Research (Insikt)

Hamas Application Infrastructure Reveals Possible Overlap With TAG-63 and Iranian Threat Activity

Posted: 19th October 2023
By: Insikt Group
Hamas Application Infrastructure Reveals Possible Overlap With TAG-63 and Iranian Threat Activity

insikt-group-logo-updated-3-300x48.png

Recorded Future's research group, Insikt Group, has identified an application disseminated on a Telegram Channel used by members/supporters of the Hamas terrorist organization.

The application is configured to communicate with Hamas's Izz ad-Din al-Qassam Brigades website. Infrastructure analysis associated with the website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization. We also observed that these domains were interconnected via a Google Analytics code. Furthermore, a domain associated with the cluster hosted a website that spoofs the World Organization Against Torture (OMCT). Again, based on domain registration patterns, we observed a likely Iran nexus tied to that domain. It is likely that the newly identified domains were operated by threat actors that share an organizational or ideological affiliation with the Qassam Brigades. At the time of writing, Iran's Islamic Revolutionary Guard Corps (IRGC), and specifically the Quds Force, is the only known entity from Iran that provides cyber technical assistance to Hamas and other Palestinian threat groups.

hamas-application-infrastructure-reveals-possible-overlap-tag-63-iranian-threat-activity-body.png The application has direct links to the website of the Hamas organization (Source: Telegram)

The website has worked intermittently since the start of Hamas’s ground incursion into Israeli territory. From October 11, 2023, onward, we observed the domain point to multiple different IP addresses, which is likely related to attempts to ensure operability, evade website takedowns or, potentially, denial-of-service (DoS) attacks. The infrastructure overlaps that were identified between the Hamas application and the cluster of domains we suspect are linked to TAG-63 tradecraft are notable because they depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups. One hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.

To read the entire analysis, click here to download the report as a PDF.

Related