a global affairs media network

www.diplomaticourier.com

Confronting Hamas as a Cyber Espionage Powerhouse

Photo by Markus Spiske on Unsplash

May 12, 2023

Recent Gallup polling found that cyberterrorism ranks among the top threats to vital U.S. interests. Hamas is a case in point, and how Hamas has evolved its cyber espionage capabilities can teach us useful, actionable lessons, writes cyber threat intelligence analyst Meagan Dashcund.

Politically motivated cyberterrorism presents an imminent challenge for global governments, businesses, and U.S. leaders. This is particularly relevant for the U.S. as cyberterrorism now ranks highest in critical threats to U.S. vital interests, according to the newest Gallup poll. Hackers play a large role in today’s activism by targeting oil companies, media corporations, and Russia all in the name of righting the world’s wrongs.

Extremist groups in the Middle East are no strangers to weaponizing these digital tools, and now the Palestinian militant Islamist group Hamas has been dubbed the “newest cyber espionage powerhouse” as it expands its cyber espionage and information capabilities. With the inherent asymmetry of the cyber domain, relatively weak actors are now able to inflict significant damage on adversaries through cyber offensives. Beyond simply organizing an attack online or distributing disinformation, groups can steal classified information from government entities directly.

The specificity of Hamas’ targeting of Israel and its allies is one reason why Hamas is a perfect case study for cyber threat analysts to understand how to tackle these rising threats, and for any internet user to understand the motivations of those using the internet nefariously. As with most emerging threats, now is the time for cybersecurity teams to implement probabilistic models to predict the next move of these threat groups. For those outside of the cybersecurity sector, understanding the power and presence of these extremist groups online will empower the public to help create a safer and more secure online environment.

Hamas’ Transition to Cyber

Hamas’ use of cyber began at least a decade ago with the intention to pivot from more costly terrorist tactics. Rather than spend on more traditional terrorist activities, such as rocket fire, knifings, and civilian kidnappings, Hamas has pivoted to tactics better suited for its information campaigns. With increased cyber capabilities, it is able to improve public perception and influence without sacrificing its reputation or risking military retaliation, infrastructure damage, or internal economic and political pressures, which commonly happen when a non-state actor engages in industrial warfare.

The appeals of using cyber capabilities are obvious: a certain degree of anonymity, global reach, and increased opportunities for a wide range of terrorist activities. But beyond creating operational efficiency, increased dedication to cyber offensive efforts allows Hamas to launch information campaigns and espionage against its adversaries through increasingly sophisticated campaigns, such as duping Israeli military, law enforcement, and emergency service personnel into downloading trojanized applications. Hamas is also able to install spyware on government officials’ phones through targeted campaigns using fitness applications and dating apps, which provide sensitive information, such as Israel Defense Forces base locations, office employee numbers, and military weaponry.

Hamas makes a case for cyber analysts’ use of behavioral analysis to predict cyberterrorist activity, as its clear goals to undermine Israel and the Palestinian Authority (PA) and challenge the Palestine Liberation Organization’s (PLO) sole representation of the Palestinian people are obvious and consistent. Because the group never deviates from these objectives, it is easy to make basic assumptions about Hamas cyber activities and identify an unattributed threat group. Is this group solely targeting Israel, the PA, or the PLO, like ViperRAT or Arid Viper? Do operations occur between Sunday and Thursday, a typical work week followed by many Middle Eastern countries? Does the threat actor avoid operations beyond Israel’s borders that could alienate Hamas benefactors, like Qatar and Turkey? If yes, then it’s probably Hamas.
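The three screening questions above can be run over campaign telemetry. The following is an added example, not part of the original article: the event list is constructed, and the country codes and the fixed UTC+2 offset are assumptions.

```python
from datetime import datetime, timedelta, timezone
from math import comb

# Constructed sample telemetry (UTC timestamp, victim country). Not real data.
EVENTS = [
    ("2023-03-05T06:10:00", "IL"), ("2023-03-05T11:40:00", "IL"),
    ("2023-03-06T07:05:00", "PS"), ("2023-03-07T09:30:00", "IL"),
    ("2023-03-08T12:15:00", "IL"), ("2023-03-09T08:45:00", "PS"),
    ("2023-03-11T22:30:00", "IL"),  # Saturday in UTC, Sunday 00:30 locally
    ("2023-03-12T10:00:00", "IL"), ("2023-03-13T13:20:00", "IL"),
    ("2023-03-14T06:50:00", "PS"), ("2023-03-15T09:10:00", "IL"),
    ("2023-03-16T14:00:00", "IL"),
]
SCOPE = {"IL", "PS"}       # assumed encoding of "Israel, the PA, or the PLO"
SUN_THU = {6, 0, 1, 2, 3}  # datetime.weekday(): Monday=0 ... Sunday=6

def local_weekday(ts_utc, offset_hours=2):
    """Weekday in the operator's assumed time zone (fixed offset, no DST)."""
    dt = datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(hours=offset_hours))).weekday()

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def profile(events, scope=SCOPE, offset_hours=2):
    days = [local_weekday(ts, offset_hours) for ts, _ in events]
    n = len(days)
    in_week = sum(d in SUN_THU for d in days)
    return {
        "events": n,
        "sun_thu_share": in_week / n,
        # Chance of seeing this many Sun-Thu events if days were uniform (5/7).
        "p_if_uniform": binom_tail(in_week, n, 5 / 7),
        # Only Sunday vs Friday separates a Sun-Thu week from a Mon-Fri one.
        "sunday": days.count(6),
        "friday": days.count(4),
        # Victims outside the expected target set argue against the profile.
        "out_of_scope": sorted({c for _, c in events if c not in scope}),
    }

if __name__ == "__main__":
    for key, value in profile(EVENTS).items():
        print(f"{key}: {value}")
```

A clean match is a screening signal only: the Sunday to Thursday work week is shared by many actors in the region, so the result narrows the candidate set rather than settling attribution.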

Goals, Objectives = Intentions

The argument for understanding the mens rea of threat actors is not new, but cybersecurity analysts often ignore the usefulness of in-depth behavioral analysis due to a lack of time or resources. So, as new threat actors relentlessly crop up and efforts to contextualize new human-operated campaigns in the heavily saturated threat market falter, it is necessary to rely more heavily on long-term analysis.

The goals and objectives of the group point to its intentions. What are the narratives that these individuals tell themselves about their history and mission? What are the grievances of the group and how do the tools at its disposal help enhance its capabilities? For Hamas, its mission to undermine Israel and the Palestinian Authority and challenge the Palestine Liberation Organization’s (PLO) standing as the “sole representative of the Palestinian people” is obvious and unwavering, which leads us to believe that its cyber attacks will be directed towards these specific organizations. The next step beyond that for cyber professionals is using probabilistic modeling and behavioral analysis before an attack even appears.

Complex but Crucial 

Only a couple of years ago, security professionals at Microsoft applied a probabilistic graphical modeling framework for threat actor tracking and prediction of human-operated ransomware groups. With data collection and statistical and threat analysis, Microsoft stopped one ransomware attack in the middle of the campaign because of the company’s model that tracked threat actors, detected activity, and examined the attack. Researchers were able to attribute the activity to a specific actor and notify the targeted organization to stop the attack. Such tools are particularly relevant for analysts when extremist groups, like Hamas, continually operate with their goals and objectives at the forefront of their campaigns.

This level of threat actor tracking is complex and time-consuming, and this argument in no way erases the importance of active cybersecurity efforts in day-to-day operations. But combining statistical expertise, threat hunting, and vetting with the tactics, techniques, and procedures of cyber groups in today’s environment is the best tool for cybersecurity professionals to combat future extremist efforts. Once this is implemented, engaging in conversations with the public about extremist groups’ online presence and activity, including recruitment, funding scams, and disinformation, will help every internet user contribute to online security.

About Meagan Dashcund:
Meagan Dashcund is the lead cyber threat intelligence analyst for the Small Business Administration.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.