The Hackers of the Islamic Resistance Movement
A Historical Review of Hamas' Hackers, Digital Intelligence and Cyberattacks
Basil Salahiyya: Qassam commander who established a special unit intended to enhance the movement’s capacity to gather data on the occupation
Introduction
One of the facets of the Islamic Resistance Movement that has been overlooked in popular commentary and scholarship alike is the movement’s technological prowess and the Qassam Brigades’ “Cyber Unit” (Quwwat al-Sāybar) and “Electronic Warfare Unit” (Waḥdat al-Ḥarb al-Iliktrūniyya), also known as its “Cyber Weapon” (Silāḥ al-Sāybar). This is despite the fact that this unit has undertaken significant interventions against occupation soldiers, commanders, politicians, and others within command post structures. These intelligence operations have licensed the Qassam Brigades’ subsequent kinetic operations. Indeed, intelligence successes achieved by these Qassam units enabled the “Great Crossing” on 7 October 2023, which was the culmination of a major security breach and numerous, long-running cyberattacks launched by the movement against the occupation.[1] A recent report published by Cloudflare on 23 October 2023, titled “Cyber attacks in the Israel-Hamas war,” confirmed that cyberattacks occurred on 7 October at 3:30 p.m. GMT with the aim of disrupting service to various websites with servers in occupied Palestine. According to the same report, the first attack peaked at 100,000 requests per second and lasted for 10 minutes, while a second, much larger attack lasted 6 minutes and peaked at 1 million requests per second.[2] The report chronicled that:
On October 7, 2023, at 03:30 GMT (06:30 AM local time), Hamas attacked Israeli cities and fired thousands of rockets toward populous locations in southern and central Israel, including Tel Aviv and Jerusalem. Air raid sirens began sounding, instructing civilians to take cover.
Approximately twelve minutes later, Cloudflare systems automatically detected and mitigated DDoS attacks that targeted websites that provide critical information and alerts to civilians on rocket attacks. The initial attack peaked at 100k requests per second (rps) and lasted ten minutes. Forty-five minutes later, a second much larger attack struck and peaked at 1M rps. It lasted six minutes. Additional smaller DDoS attacks continued hitting the websites in the next hours.[3]
According to the investigation, malicious apps targeted Android phones, enabling Hamas hackers to access users’—particularly occupation soldiers’—sensitive information. The investigation noted that in the days following the launch of Tufan al-Aqsa, other websites were targeted by intensive distributed denial-of-service (DDoS) attacks. It revealed that this accounted for 56 percent of all attacks. Additionally, hackers successfully exploited a vulnerability in the “Red Alert” app, which alerts denizens living in occupied Palestine to a possible attack; this enabled the hackers to expose servers and application programming interfaces (APIs) and send users misleading alerts. The banking sector, financial services companies, insurance companies, and government administration websites were exposed. This cyberattack demonstrates a degree of sophistication that justifies a more thorough historical review of Hamas’ cyber-intelligence capabilities. For, although Hamas’ Cyber Unit was only officially announced on 13 October 2022, its infrastructure was developed over multiple decades.[4]
The History of Hamas’ Cyber-Intelligence
Jumʿa al-Ṭaḥla, a Jordanian of Palestinian origin, was born in Jordan in 1962. He participated as a fighter in the Israeli invasion of Beirut in 1982 and subsequently in the war in Afghanistan, before later joining the ranks of the Izz al-Din al-Qassam Brigades in the Gaza Strip. In 2004, he formally joined the Qassam Brigades, leaving his business activities and a construction company he had founded in the United Arab Emirates in order to travel to Syria, where he contributed to the development of the Brigades’ weapons and combat tactics.
2004 was also the year in which Hamas undertook one of its earliest hacking operations. Beginning in 2004, an operative known as “R.” who lived within 1948 occupied Palestine was employed as a software engineer at the telecommunications company, Cellcom. By virtue of his position, he obtained wide access privileges to the company’s computers, information systems, and databases. Over the subsequent decade, he diligently and clandestinely collected information that would later be passed on to Hamas operatives. This report will return to “R.,” whose data, come 2017, was finally utilized by the Hamas Cyber Unit.
