An application disseminated by Hamas via the private messaging app Telegram clued security investigators in to a crossover between the militant Palestinian group and cyber infrastructure linked to Iran, as well as links to a known hacker group.
According to a report from cybersecurity company Recorded Future’s Insikt Group, the research team first identified the application — whose core functionality is currently unknown — on October 11, four days after Hamas’ bloody attacks against Israel began.
The application, posted to a Telegram Channel, is designed to communicate with a domain said to act as an outlet for the Al-Qassam Brigade, the military wing of Hamas. The specific addresses used by the application were diverse, popping up in Panama, Lebanon, Ukraine and Russia, but the Insikt Group team was unable to get the app to function in sandbox testing, hypothesizing that its command-and-control servers had been taken down by DoS attacks.
A cluster of domains that shared a Google Analytics code were linked to other domains that, in turn, are associated with Hamas threat actors. Some of those domains, additionally, were linked via naming convention commonalities to a hacking group known as TAG-63, AridViper, APT-C-23, or Desert Falcon, which the team now believes to have ties to Hamas.
“The infrastructure overlaps that were identified between the Hamas application and the cluster of domains we suspect are linked to TAG-63 tradecraft are notable,” the report said. “They depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups. One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.”
Another domain linked to the Al-Qassam Brigade’s website in a similar way to TAG-63, according to the report, contained naming links suggesting Iranian involvement, including subdomains using the Farsi words for “attendant” or “comrade” and “director.”