A cybersecurity firm has revealed that a pro-Palestinian hacking group known for its highly targeted campaigns has been using a new tool to gain access to government systems in the Middle East. The group, identified as TA402, has continued its hacking activities despite the ongoing conflict in the region.
According to researchers at cybersecurity firm Proofpoint, TA402 has been conducting highly focused phishing campaigns targeting no more than five entities in any given campaign. The group has also deployed a new access method to gain entry into targeted systems, showing a high level of sophistication in its tactics.
The ongoing conflict in the Middle East has not hindered TA402’s operations, as they have continued to develop new and clever delivery methods to bypass detection efforts. The group has been using complex infection chains and developing new malware to attack their targets, with a strong focus on government entities based in the Middle East and North Africa.
While the identity and affiliations of the hackers remain unclear, researchers have described the group as particularly focused on penetrating Middle Eastern governments and gathering information about Palestinian affairs. Their primary motivation is to collect sensitive information and documents from high-value targets to gather intelligence, likely in support of military or Palestinian state objectives.
TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, has been tracked by researchers for more than a decade. The group’s latest campaign, which began in July and continued through October, relied on a compromised email address at an unnamed foreign ministry to target governmental organizations in the Middle East.
The hackers used email lures promising information related to economic issues to trick victims into clicking Dropbox download links. The downloaded file, once opened, dropped three further files onto the targeted computer. These files gave the attacker the option to deliver additional malware, including the new initial access tool the researchers dubbed “IronWind.”
As the conflict between Israel and Hamas continues, the researchers caution that TA402 could further adjust its targeting or social engineering lures. The group remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate.
The fact that TA402 was able to adapt its tactics amid the ongoing conflict in Gaza shows the group’s resilience and determination to continue its operations despite the challenging geopolitical situation. With the potential for further adjustments to its targeting and lures, cybersecurity experts will need to remain vigilant in monitoring and responding to the group’s activities to prevent further breaches and data theft.