Meanwhile, al-Ṭaḥla continued his work from Damascus until 2009, when, at the request of the movement’s leadership, he set out for the Gaza Strip. During this journey, he was arrested by Egyptian security forces and remained in Abū Zaʿbal Prison until 2011, following the fall of the Mubarak regime. Upon his arrival in Gaza thereafter, the Qassam Brigades initiated the first phase in the formation of the Cyber Unit.[5]
The establishment of this unit followed the Brigades’ first electronic attack during the “Battle of Ḥijārat al-Sijjīl” in 2012, during which more than 5,000 mobile phones belonging to officers and soldiers in the occupation army were penetrated. This operation was accompanied by the hacking of an Israeli television channel and the broadcast of threatening messages in Hebrew, constituting an important turning point.
During the approximately ten years that al-Ṭaḥla spent in the Gaza Strip, he became a close confidant of Mohammed Deif and contributed his expertise in cybersecurity through the development of programs related to electronic warfare and scientific development within the Qassam Brigades. In 2014, al-Ṭaḥla oversaw the establishment, formation, and structuring of the Electronic Warfare Unit and the “Cyber Weapon” (Silāḥ al-Sāybar), personally leading numerous attacks targeting the occupation’s critical infrastructure.
Also in 2014, Basil Salahiyya, a member of Hamas’ military wing, established a special unit intended to enhance the movement’s capacity to gather data on the occupation. This development, as noted by Netanel Flamer, preceded what he identifies as Hamas’ “2014 operation known in Israel as Battle of Hunters.”[6] In the course of this operation, Hamas operatives adopted online personas of attractive women; while some of these identities were fictitious, others were based on real Jewish women living in occupied Palestine whose online profiles had been appropriated. Through these accounts, operatives contacted IDF soldiers—primarily those serving in combat units—via Facebook, communicating in Hebrew and employing colloquial expressions characteristic of online exchange.
Following an initial phase of correspondence, which in certain instances included the exchange of photographs, the soldiers were induced to continue communication through a chat application developed by Hamas.[7] As these exchanges became more personal, the application functioned as spyware. Soldiers were directed to an application store, which was also constructed by Hamas and populated with ostensibly innocuous programs, to download the chat application. Upon installation, the program enabled Hamas to obtain near-complete access to the soldier’s device, including the ability to activate the camera to capture surrounding images, to monitor audio through the microphone as a “roving bug,” and to determine the device’s location via GPS.[8] It further provided access to contacts, messages, emails, photographs, and videos. After this access was secured, operatives were able to remove the visible application and implant what Flamer calls “low-signature” tracking spyware.[9]
The occupation’s own reporting indicates that their military identified dozens of mobile devices as having been compromised by such software, with these activities continuing over a period of roughly two years before the IDF moved to expose Hamas’ cyber operations.[10]
During the 2014 Battle of al-ʿAṣf al-Maʾkūl (Dry Grass), the Qassam Brigades revealed their success in infiltrating Israeli civilian and military systems, including satellite and radio broadcasts of Hebrew channels and stations, as well as phones and email accounts, and in obtaining important information. The occupation acknowledged the Qassam Brigades’ attempt to penetrate the warship systems and the Cyber Unit’s involvement in cyberattacks targeting vital systems. At the time, Hebrew media reported that Hamas had tricked a number of army soldiers through fake accounts and had obtained important information, including photos of military bases, by eavesdropping on communications, after deceiving soldiers with “cat-fishing” techniques using photos of attractive women; one soldier believed that he was chatting with a Brazilian girl and revealed operational details to a Qassam hacker.
Salahiyya recounted that, during the 2014 war, members of the Cyber Unit established contact with a soldier in the occupation’s Artillery Corps using a fictitious online profile, through which they gained access to his phone and determined his location; this information was relayed to the commander of the Qassam Brigades’ Gaza City Southern Brigade, who ordered a rocket unit to strike the identified position. It was later revealed, by a hacked message sent by the soldier to his family indicating that he had been wounded, that the strike had been successful.
