A Gaza-based threat actor has been linked to a series of cyberattacks targeting Israeli private sector energy, defense and telecommunications organizations.
Microsoft, which revealed details of the activity in its fourth annual Digital Defense Report, is pursuing the campaign under the name Storm-1133.
“We assess that this group works to promote the interests of Hamas, a Sunni militant group that is the de facto ruling authority in the Gaza Strip, as the activity attributed to it has largely affected organizations perceived as hostile to Hamas,” the company said.
Targets of the campaign included organizations in the Israeli energy and defense sectors and entities loyal to Fatah, a Palestinian nationalist and social democratic political party based in the West Bank region.
The attack chains involve a combination of social engineering and fake LinkedIn profiles that pose as Israeli human resources managers, project coordinators, and software developers to contact employees of Israeli organizations, send them phishing messages, perform reconnaissance, and deliver malware.
Microsoft said it also observed Storm-1133 attempting to infiltrate third-party organizations with public ties to Israeli targets of interest.
These intrusions are designed to deploy backdoors, along with a configuration that allows the group to dynamically update the command-and-control (C2) infrastructure hosted on Google Drive.
“This technique allows operators to stay one step ahead of certain static network-based defenses,” Redmond said.
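Because the C2 address is fetched from a legitimate cloud service rather than hard-coded, blocklisting known malicious IPs or domains does not help; what a defender can still look for is which process on the endpoint is talking to Google Drive. The following is an added example (not code from Microsoft or from the report) of that hunting heuristic run over a few constructed network-log lines: it flags any process that is neither a browser nor a known sync client yet contacts Google Drive endpoints. The log format, host names, process names and allowlists are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified endpoint network-log format
# (hypothetical): timestamp host process destination_domain
SAMPLE_LOG = """\
2023-10-05T08:00:01Z ws-17 chrome.exe drive.google.com
2023-10-05T08:03:12Z ws-17 svchost_update.exe www.googleapis.com
2023-10-05T08:15:30Z ws-17 svchost_update.exe www.googleapis.com
2023-10-05T09:01:00Z ws-22 msedge.exe docs.google.com
2023-10-05T09:02:44Z ws-22 winword.exe drive.google.com
2023-10-05T10:00:00Z ws-31 googledrivesync.exe drive.google.com
2023-10-05T10:05:00Z ws-31 sync_helper.exe drive.google.com
"""

# Domains through which Google Drive content is typically fetched (assumed list).
GOOGLE_DRIVE_DOMAINS = {"drive.google.com", "docs.google.com", "www.googleapis.com"}
# Processes expected to reach Drive in this hypothetical environment.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
KNOWN_SYNC_CLIENTS = {"googledrivesync.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_events(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, dst = m.groups()
        yield {"ts": ts, "host": host, "proc": proc.lower(), "dst": dst.lower()}


def find_unexpected_drive_clients(log_text):
    """Return {(host, process): contact_count} for processes that contacted a
    Google Drive endpoint without being a browser or an allowlisted sync client.
    The result is a triage list, not a verdict: Office applications, for
    instance, may legitimately open Drive-hosted documents."""
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        if ev["dst"] not in GOOGLE_DRIVE_DOMAINS:
            continue
        if ev["proc"] in BROWSER_PROCESSES or ev["proc"] in KNOWN_SYNC_CLIENTS:
            continue
        counts[(ev["host"], ev["proc"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (host, proc), n in sorted(find_unexpected_drive_clients(SAMPLE_LOG).items()):
        print(f"{host}: {proc} contacted Google Drive {n} time(s)")
```

The value of the check is the pairing of destination and process: the destination alone is benign almost everywhere, so a static domain blocklist would either miss it or break legitimate use. Repeated contacts from the same unfamiliar binary (as with the constructed `svchost_update.exe` above) are the entries worth pulling the binary for.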
This development comes as nation-state threats have shifted from destructive and disruptive operations to long-term espionage campaigns, with the United States, Ukraine, Israel and South Korea emerging as some of the most targeted nations in Europe, the Middle East and North Africa (MENA), and the Asia-Pacific regions.
“Iranian and North Korean state actors are demonstrating greater sophistication in their cyber operations, and in some cases are beginning to close the gap with cyber actors from nation states like Russia and China,” the tech giant said.
This evolution in tradecraft is evidenced by the recurring use of custom tools and backdoors (e.g., MischiefTut from Mint Sandstorm, aka Charming Kitten) to facilitate persistence, detection evasion, and credential theft.