeld/Getty Images)

A long-running pro-Palestinian cyber espionage group known for its targeted campaigns has attempted in recent months to spy on governments in the Middle East using a new tool to gain initial access to targeted systems, researchers with cybersecurity firm Proofpoint said Tuesday.

The group’s hacking activities, including highly focused phishing campaigns targeting no more than five entities in any given campaign and the deployment of a new access method, continued through the month of October, indicating that the current conflict in Gaza has not significantly disrupted the group Proofpoint tracks as TA402.

“The ongoing conflict in the Middle East does not appear to have hindered their ongoing operations, as they continue to iterate and use new and clever delivery methods to bypass detection efforts,” Joshua Miller, a senior threat researcher at Proofpoint, said in a statement.

“Using complex infection chains and drumming up new malware to attack their targets, TA402 continues to engage in extremely targeted activity with a strong focus on government entities based in the Middle East and North Africa,” Miller added.


It’s not clear who the hackers are, with whom they are affiliated or where they’re based, but researchers investigating the group in recent years have described it as particularly focused on penetrating Middle Eastern governments and gathering information about Palestinian affairs.

A June 2021 Proofpoint report noted that the group’s primary motivation is to “collect sensitive information and documents from high value targets to gather intelligence.” Based on the group’s targets, lure topics, and historic campaigns, “the activity likely supports military or Palestinian state objectives.”

Researchers have tracked the group for more than a decade as Molerats, Gaza Cybergang, Frankenstein, WIRTE and Proofpoint’s TA402 designation.

The current campaign began in July, continued through October, and relied on a compromised email address at an unnamed foreign ministry to target governmental organizations in the Middle East, Proofpoint’s researchers said.

To compromise victims, the hackers sent emails containing lures. Typically promising information related to economic issues, the emails attempted to trick victims into clicking Dropbox download links containing a file that would then drop three other files onto the targeted computer. These files gave the attacker the option to deliver additional malware, including the new initial access tool the researchers dubbed “IronWind.”


By August, the same campaign shifted its delivery method away from the Dropbox link but used the same compromised Ministry of Foreign Affairs email account. In October, the hackers modified a portion of the infection chain yet again, the researchers said, showing how the operators continued to iterate on their efforts. Later that month, the lure had been updated to reference the war in Gaza.

“TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate,” the researchers concluded. As the conflict between Israel and Hamas drags on, the researchers caution that the group could further “adjust its targeting or social engineering lures.”

Latest Podcasts