Flamer provides an illustrative account of how, exactly, the cat-fishing took place; it is worth quoting him at length:
One story that demonstrates this manner of attack is that of a soldier who was contacted on Facebook by a woman who introduced herself as having once served in the Israel Prisons Service. At first, the conversation was general and revolved around the soldier’s current activities in the army. After a few days of back-and-forth, the woman asked the soldier to download an app where they could continue chatting. He tried, but was unable to open it on his device, so the two maintained their correspondence on Facebook. Eventually, IDF personnel identified the woman as a fictitious profile operated by Hamas and informed the soldier, who then cut off all contact.
[…] At first, the [cat-fishing] profile engages the soldier on the other side to exchange basic information.
[…]
The profile learns where the soldier’s unit is stationed and determines its activities in the sector. The profile sends the soldier encouragement, and attaches a photo of an attractive young woman in order to sustain believability and keep the soldier engaged[.]
[…]
After establishing her cover story, the Hamas profile asks the soldier to download the app that will allow Hamas to access his device[.]
[…]
In this way, Hamas successfully targeted dozens of active-duty soldiers, some of whom indeed took the bait. The organization made use of this tactic throughout the entire wave of attacks, which continued for approximately two years until the IDF resolved to expose Hamas’s cyber activity.
[…]
The targets were asked to download applications called GrixyApp, ZatuApp, and Catch&See using a direct link rather than from an app store – presumably, the lesson learned from the previous attack was that this would reduce their risk of exposure. After the victim downloaded the app to their smartphone and tried to open it, he or she would get an error message saying that the software was unsupported by the device; the software would appear to be deleted from the device. In practice, however, the software continued to operate behind the scenes. The malware itself was equipped with all the capacities demonstrated by the malware in previous attacks, such as transferring files from the device, taking photographs remotely, accessing the device’s location, contacts, and text messages, and carrying out remote eavesdropping through a roving bug on the device’s microphone. According to the IDF’s analysis […] Hamas succeeded in infecting dozens of IDF servers in this wave.[11]
Salahiyya’s method of digitally ambushing occupation soldiers, referred to as the “Ḥasnawāt Ambush,” was repeated in 2017, when the occupation intelligence revealed a large-scale espionage operation carried out by Hamas against dozens of Israeli soldiers through the use of fake accounts on the social media platform Facebook, in which photos of attractive women were used to lure the soldiers. Also in 2017, the aforementioned “R.” operative helped, at the request of Hamas officials in Gaza, transfer sensitive information concerning the occupation’s communications infrastructure—information to which he had access through his work and which was not available to the public. This assisted Hamas operatives in targeting communications infrastructure during military confrontations with the occupation in the 2021 war. In 2017, the Israeli Broadcasting Authority disclosed details of a serious security case involving three Palestinians from within 1948 occupied Palestine who, like “R.,” were accused of leaking sensitive information about Cellcom to Hamas. According to the Hebrew channel, these individuals were able to carry out a “test” cyber-attack to determine whether it would be viable to disrupt the infrastructure of the cellular communications company. An Israeli official stated at the time: “We were on the verge of disaster,” adding that, in the aftermath of the case, senior employees at Israeli telecommunications companies would be subjected to security examination.[12]
In 2012, a group known by the name “Molerats” and several other monikers, including Gaza Cybergang, Frankenstein, WIRTE and TA402, became active.[13] Thought to be associated with Hamas, the group undertook its first major operation beginning in May 2015, creating various backdoors and sending spear-phishing emails. As Flamer recounts:
ClearSky’s first report, issued on January 7, 2016, noted that the company had identified one of the hackers but had decided not to publish his name. On January 18, a member of the hacker group, using an email ostensibly from the IDF, contacted ClearSky to request information about the individual identified by the company. Several days later, one of the hackers called the company on the phone, introduced himself as a victim of the attack, and asked for information about the identity discovered by the company. He was asked to send an email with his request, which arrived on January 23. The company did not accede to either of the two requests, but used the data it had collected to verify the identity of the hacker. In its second report, issued in June 2016, the company identified the individual as Muʿaiya ʿAyish, a young man from the Gaza Strip, based on an in-depth online investigation.[14]
