Researchers have uncovered a cluster of Palestinian hackers using an Android app that appears to use infrastructure with links to the Iranian Quds Force.
The app was shared on a Telegram channel used by Izz ad-Din al-Qassam Brigades, Hamas’ main military organisation, also simply known as the Al-Qassam Brigades.
Since the app was designed to communicate with and serve information from the Al-Qassam Brigades’ website, researchers at Recorded Future’s Insikt Group were able to map out some of the infrastructure the app calls upon.
Part of that infrastructure – which uses a range of domain names, probably to remain operational in the face of active cyber operations aimed at taking the app down – appears to belong to a Hamas-related hacking group that Insikt calls TAG-63 but that is also known as AridViper, Desert Falcon, and APT-C-23, depending on the reporting. The app and TAG-63 share the same “domain registration tradecraft”, which suggests a strong link.
Insikt “also observed that these domains were interconnected via a Google Analytics code”, the group said in a report on the activity.
“The threat actors also employed CloudFlare content distribution network (CDN) services for all domains after they were registered using the NameCheap domain registration and hosting provider.”
However, a number of subdomains in the set-up seem to link to Iranian infrastructure, with “iran” added to the domain name. Other subdomains include the Farsi words for “attendant” or “director”.
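The analytics-code pivot Insikt describes above can be reproduced on a defender's own domain collection. The following is an added example, not Insikt's tooling or anything from the report: it extracts Google Analytics IDs from fetched page bodies and groups domains that share one, transitively. The page bodies, domains and IDs below are constructed and hypothetical.

```python
import re
from collections import defaultdict

# Matches classic Universal Analytics IDs (UA-12345-1) and GA4 measurement IDs (G-ABC123).
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def extract_ga_ids(html: str) -> set[str]:
    """Return every Google Analytics tracking ID embedded in a page body."""
    return set(GA_ID_RE.findall(html))


def cluster_by_ga_id(pages: dict[str, str]) -> list[set[str]]:
    """Group domains that share at least one GA ID, transitively (union-find)."""
    parent = {d: d for d in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # GA ID -> first domain it was observed on
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            if ga_id in first_seen:
                parent[find(domain)] = find(first_seen[ga_id])
            else:
                first_seen[ga_id] = domain

    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    # Largest clusters first; singletons are domains with no shared ID.
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


# Constructed sample page bodies (hypothetical domains, not those in the report).
SAMPLE_PAGES = {
    "site-a.example": "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "mirror-b.example": "<script src='https://www.googletagmanager.com/gtag/js?id=UA-1234567-1'></script>",
    "mirror-c.example": "gtag('config', 'G-ABCDEF1234'); gtag('config', 'UA-1234567-1');",
    "unrelated-d.example": "<p>no analytics here</p>",
    "other-e.example": "gtag('config', 'G-ZZZZZZ9999');",
}

if __name__ == "__main__":
    for group in cluster_by_ga_id(SAMPLE_PAGES):
        print(sorted(group))
```

A shared ID is a pivot, not proof: a copied template or a reused CMS theme can carry someone else's tracking code, so confirm clusters against registration and hosting data as Insikt did.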
“In relation to the Iran-nexus infrastructure link, we assess it is likely that the newly identified domains were operated by threat actors that share an organisational or ideological affiliation with the Qassam Brigades,” Insikt said in its research.
“At the time of writing, Iran’s Islamic Revolutionary Guard Corps (IRGC), and specifically the Quds Force, is the only known entity from Iran that provides cyber technical assistance to Hamas and other Palestinian threat groups.”
Iran is the main backer and sponsor of Hamas, though it has denied it assisted the terrorist organisation in its recent attacks on Israel and Israeli citizens.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.