A hacking campaign displaying what researchers say is some of the most advanced publicly known tradecraft targeting Israel in recent years is showing signs of active development and evolution, a troubling trend that has so far blended into the noise of near-constant cyber operations targeting Israel.
There’s been no shortage of cyberattacks of varying severity targeting Israeli institutions, particularly in the wake of Hamas’ Oct. 7 attack, but the tradecraft and capabilities displayed by the so-far unattributed group are far more sophisticated, said Nicole Fishbein, a researcher with Intezer.
Dubbed “WildCard,” the group in question appears to be linked to a nearly year-long attack, which researchers at the time called “Electric Powder,” that targeted the Israel Electric Corporation, Israel’s largest electrical supplier, between April 2016 and February 2017.
In January 2022, Fishbein’s firm identified a piece of malware called “SysJoker” that impressed the researchers with the quality of its development, both in C++ and as a multi-platform toolkit, which Fishbein explained is “highly unusual for threat actors in the Middle East scene, especially the kinds of actors we normally see attacking Israel.”
The group’s techniques, tactics and procedures are “unusually mature for the Israeli threat landscape,” she said.
In an analysis published Monday and shared exclusively with CyberScoop, Intezer revealed that over the course of 2022 and 2023 WildCard deployed new malware similar to SysJoker and developed a version in the Rust programming language, which experts say can aid in efficiency, cross-platform performance and avoiding detection.
“As we discovered their new operations, we realized that they’d pushed these development capabilities even further, adopting Rust as their new programming language and re-implementing previously reported functionalities,” Fishbein said.
Fishbein added that WildCard appears to be masking its components as legitimate web development packages and that the group may be delivering these components to Israeli developers using trojanized applications spread through social engineering campaigns.
Following Hamas’s Oct. 7 attack on Israel and amid the subsequent fighting, hacking groups have targeted Israel with a variety of operations, but these have consisted mostly of distributed denial-of-service attacks, the posting of hacked data, and improvised claims of exaggerated access to water treatment facilities and other critical infrastructure from some Iranian-backed cyber groups, experts have said.
Nonetheless, senior Israeli officials have said they’re worried about cyber escalations as the conflict drags on, particularly from the Iranian-linked hacking groups.
Given its sophistication, WildCard appears to be linked to a nation state, but it remains unattributed. According to Intezer’s analysis, the group has targeted Israel for at least 8 years, meaning that its operations are not directly linked to the current round of fighting, though it continued targeting Israel after the attacks of Oct. 7.
A plethora of hacking groups, some with ties to Iran, Hezbollah or Hamas, have been active in the region for years and have been tracked by government agencies and industry experts under names such as Arid Viper, Gaza Cyber Gang (Molerats), Plaid Rain, and more. Check Point, an Israeli cybersecurity firm, said it has also been tracking the updated versions of SysJoker and said it has been “utilized by a Hamas-affiliated APT to target Israel.”
Fishbein cautioned against concluding that WildCard is a Hamas- or Hezbollah-linked operation. “The development capabilities are much better than what we’ve seen with Hamas or Hezbollah affiliated threat actors so far,” Fishbein said.
Researchers have speculated that the Electric Powder attacks to which WildCard is linked were the work of Molerats — a seasoned and effective Palestinian-aligned hacking operation — but Fishbein sees WildCard as a cut above. “What we see now with the WildCard [advanced persistent threat] is a threat actor whose malware development capabilities far exceed those clusters,” she said.
Juan Andrés Guerrero-Saade, Associate Vice President of SentinelLabs, SentinelOne’s threat research group, told CyberScoop that what’s known about WildCard suggests a distinct group with outsized capabilities.
“I don’t know of many threat actors doing multi platform C++ dev (and now Rust) in that region,” he said in an online chat. “If their connection with Electric Powder proves out then that’s huge,” he added, calling WildCard an “asymmetrical threat with a greater development capability and interest in critical infrastructure.”
During the Electric Powder campaign, which lasted from April 2016 to at least February 2017, attackers spread malware “via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites,” researchers with ClearSky wrote in March 2017. The campaign targeted the Israel Electric Company, which at the time provided roughly 75% of the country’s electrical production capacity.
Guerrero-Saade said that on the scale of threats facing Israel, “this is definitely up there. We aren’t seeing them leak what they’re getting,” he said, and noted that the Electric Powder attack was “extremely worrying.”
Fishbein said WildCard is “definitely operating at a more advanced level than the usual threat actors that focus exclusively on Israel,” and that the group, in particular, needs more attention.
“WildCard has been insistent in focusing on Israel for nearly 8 years with intrusions aimed at strategic sectors, without a clear affiliation to a nation-state, and without announcing their successes like low-end hacktivist groups would,” she added. “Their professionalism and intent make them more concerning than the average threat to Israel.”