According to a video reportedly produced by Salahiyya, beginning in January 2016, the Qassam Cyber Unit began recording the locations of soldiers’ mobile phones within the Gaza Strip, including the identification of individual soldiers, while also collecting correspondence between them.[15] Through an exchange between an occupation soldier and a fictitious profile run by a Cyber Unit operative, Hamas identified that the occupation soldiers were engaged in work related to underground tunneling. On the basis of the geolocation data derived from the phished devices, Salahiyya mapped the positions of the occupation’s military personnel and determined that tunnel excavation was being conducted from occupied Palestine into the Gaza Strip. As Flamer writes:
At this point, Salahiyyah decided to add geospatial intelligence to his arsenal. Using an UAV, he identified sites that would seem to indicate the digging of tunnels in the locations obtained by the cyberattacks. Salahiyyah reported that the UAV’s flight showed considerable digging, with dozens of trucks appearing to cart sand or mud from mobile structures – to Salahiyyah’s mind, further evidence that Israel was digging tunnels. In mid-2017, Hamas obtained a device that could sense digging, apparently by identifying metals such as copper. Thus, according to Salahiyyah, more than a few tunnels were found, and photos of these tunnels were obtained by hacking the soldiers’ phones. Counterintelligence operations also contributed to the effort. According to Salahiyyah, some of the tunnels were located using the confessions of Palestinian collaborators with Israel arrested by Hamas’s internal security forces: They revealed that their handlers had instructed them to buy certain tracts of land and structures in the Gaza Strip that could serve as tunnel exits. All of this information led Salahiyyah to conclude that these tunnels were meant to serve the IDF in Israel’s next large-scale operation in the Gaza Strip. After an opening air strike, familiar from prior operations, Israeli forces would then emerge from these tunnels dressed like Hamas fighters to confuse the real Hamas operatives and attack deep inside Gaza.[16]
In 2016, Hamas also expanded its use of Facebook by creating profiles that presented as occupation soldiers, in part through the appropriation of identities belonging to real individuals.[17] Through these accounts, operatives sought entry into informal online groups associated with occupation units, particularly those composed of reservists, including groups that were closed but to which access was nonetheless granted. Once inside these forums, Hamas operatives were exposed directly to exchanges among group members concerning the composition of the units and their activities across different time frames. Within this setting, operatives posed inquiries regarding both prior and anticipated training and exercises, and in certain instances received substantive information in response.
Between 2016 and 2018, the Qassam Brigades carried out what they designated as Operation “Sarab,” which they describe as one of their most significant security operations. During this period, they report achieving a tightly executed infiltration of the Israeli intelligence apparatus, thwarting an attempt to recruit an agent for espionage and producing confusion within the resistance’s missile and security systems. In connection with this operation, the Brigades state that they developed an integrated plan to deceive the occupation’s intelligence services, through which they obtained the names of Israeli officers responsible for monitoring Gaza within the Internal Security Agency (al-Shābāk) by monitoring phone calls, and seized technical items sent to the “supposed agent,” who was receiving instructions and direction from “Resistance Security” in order to mislead the enemy. They further indicate that they documented an audio recording that captures the reaction of the Israeli officer responsible upon discovering the duality of the source.
In a subsequent phase, the Qassam Brigades released a documentary entitled “An Engineer in the Footsteps of al-ʿAyyāsh,” in which they disclosed selected details of this operation. In this account, they attribute responsibility for the ambush to Commander Sāmi Riḍwān, an engineer who was later assassinated by the occupation during the Battle of the Sword of Jerusalem. According to the material authorized for publication, the information obtained by Riḍwān contributed to the planning of operations and altered the means of conflict with the occupation, in addition to his role in establishing the internal military communications network and securing it against penetration.
In 2018, the occupation admitted that the various Hamas cyber-operations conducted up to that point included penetration of the siren system operated by the Evgilo company, with hackers activating the sirens in multiple areas of occupied Palestine; hacking into the occupation army’s radio frequencies along the Gaza border on several occasions and eavesdropping on them; hacking into various devices operated by the cyber division at Israel Aerospace Industries; extracting 19 gigabytes of security and military data from the occupation; and hacking the “Egged” bus network system.[18]
In April 2018, according to the outlet “News 1,” the Mossad targeted Dr. Fadi al-Batsh, identified as one of the leaders of Hamas’s “Cyber Weapon.” In the same year, reporting cited by the Hebrew-language website “i24” indicates that the Israeli army initiated Operation “Broken Heart” in response to a penetration attributed to Hamas, which it described as the outcome of a tightly executed operation that enabled the acquisition of information and images relating to army headquarters, military camps, and command rooms. This penetration was said to have been conducted through chat applications that functioned as spyware, while the army denied that these efforts produced any tangible security damage.
