The Curated Intelligence community is a group of analysts from around the world that tracks the latest updates on the threat landscape. The latest situation Curated Intel has been following is the Hamas terrorist attack against Israel on 7 October 2023. The attack has subsequently resulted in thousands of civilian casualties on both sides and has destabilized the region.
As with any modern conflict, cyber activity surrounds it from all manner of groups. The most widely recognised and surface-level type has been hacktivism, due to the public announcements by threat actors claiming responsibility for attacks. This often takes place on social networking sites, like Telegram and Twitter, among others.
There have also been examples of the cybercrime underground exploiting the situation for financial gain. This includes offering databases of stolen data for sale as well as live access to compromised systems. This is typical behaviour for cybercriminals, but it should not be ignored by defenders in the region.
Regional advanced persistent threat (APT) groups are also expected to be launching campaigns following the incident. It should be noted that reporting on APT group activity often lags behind due to the typical covert nature of their operations, but various well-known groups are almost certainly going to be active during this tumultuous time.
- COBALT AZTEC, an Iranian state-sponsored threat group that operates and distributes DarkBit ransomware in destructive cyber attacks.
- COBALT FOXGLOVE, an Iranian threat group that exploits VPN and network appliance vulnerabilities to gain remote access to targets, usually dropping a web shell shortly after successful exploitation.
- COBALT LYCEUM, an Iranian state-sponsored threat group known for targeting critical infrastructure organizations, such as telecommunications, oil and gas companies as well as government entities.
- COBALT MIRAGE, an Iranian state-sponsored threat group known for delivering ransomware attacks using BitLocker and DiskCryptor to encrypt systems.
- COBALT SAPLING, an Iranian threat group that uses the Moses Staff persona, styling themselves as a pro-Palestinian hacktivist group with a stated aim of harassing and disrupting businesses and government entities in Israel.
- COBALT SHADOW, an Iranian threat group that uses the BlackShadow persona and has conducted multiple high-profile hack-and-leak attacks against companies in Israel, involving the distribution of personal information.
- POLONIUM, a Lebanon-based and Hezbollah affiliated APT group that launches cyber-espionage campaigns against Israel and likely collaborates with Iranian intelligence services.
- Volatile Cedar, a Lebanon-based and Hezbollah affiliated APT group that launches cyber-espionage campaigns against Israel and elsewhere.
- Dark Caracal, a state-sponsored APT group attributed to the Lebanese General Security Directorate that launches cyber-espionage campaigns against Israel and elsewhere.
- Molerats, a Gaza-based and Hamas affiliated APT group that launches cyber-espionage campaigns against Israel.
- AridViper, a Palestine-based APT group that launches cyber-espionage campaigns against Israel.