Hamas-linked cyber threat actors have stopped their activities following the terrorist attack in Israel on October 7th, leaving experts puzzled. According to a recently published report by Mandiant, cyber operations have become a “tool of first resort” for nations and nation-aligned groups involved in long-term conflicts. However, while this trend has been observed globally, Hamas has taken an entirely different approach by halting its cyber operations.
Kristen Dennesen, a threat intelligence analyst for Google’s Threat Analysis Group (TAG), noted that the activity of Hamas-linked cyber threat actors was consistent until just before October 7th. However, since then, there has been a significant decrease in their activities. Dennesen could not offer an explanation for this sudden shift and cessation of cyber operations.
One of the main groups behind these cyberattacks is BLACKATOM, which has been known for targeting Israel, Palestine, neighboring countries in the Middle East, the US, and Europe. BLACKATOM launched a social engineering campaign in September, targeting software engineers in the Israeli Defense Forces and Israel’s defense and aerospace industries. The campaign involved posing as employees of various companies on LinkedIn and sending fake freelance job opportunities to the targets. This activity culminated in a malicious code being downloaded onto the affected computers, which consisted of a multiplatform backdoor known as the SysJoker.
The fact that Hamas’ cyber activity did not align with the more conventional use of cyber warfare as seen in conflicts like the Russia-Ukraine war has left experts perplexed. According to Shane Huntley, senior director at Google TAG, Hamas’ approach is entirely different from Russia’s, and therefore not surprising that its use of cyber is distinct. The recent decrease in Hamas-related cyber activity has also highlighted the uncertainty surrounding the future of their cyber operations.
While there is no definitive explanation for Hamas’ decision to cease cyber operations, it is believed that its focus may have shifted towards operational security, especially given the effectiveness of the October 7th attack. The lack of recent cyber activity from Hamas may also be attributed to the significant Internet disruptions in Gaza in recent months. However, experts anticipate that Hamas will eventually resume its cyber activities, likely focusing on intelligence gathering related to intra-Palestinian affairs, Israel, the US, and other regional players in the Middle East.
In conclusion, the unexpected cessation of cyber activities by Hamas-linked threat actors has raised questions about their strategic shift and future intentions. Despite the lack of clarity surrounding this issue, one thing is certain: the cyber landscape in conflict zones continues to evolve, and organizations and experts must remain vigilant to these changing threats.