In August 2018, during a period of intensified fighting in which Hamas launched hundreds of rockets towards the occupation, the organization also conducted a cyber operation. In preparation for such moments, it had developed an application modeled on “RedAlert,” a program used to provide real-time warnings of rocket launches within Israel’s Red Color early warning system. The Hamas-developed application, referred to as “IsraelAlert,” was designed to resemble the original in order to enhance its credibility and encourage users to download it. The distribution of this application was carried out through social media platforms, including WhatsApp, as well as through bots and fabricated profiles on Facebook and Twitter, accompanied by a download link hosted at the website “israelalerts[.]us.” The software was produced as a ready-made tool, intended for deployment alongside rocket fire during escalatory periods, and activated when such conditions arose.[19]
Following the “IsraelAlert” operation, the cybersecurity firm ClearSky undertook an investigation into how the cyber-scheme was prepared. CEO Boaz Dolev stated that:
As part of our monitoring activities, we discovered the fake websites leading to the download of malicious software. When the app is downloaded, it takes control of the mobile phone and allows the operator to track the device, determine its location, take photos, record audio, and use it to make calls, send messages, and perform any other action the device is capable of […] Based on a series of data collected, it appears that Hamas timed the attack as the cyber arm of the current rocket offensive against Israel. […] Unfortunately, it appears that if the software has already been downloaded, deleting the app will not help and will not remove the malware from the devices, and the phone will continue to transmit all its data to the operator.[20]
In the period that followed, Qassam’s “Cyber Weapon” succeeded in controlling the occupation army’s sirens system. In May 2019, under al-Ṭaḥla’s leadership, this unit carried out a major attack targeting 30,000 Israeli targets, most of them security facilities and military bases.
According to a security source in Al-Qassam, the backbone of this unit consists of engineers, programmers, technicians, and specialists in information security and technology, who apply their knowledge in service of the resistance project and work around the clock to feed the “Resistance Information Bank” in order to expose and thwart the occupation’s plans. Al-Ṭaḥla also established an army he named the “Jerusalem Electronic Army,” the concept of which is based on mobilizing as many young, active, and experienced individuals in the cyber field as possible and directing them to launch cyber attacks against the occupation’s interests and systems.
Just as he helped establish a unit that penetrated the depth of the occupation through cyber attacks, al-Ṭaḥla also laid the groundwork for penetrating the occupation from the air using drones. He worked alongside the Tunisian martyr, Muḥammad al-Zawārī, on developing the first versions of Qassam’s drones.[21] He also worked on manufacturing and developing rockets to increase their destructive power, as well as manufacturing reconnaissance and surveillance aircraft.
In 2020, the occupation’s army reported that its Information Security Department had identified repeated attempts by Hamas to penetrate the mobile phones of occupation soldiers, conducted through contact via social media platforms and efforts to induce them to download malicious applications. In a contemporaneous statement, the army further indicated that, in coordination with the “General Security Service,” Hamas had thwarted a technological attack directed at the resistance’s server networks, which were used for communication with soldiers and the collection of information from them. The occupation noted that this constituted the first instance in which Hamas had successfully foiled this type of attack. The occupation subsequently summoned hundreds of soldiers whose phones had been penetrated, with the stated aim of questioning them and removing the threat from their devices. It further stated that Hamas had expanded its capabilities and started directing its activity toward other segments, in contrast to earlier instances in which its focus had been exclusively on soldiers. Hamas also began employing additional social media means, using Telegram, Facebook, WhatsApp, and Instagram to phish soldiers.
According to an InterNews report, in 2020, a “Hamas secret intelligence and cyber unit was established” in Turkey, with “[t]he unit allegedly operated on instructions from the Hamas leadership in Gaza, without the knowledge of the Turkish authorities.”[22] This also coincided with Omar al-Balbisi, a computer specialist focused on penetrating Android devices and described as one of the leaders of Qassam’s “Cyber Weapon,” relocating from Gaza to Turkey.
