Hamas-linked hackers exploit current events to spy on rival Palestinian officials, researchers say

Enticing emails come with PDF files that contain a new remote access trojan, according to Cybereason.
Gaza City at night
Gaza City at night. (Getty Images)

Hackers associated with Hamas, the Islamist militant group that rules the Gaza Strip, are combining new malware with a timeless trick in an espionage campaign against Palestinian officials, private-sector researchers said Thursday.

Like many attackers before them, they’re sending emails on enticing topics, ranging from the U.S. killing of Iranian general Qassem Soleimani to the Trump administration’s Middle East peace proposal. The messages come with malicious PDF files that contain a new remote access trojan (RAT), code that gives them a foothold onto a computer, according to Boston-based security company Cybereason.

The hackers have in recent weeks attempted to breach carefully selected targets associated with the Palestinian government in the West Bank, the researchers said. Many of the malware samples analyzed by Cybereason appear to have targeted Fatah, the ruling party in the West Bank and a longtime rival of Hamas. It is unclear how the group was using the information it gathered on Fatah, but it’s just the latest example of geopolitical rivalries taking on a cyber dimension.

“They’re really stepping up their game,” a Cybereason researcher, who declined to be named, said of the hackers. “They’re learning from past mistakes,” he added, developing some of their own tools and acquiring others in the process.


Cybereason did not point the finger directly at Hamas or its affiliates, rather the broad set of hackers known as the Gaza Cybergang that some security companies have linked with Hamas. The Cybergang consists of multiple subgroups that have overlapping tools and targets, complicating analysts’ efforts to distinguish the hacking campaigns and definitively trace them to their source.

The attackers are using new malicious code  — commonly referred to as backdoors – that allow them persistent access to their targets. The remote access trojan has Ukrainian language embedded in it, raising the possibility that the Arabic-speaking group acquired the tool on an underground forum.

The Gaza Cybergang has been exploiting current events for years to break into computer networks in Israel and the Palestinian territories, at one point even posing as a spokesperson for the Israel Defense Forces. Given how effective the tactic has been, the group has every reason to keep doing so.

In the latest activity, the hacking group uses PDF file purporting to be a report from a popular Egyptian newspaper mentioning the leader of Hamas attending Soleimani’s funeral. Once opened, the PDF eventually drops its malicious code in two different places on the victim’s operating system. The code doesn’t run unless Arabic language keyboard settings are found on the machine.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts