Gaza-Based Threat Actor ‘Storm-1133’ Targeting Israeli Energy, Defense, and Telecom Firms Unveiled in Microsoft’s Digital Defense Report

Cyber-Oracle
Oct 16, 2023


(https://www.cyber-oracle.com/p/gaza-based-threat-actor-storm-1133)

A threat actor originating from Gaza, identified as “Storm-1133,” has been uncovered in a series of cyber attacks primarily targeting private-sector organizations in Israel, with a focus on energy, defense, and telecommunications companies. Microsoft disclosed these details in its fourth annual Digital Defense Report.

Microsoft’s assessment links this group to furthering the interests of Hamas, a Sunni militant organization that holds de facto authority in the Gaza Strip. The majority of their activities have been directed toward organizations perceived as hostile to Hamas.

The campaign involved a range of targets, including entities within the Israeli energy and defense sectors, as well as those aligned with Fatah, a Palestinian political party based in the West Bank.

The attack strategy employed by Storm-1133 is multifaceted, incorporating social engineering and the creation of fake profiles on LinkedIn. These fraudulent profiles masquerade as Israeli human resources managers, project coordinators, and software developers. The goal is to initiate contact with employees at Israeli organizations, send phishing messages, conduct reconnaissance, and deliver malware.

Microsoft also observed Storm-1133 attempting to infiltrate third-party organizations with known links to Israeli entities of interest. In these intrusions the group tries to deploy backdoors whose configuration points to command-and-control (C2) infrastructure hosted on Google Drive, which lets the operators update the C2 addresses dynamically without touching the implants already in place.

Because the implant's first contact goes to a trusted, widely used cloud service rather than to a fixed attacker-controlled host, the technique stays a step ahead of static, network-based defenses such as destination blocklists and improves the group's ability to evade detection, as Microsoft notes.
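The following is an added example, not Storm-1133 tooling and not Microsoft's detection logic. It uses constructed data to show the two sides of the point above: an implant that resolves its real C2 address from a document on a cloud service (so a blocklist of yesterday's C2 address misses today's), and a behavioural check over constructed proxy log lines that flags the pattern anyway, by looking for non-browser processes polling cloud storage at a fixed interval. The host names, process names, IP addresses (TEST-NET ranges) and the JSON document format are all assumptions made for the illustration.

```python
"""
Dead-drop resolver on a trusted cloud service vs. a static blocklist, plus a
behavioural check that still catches the polling. Added example with
constructed data; not Storm-1133 code and not Microsoft's detection logic.
"""
import json
from collections import defaultdict
from statistics import pstdev

# Constructed "dead-drop" document. The operator edits this file on the cloud
# service; every implant that polls it picks up the new C2 address. Format is
# an assumption for the example.
DEAD_DROP_DOCUMENT = json.dumps({"c2": "203.0.113.45:8443", "sleep": 300})
# The same document after the operator rotates infrastructure (constructed).
ROTATED_DOCUMENT = json.dumps({"c2": "198.51.100.7:443", "sleep": 300})

# Static blocklist built from a C2 address seen earlier (constructed).
STATIC_BLOCKLIST = {"203.0.113.10"}


def resolve_c2(document: str) -> tuple[str, int]:
    """Parse the dead-drop document the way an implant would: (host, port)."""
    data = json.loads(document)
    host, port = data["c2"].rsplit(":", 1)
    return host, int(port)


def blocklist_hit(host: str) -> bool:
    """Static destination check: only ever knows addresses seen in the past."""
    return host in STATIC_BLOCKLIST


# Constructed proxy log lines: "<unix_ts> <src_host> <process> <dest_domain>".
# ws-17 has a non-browser process polling drive.google.com every 300 s;
# ws-22 is a user browsing Drive in Chrome at irregular intervals.
PROXY_LOG = """\
1697443200 ws-17 outlook.exe graph.microsoft.com
1697443201 ws-17 svchost.exe drive.google.com
1697443501 ws-17 svchost.exe drive.google.com
1697443801 ws-17 svchost.exe drive.google.com
1697444101 ws-17 svchost.exe drive.google.com
1697443250 ws-22 chrome.exe drive.google.com
1697443900 ws-22 chrome.exe drive.google.com
1697444390 ws-22 chrome.exe drive.google.com
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CLOUD_STORAGE = {"drive.google.com", "docs.google.com"}


def find_beaconing(log: str, min_hits: int = 3, max_jitter: float = 5.0) -> list[dict]:
    """Flag (host, process, dest) triples where a non-browser process contacts
    cloud storage at least min_hits times with near-constant spacing.
    Returns one finding per triple with the mean interval and its jitter."""
    series: dict[tuple[str, str, str], list[int]] = defaultdict(list)
    for line in log.splitlines():
        ts, src, proc, dest = line.split()
        if dest in CLOUD_STORAGE and proc.lower() not in BROWSERS:
            series[(src, proc, dest)].append(int(ts))

    findings = []
    for (src, proc, dest), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)  # population std-dev of the inter-request gaps
        if jitter <= max_jitter:
            findings.append({
                "host": src, "process": proc, "dest": dest,
                "interval": sum(gaps) / len(gaps), "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for doc in (DEAD_DROP_DOCUMENT, ROTATED_DOCUMENT):
        host, port = resolve_c2(doc)
        print(f"implant resolved C2 {host}:{port}; blocklist hit: {blocklist_hit(host)}")
    for f in find_beaconing(PROXY_LOG):
        print(f"beaconing: {f['host']} {f['process']} -> {f['dest']} "
              f"every {f['interval']:.0f}s (jitter {f['jitter']:.1f})")
```

The blocklist never fires, before or after the rotation, because the only destination the implant contacts first is the cloud service itself, which cannot be blocked wholesale in most organizations. The interval check fires on the polling behaviour instead of the destination, which is the kind of signal that survives C2 rotation; in production it needs an allowlist for legitimate sync clients (the Google Drive desktop client, backup agents) and a jitter threshold tuned to the environment, since real implants add randomness to their sleep.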

The disclosure coincides with an increase in hacktivist operations amid the escalation of the Israeli-Palestinian conflict. Groups like “Ghosts of Palestine” have conducted malicious activities targeting government websites and IT systems in Israel, the United States, and India.

The evolving threat landscape also reveals a shift in nation-state cyber activity, away from destructive and disruptive operations and toward long-term espionage campaigns. The most heavily targeted nations include the United States, Ukraine, Israel, and South Korea, with activity concentrated in Europe, the Middle East and North Africa, and the Asia-Pacific region.

Iranian and North Korean state actors are demonstrating heightened sophistication in their cyber operations, inching closer to the capabilities of cyber actors from nations like Russia and China.

This evolution in tradecraft is exemplified by the repeated use of custom tools and backdoors, such as "MischiefTut", employed by Mint Sandstorm (also known as Charming Kitten), which are designed to maintain persistence, evade detection, and steal credentials.