During the Battle of the Sword of Jerusalem of May 2021, the Cyber Unit undertook several intelligence-collecting operations. This was revealed when the occupation’s military communicated with settlers residing within the Gaza envelope, advising them to disconnect webcams in order to prevent potential penetration of their computers by Hamas operatives, which could enable access to images or facilitate control over the devices.[23] This guidance, however, was not issued as a general directive to private individuals; rather, it was specifically addressed to community-based observation systems, each of which operates within a local security arrangement designed to guard against external penetration. During the 2021 war, the occupation martyred al-Ṭaḥla along with the founder of “Shadow Unit,” Bassem Issa, alongside the head of the Development and Projects Department, Jamāl Zubda, and the head of the Engineering Department in the Production Division, Ḥāzem al-Khaṭīb. The Prime Minister of the occupation, Benjamin Netanyahu, commented on the assassination at the time, saying: “We have eliminated senior leaders in the Hamas General Staff.”[24] Al-Ṭaḥla was martyred in Gaza in May 2021, but the operational framework he facilitated continued.
In July 2022, the occupation reported a penetration attempt carried out by the Cyber Unit of the Qassam Brigades. According to a spokesman for the occupation army, Hamas repeatedly attempted to hack various soldiers’ phones by using fake accounts designed to persuade them to download game applications that would completely control their phones.
On 28 September 2022, the Mossad attempted to abduct al-Balbisi. After several years based in Turkey, al-Balbisi had relocated to Kuala Lumpur; al-Balbisi and another Qassam computer scientist (who went unnamed) were the targets of this Mossad operation. As the New Straits Times recounted:
In a brazen snatch-and-grab operation in the heart of Kuala Lumpur, the team intercepted the two Palestinian high-value targets just after 10pm on Sept 28, when the duo, both computer programming experts, were about to enter their vehicle parked near Jalan Yap Kwan Seng here after having dinner at a nearby mall.
[…]
For the next 24 hours, the victim was interrogated and beaten by the Malaysian operatives when his answers were not to the Israelis’ satisfaction.[25]
Al-Balbisi’s Malaysian captors allegedly tied him to a chair, blindfolded him, and connected him to two men believed to be Mossad operatives via video call. The answers al-Balbisi provided were reported to be inadequate for the Mossad. However, the Malaysian police were made aware of al-Balbisi’s kidnapping and managed to raid the house where he was being held, interrupting the kidnapping mid-video interrogation.[26] A few months thereafter, on 13 October 2022, Hamas officially announced the formation of its Cyber Unit.
In addition to MoleRats, several other TA402 groups and cluster offshoots have undertaken hacking operations and espionage campaigns. These have included the use of loaders like IronWind to enable communication with command-and-control (C2) servers and execute code embedded in HTML elements. Such hacks have taken place as recently as the September 2024 “Havoc delivery” labyrinthine infection email chain and an October 2024 email campaign “sent from the email address of a legitimate email of Israeli ESET reseller, targeting multiple Israeli organizations.”[27]
Conclusion
This overview report, which has not elaborated on all of Hamas’ cyber-intelligence operations, demonstrates the significant and increasing complexity of Qassam’s Cyber Unit and offshoot hacker clusters. A subsequent analysis ought to take into account the use of Artificial Intelligence (AI) by these groups and their response to the occupation’s use of AI-assisted targeting programs such as “Where’s Daddy,” Lavender, and Gospel.
The resistance movement is clearly privy to these methods, evidenced by a recent security communiqué published by the al-Hares (“the guardian”) Telegram channel reviewing five digital tools in the wake of the (at the time of this article’s writing) ongoing war with Iran, reproduced below:
Five Digital Tools […]
They didn’t need an army on the ground.
All they needed was an internet connection.
🔹 The first tool… Street and store cameras
▪️ Ordinary internet-connected cameras, hacked remotely.
▪️ They went from being a local security tool to intelligence eyes.
▪️ Every camera connected to the internet is a potential target at any time.
🔹 Tool #2: The Internet of Things
▪️ Internet-connected home and industrial devices were easily hacked.
