Researchers at Recorded Future have uncovered potential indications of collaboration between the Palestinian organization Hamas and a long-standing Arabic-speaking hacker group.
Recorded Future’s report suggests that during the conflict with Israel, Hamas turned to external operators and “third parties” to ensure the continued operation of its military wing’s news site, al-Qassam.
Shortly after the conflict began, a Telegram channel used by Hamas members and supporters announced the release of an application related to al-Qassam, intended to disseminate Hamas messaging.
Maintaining the functioning of the site or application in Gaza is challenging. Air strikes have damaged the region’s internet infrastructure and caused power outages. Additionally, the area is constantly targeted by politically motivated hackers, and some service providers may refuse to host Hamas-related sites.
Researchers believe that Hamas is attempting to circumvent this issue by sharing its infrastructure with those who can assist in its maintenance. Since the conflict began, the al-Qassam website has operated across various providers.
When analyzing Hamas’ infrastructure, researchers observed suspicious redirects to the al-Qassam website and discovered that the site’s Google Analytics code was also present on about 90 other domains.
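The shared-analytics-code pivot described above can be reproduced on HTML that has already been collected. The Python sketch below is an added example, not code from Recorded Future's report; the domains, tracker IDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Universal Analytics (UA-<account>-<property>), GA4 (G-...) and Tag Manager (GTM-...) IDs.
TRACKER_RE = re.compile(
    r"\b(UA-\d{4,10})-\d{1,4}\b|\b(G-[A-Z0-9]{6,12})\b|\b(GTM-[A-Z0-9]{4,8})\b"
)

# Constructed sample pages (domain -> fetched HTML); not real infrastructure.
PAGES = {
    "news-site.example": '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-10000001-1"></script>',
    "mirror-one.example": "<script>ga('create', 'UA-10000001-3', 'auto');</script>",
    "mirror-two.example": "<script>gtag('config', 'G-ABC123DEF4');gtag('config','UA-10000001-1');</script>",
    "unrelated.example": "<script>gtag('config', 'G-ZZZ999YYY8');</script>",
    "no-analytics.example": "<html><body>static page</body></html>",
}

def extract_ids(html):
    """Return tracker IDs found in a page. UA IDs are reduced to the account
    part (UA-<account>) so different properties of one account still match."""
    return {ua or ga4 or gtm for ua, ga4, gtm in TRACKER_RE.findall(html)}

def shared_trackers(pages, min_domains=2):
    """Map each tracker ID to the domains embedding it, keeping only shared IDs."""
    by_id = defaultdict(set)
    for domain, html in pages.items():
        for tracker_id in extract_ids(html):
            by_id[tracker_id].add(domain)
    return {t: sorted(d) for t, d in by_id.items() if len(d) >= min_domains}

def related_to(seed, pages):
    """Domains that share at least one tracker ID with the seed domain."""
    seed_ids = extract_ids(pages[seed])
    return sorted(d for d, html in pages.items()
                  if d != seed and seed_ids & extract_ids(html))

if __name__ == "__main__":
    for tracker_id, domains in shared_trackers(PAGES).items():
        print(tracker_id, "->", ", ".join(domains))
    print("related to seed:", related_to("news-site.example", PAGES))
```

A shared tracker ID is a lead rather than proof of common control, because the snippet travels with any copied page template, so matches are normally corroborated with registration and hosting data.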
The researchers were able to identify two alleged clusters of domains. The first cluster employed registration techniques similar to those used by the hacker group TAG-63 (Aridviper, APT-C-23), which is believed to be a state-supported cyber espionage group acting on behalf of Hamas. TAG-63 is known for its operations against Arabic-speaking individuals in the Middle East.
The second cluster of domains was purportedly linked to Iran: several of its subdomains had ties to Iran, including the use of Persian terms such as “Director” and “Comrade.”
One of the pages associated with Iran was used to mimic the website of the Committee against Torture (World Organisation Against Torture, OMCT). However, it is unclear whether this site was employed by hackers for phishing or social engineering purposes.
Iran maintains close ties with Hamas, and only Iran’s elite Quds Force (Al-Quds brigades, AQB) is known to provide support in cyberspace to Hamas and other Palestinian hacker groups. While concrete evidence of cooperation between the two parties is lacking, this report offers insight into how groups may assist each other.