Palestinian Hackers Are Getting Smarter. When Will They Enter the War With Israel? - The Messenger

While outside hacktivists have grabbed the spotlight, homegrown Palestinian cyber operatives represent a more serious threat


The Israel-Hamas war hasn’t slowed down a group of hackers with ties to the Palestinian territories who are continuing to spy on their usual targets, like government agencies throughout the Middle East. In fact, the group has recently shown that it has gotten savvier about hiding its malicious activity.

“This threat actor has consistently engaged in extremely targeted activity, pursuing less than five organizations with any single campaign,” researchers at the security firm Proofpoint said in a report published on Tuesday. “They have also maintained a strong focus on government entities based in the Middle East and North Africa.”

The hacking unit — which various researchers track with names like “Gaza Cybergang,” “Frankenstein” and “Molerats” but which Proofpoint simply calls TA402 — “operates in support of Palestinian espionage objectives with a focus on intelligence collection,” according to the new report. The group has continued to send phishing emails since the Oct. 7 start of the new Israel-Hamas war, Proofpoint said, “indicating the conflict has not significantly disrupted the group’s operations.”

Israel’s retaliation against Hamas for the militant group’s terrorist attack has prompted a surge in activity by pro-Palestinian hackers, although the results have mostly been minor and temporary. When it comes to sophisticated hacker groups that could actually unleash destructive attacks on Israel, cybersecurity experts have mostly focused on Iran, which has a history of using digital attacks in its mission to destabilize the region. But Proofpoint’s new report serves as a reminder that Palestinian hackers themselves could also play an important role in the digital frontlines of the Gaza conflict.

Projectiles land as a flare fired by Israeli forces falls at a position near Israel's southern border in the northern Gaza Strip on Nov. 12. Fadel Senna/AFP via Getty Images

Security researchers generally don’t consider Palestinian hackers as advanced as their Russian and Chinese counterparts, but TA402’s recent activities suggest a new level of sophistication. The group has changed how it distributes its malware to make it harder to spot and shut down, according to Proofpoint.

In July, Proofpoint saw the hackers use a compromised email account belonging to an unidentified foreign ministry to send a phishing email that referenced economic cooperation between Arab states to distribute a link to a malicious PowerPoint file hosted on Dropbox. In August, the hackers, who were still using the same foreign-ministry email address, began embedding their malware in Excel files attached directly to their phishing emails — perhaps realizing that relying on Dropbox to share links could hamper their operations if the company discovered and blocked them. Then in October, the hackers changed tactics yet again, switching from an Excel file to a RAR file, which archives and compresses data.

In addition, the hackers mostly stopped using cloud services as middlemen for sending instructions to hacked computers, relying instead on command-and-control servers that they directly operated — reducing their dependence on popular commercial platforms that could quickly freeze them out. And in a continuation of a strategy that the group has employed since 2020, it blocks computers based outside of its target region from accessing the links to its malware, hoping to prevent Western security researchers from downloading and studying it. This “geofencing” technique redirects unwanted computers to “decoy documents” hosted on popular file-sharing sites, Proofpoint researchers wrote.

So far, the Palestinian hackers haven’t shifted their attention to focus on Israeli targets, although they have referenced the new war in Gaza in their phishing messages. But with the war continuing to escalate, researchers said the group “could find itself under direction to adjust its targeting” in response to the conflict.

If that happens, Proofpoint said, the Israeli government and its Western allies should be on alert: The group represents a more serious threat than the hacktivists who have occasionally been taking down websites — a “persistent and innovative threat,” as the researchers put it.