▪️ An entire infrastructure has been exposed through its smart devices.
▪️ Every internet-connected device is a potential entry point.
🔹 The third tool… Artificial Intelligence
▪️ Lavender classifies individuals and automatically places them on target lists.
▪️ Gospel pinpoints locations by analyzing satellite imagery.
▪️ “Where’s Daddy?” tracks targets all the way to their family homes.
🔹 The Fourth Tool: Remote Assassination
▪️ A satellite-controlled machine gun carried out an assassination inside Iran without any human presence on the ground.
▪️ Small drones guided by artificial intelligence data reach their targets with absolute precision.
▪️ War has moved from the battlefield to the screen.
🔹 The fifth tool: Linking the digital and the physical
▪️ Digital data drives real-world operations on the ground.
▪️ Whoever possesses the information controls both decision-making and execution.
▪️ Cyberspace is no longer separate from reality; rather, it drives it.
The most important lesson: Every device connected to the internet is a real threat.[28]
[1] Nidaa Basoumi, “The al-Qassam Brigades’ Cyber Unit: A Jordanian Founder and a Flood of Results,” NoonPost, 11 November 2024; retrieved online (19 March 2026): https://shorturl.at/hlGhr.
[2] Jorge Pacheco and Omer Yoachimik, “Cyber attacks in the Israel-Hamas war,” Cloudflare (blog), 23 October 2023; retrieved online (19 March 2026): https://blog.cloudflare.com/cyber-attacks-in-the-israel-hamas-war/. Also see João Tomé et al., “Cyber attacks in the Israel-Hamas war, DDoS threat trends, and Internet disruptions,” Cloudflare TV, 6 February 2023; retrieved online (19 March 2026): https://cloudflare.tv/this-week-in-net/cyber-attacks-in-the-israel-hamas-war-d-do-s-threat-trends-and-internet-disruptions/oZK2BJa4.
[3] Jorge Pacheco and Omer Yoachimik, op. cit.
[4] Kawthar Zantour, “How ‘Cyber Hamas’ Hacked Into the Israeli Military’s Secrets,” Al Majalla, 1 November 2023; retrieved online (19 March 2026): https://tinyurl.com/33s4uh5c.
[5] Basoumi, op. cit.
[6] Netanel Flamer, The Hamas Intelligence War Against Israel (Cambridge: Cambridge University Press, 2014), 84.
[7] Basil Salahiyya, “Israeli Tunnels Under Gaza: Basil Salehiya,” YouTube, January 7, 2021; retrieved online (19 March 2026):
.
[8] Flamer, op. cit., 84.
[9] Ibid.
[10] Yoav Zeitun, “Nihsefah matkefet rigul neged hayyalim: Haprofilim hamefatim shel hamas,” Ynet, 11 January 2017; Noam Amir and Yossi Melman, “Tiud: Peilei hamas hithazu lezeirot vehistaltu al telefonim nayyadim shel hayyalim,” Maariv, 11 January 2017.
[11] Flamer, op. cit., 86-87, 93; also see “Kakh hasaf zahal nisayon hamas lehistalet al telefonim shel hayyalim,” IDF, undated, for partial transcripts of the chatroom discussions, segments of which are reproduced in Flamer’s text.
[12] Quoted in Basoumi, op. cit.
[13] AJ Vicens, “Pro-Palestinian hacking group evolves tactics amid war,” Cyberscoop, 14 November 2023; retrieved online (19 March 2026): https://cyberscoop.com/gaza-hamas-israel-cyber-hacking-espionage/.
[14] Flamer, op. cit., 95.
[15] Salahiyya, “Israeli Tunnels Under Gaza: Basil Salehiya,” op. cit.
[16] Flamer, op. cit., 88.
[17] Zeitun, op. cit.
[18] Zantour, op. cit.
[19] Flamer, op. cit., 90; Sagi Cohen, “Hamas Distributes Spyware Disguised as ‘Red Alert’,” Ynet, 9 August 2018; retrieved online (19 March 2026): https://shorturl.at/hCspK; Amitai Ziv, “Zehirut: hehamas mefiz aplikaziyat zeva adom mithazeh,” The Marker, 9 August 2018, www.themarker.com/technation/1.6364227.
