FlagThis

The WIRTE threat actor, previously associated with the Hamas-affiliated Gaza Cybergang, continues to be active in the Middle East despite the ongoing war in the region. The conflict has not disrupted their operations, and they are leveraging recent events in the region for espionage operations, likely targeting entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia. WIRTE has expanded its activities beyond espionage and is now conducting disruptive attacks. Research has identified links between custom malware used by the group and SameCoin, a wiper malware targeting Israeli entities in two waves in February and October 2024. The group’s operations are characterized by consistent patterns, including domain naming conventions, communication via HTML tags, responses limited to specific user agents, and redirection to legitimate websites. While their tools have evolved, these core aspects remain consistent, making them a persistent threat in the Middle East.

References:

• Malware Analysis, News and Indicators - Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - 8d
• Check Point Research - Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity - 8d
• lab52.io - This blog post highlights the WIRTE group's targeting of Middle Eastern entities. - 8d
• www.sentinelone.com - This article discusses the connection between WIRTE and the Gaza Cybergang. - 8d
• securelist.com - This article discusses the WIRTE group's activities in the Middle East since 2019. - 8d

Classification:

• HashTags: CyberEspionage MiddleEast Cyberwarfare
• Target: Entities in the Middle East
• Attacker: WIRTE
• Type: Espionage
• Severity: Medium