A Gaza-based threat actor has been linked to a series of cyber attacks aimed at Israeli private-sector energy, defense, and telecommunications organizations.
Microsoft, which revealed details of the activity in its fourth annual Digital Defense Report, is tracking the campaign under the name Storm-1133.
“We assess this group works to further the interests of Hamas, a Sunni militant group that is the de facto governing authority in the Gaza Strip, as activity attributed to it has largely affected organizations perceived as hostile to Hamas,” the company said.
Targets of the campaign included organizations in the Israeli energy and defense sectors and entities loyal to Fatah, a Palestinian nationalist and social democratic political party headquartered in the West Bank region.
Attack chains entail a mix of social engineering and fake profiles on LinkedIn that masquerade as Israeli human resources managers, project coordinators, and software developers to contact and send phishing messages, conduct reconnaissance, deliver malware to employees at Israeli organizations.
Microsoft said it also observed Storm-1133 attempting to infiltrate third-party organizations with public ties to Israeli targets of interest.
These intrusions are designed to deploy backdoors, alongside a configuration that allows the group to dynamically update the command-and-control (C2) infrastructure hosted on Google Drive.
“This technique enables operators to stay a step ahead of certain static network-based defenses,” Redmond noted.
The development comes as nation-state threats have shifted away from destructive and disruptive operations to long-term espionage campaigns, with the U.S., Ukraine, Israel, and South Korea emerging as some of the most targeted nations in Europe, Middle East and North Africa (MENA), and Asia-Pacific regions.
“Iranian and North Korean state actors are demonstrating increased sophistication in their cyber operations, in some cases starting to close the gap with nation-state cyber actors such as Russia and China,” the tech giant said.
This evolving tradecraft is evidenced by the recurring use of custom tools and backdoors – e.g., MischiefTut by Mint Sandstorm (aka Charming Kitten) – to facilitate persistence, detection evasion, and credential theft.