[20] Dolev quoted in Cohen, op. cit.
[21] “Muḥammad al-Zawārī: Ṭayyār al-Muqāwama,” Mā Khafiya Aʿẓam, Al Jazeera TV, 30 April 2017. Also see Ahmed Qasem Hussein, “The Evolution of the Military Action of the Izz al-Din al-Qassam Brigades: How Hamas Established its Army in Gaza,” Al-Muntaqa, Vol.1, No.2, September/October 2021, pp. 78-97; Tamer al-Mishʿal, “Ma Khafi Aʿzam – Muhammad al-Zuary, Taiyyar al-Muqawama,” Al Jazeera 30 April 2017.
[22] “A dramatic kidnap case in Malaysia may point to changes in Mossad’s tactics,” IntelNews, 24 October 2022; retrieved online (19 March 2026): https://intelnews.org/2022/10/24/01-3229.
[23] Ran Bar-Zik, “Why did the IDF recommend that communities in the Gaza border area disconnect their security cameras, and what can we learn from this?”, HaAretz, 16 May 2021; retrieved online (19 March 2021): https://shorturl.at/itCuf.
[24] Quoted in Basoumi, op. cit.
[25] “Mossad used locals to kidnap Palestinian,” New Straits Times, 17 October 2022; retrieved online (19 March 2026): https://www.nst.com.my/news/crime-courts/2022/10/841460/mossad-used-locals-kidnap-palestinian.
[26] Intelnews, op. cit., goes on to report that:
“[…] indictments were filed against 11 people, who now stand accused of third-degree kidnapping. In Malaysia this crime can be punishable by up to life imprisonment, or even the death penalty. It was also claimed that a local woman in her 30s headed the Mossad network in the country. It was said that ‘she has trained abroad, including in Europe’, and received 2,000 euros a month from her handlers. Several men worked under her, according to the report.
It is also claimed that the same woman was employed by Mossad agents in 2018, when Israeli intelligence allegedly killed Palestinian engineer Fadi al-Batsh in Malaysia. Al-Batsh, an electrical engineering lecturer at a Malaysian university, was gunned down by two men on a motorcycle, as he was on his way to a mosque on Saturday.”
[27] “Hamas-affiliated threat actor WIRTE continues its middle east operations and moves to disruptive activity,” Check Point Research (cp<r>), 12 November 2024; retrieved online (19 March 2026): https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/. Joshua Miller and the Proofpoint Threat Research Team, “TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities,” Proofpoint, 14 November 2023; retrieved online (19 March 2026): https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government. The Proofpoint report notes that:
In mid-2023, Proofpoint researchers first identified TA402 (Molerats, Gaza Cybergang, Frankenstein, WIRTE) activity using a labyrinthine infection chain to target Middle Eastern governments with a new initial access downloader Proofpoint has dubbed IronWind. From July through October 2023, TA402 utilized three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant consistently leading to the download of a DLL containing the multifunctional malware. In these campaigns, TA402 also pivoted away from its use of cloud services like Dropbox API, which Proofpoint researchers observed in activity from 2021 and 2022, to using actor-controlled infrastructure for C2 communication. As of late October 2023, Proofpoint researchers had not observed any changes in targeting by TA402, an APT group that historically has operated in the interests of the Palestinian Territories, nor identified any indications of an altered mandate despite the current conflict in the region. It remains possible that this threat actor will redirect its resources as events continue to unfold.
It should be noted that, according to the Proofpoint report, these operations have targeted the Zionist occupation and North African/Middle Eastern governments; though unnamed, it is likely that the latter consist of those with diplomatic and/or financial relations with the occupation.
[28] Al-Hares (Telegram channel), 19 March 2026.


At the time, Hebrew media reported that Hamas had tricked a number of army soldiers through fake accounts and had obtained important information, including photos of military bases, by eavesdropping on communications, after deceiving soldiers with “cat-fishing” techniques using photos of attractive women; one soldier believed that he was chatting with a Brazilian girl and revealed operational details to a Qassam hacker.
---
This is clever, funny, and awesome!!
Fascinating! Thank you for chronicling this. Can’t believe little has been reported, at least in the West.