AridViper Steps Up as a Major Cyber Threat Amidst Hamas’s Recent Operations
On October 7, 2023, Hamas, the Palestinian politico-military organization, orchestrated a military and terrorist operation in Israel.
This has prompted cybersecurity analysts to delve into the activities of AridViper, an intrusion set suspected to be linked with Hamas.
Sekoia.io’s recent investigation uncovers the group’s persistent cyber espionage campaigns targeting both Israel and other Middle-Eastern countries, as well as internal Palestinian entities.
The Hamas-AridViper Connection: A Brief Background
Hamas, officially known as the Islamic Resistance Movement, governs the Gaza Strip and is a significant player in the Palestinian political landscape.
Supported by Iran and the Lebanon-based Hezbollah, Hamas has been involved in various conflicts with Israel.
AridViper, alternatively known as APT C-23, MoleRATs, Gaza Cyber Gang or Desert Falcon, is believed to be a cyber-espionage arm of Hamas. The group has been active since at least 2012 and was first exposed by Trend Micro in February 2015 [1].
Arsenal of Tools: Malware and Trojans
AridViper predominantly employs Windows, iOS, and Android malware [2] to compromise its targets.
One of its notorious tools is the PyMICROPSIA Trojan, an evolved Python version of the original Delphi-based Micropsia [3]. The group also uses the Arid Gopher backdoor for its operations. ESET recently discovered a new Rust-developed backdoor called Rusty Viper, indicating the group’s ongoing efforts to enhance its cyber capabilities.
Victimology: Targets Inside and Outside Israel
AridViper has been implicated in multiple cyber-espionage campaigns focusing on various sectors such as telecommunications, insurance, retail, media, academia, and government in the Middle East. The group has primarily impacted Israel but has also targeted organizations in Bahrain and Algeria, and individuals in Turkey. Recent campaigns have specifically aimed at collecting intelligence on Israeli law enforcement, military, and emergency services, according to a 2022 report by Cybereason.
AridViper’s Internal Palestinian Operations
Interestingly, AridViper has not restricted its operations to external entities.
The group has also been observed targeting high-value individuals in the Palestinian banking sector, political parties, and NGOs operating in Gaza and the West Bank.
Sekoia.io posits that the group likely serves Hamas’s objectives in collecting intelligence against political opposition within Palestine, focusing on entities like Fatah, the Palestinian Authority, and various civil society organizations.
The Escalating Threat Landscape
Sekoia.io [4] assesses that AridViper is a potent cyber threat contributing to Hamas’s intelligence collection efforts against its geopolitical adversaries and possibly against internal political opposition.
In light of the recent military operations conducted by Hamas, the activities of AridViper cannot be overlooked [5]. The group’s advanced arsenal and the broad spectrum of its targets make it a significant player in the evolving cybersecurity landscape in the Middle East.
- [1] https://www.trendmicro.com/vinfo/es/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome
- [2] https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
- [3] https://www.virusbulletin.com/conference/vb2023/abstracts/reinventing-steal-arid-viper-now-rusty-flavour/
- [4] https://blog.sekoia.io/aridviper-an-intrusion-set-allegedly-associated-with-hamas/
- [5] https://www.idf.il/en/mini-sites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/