Hamas's Cyber Soldiers... The First Drop in "Al-Aqsa Flood"

A report from the American newspaper, "The New York Times," has revealed that footage captured from cameras mounted on the helmets of members affiliated with the Islamic Resistance Movement, Hamas, who were martyred in the "Al-Aqsa Flood" operation on October 7th of this year, showed that they possessed significant knowledge and secrets about the Israeli army and its vulnerabilities. The attackers managed to access the server room in one of the Israeli army's facilities based on the information they had.

The newspaper indicates that these images provide horrifying details about how the Al-Qassam Brigades managed to surprise one of the most powerful armies in the Middle East, according to their description.

Experts have presented various theories about how Palestinian resistance obtained this information, with some suggesting that the movement may have spies within the Israeli army.

However, what many have overlooked is that "Hamas" possesses a cyber warfare strategy that it initiated over a decade ago and continues to develop rapidly. Simon P. Handler, in a report prepared for the State Cyber Unit of the Atlantic Council – a member of the Digital Forensic Research Lab – published at the end of 2022, issued a warning regarding this strategy.

What is noteworthy in Handler's report is that he directed his warning to the United States, not Israel. This underscores the significant danger of these cyber capabilities and the potential impact they can have on the balance of power on the ground. Handler emphasizes the necessity of understanding Hamas's strategy and dealing with it in a different manner.

The digital realm typically offers an important opportunity for entities with limited capabilities and resources to compete with their relatively stronger counterparts. Hence, these entities increasingly seek to acquire offensive capabilities and integrate them into their existing tools to advance their strategic objectives.

 Handler's report notes that while the United States' cyber strategy has primarily focused on its four major adversaries, China, Russia, North Korea, and Iran, Washington's and its allies' cyber warfare strategy, including Israel, failed to predict the electronic capabilities and offensive and intelligence capabilities of the Hamas movement.

The Green-Helmeted Warriors

Hamas is known for the green headbands worn by its fighters, bearing the word "Tawhid" (the belief in the oneness of God). Interestingly, this same color green distinguishes them in cyberspace as well.

According to the cybersecurity community's classification, Hamas is considered "Green-Helmeted Warriors," a classification distinct from others like Black-Hat hackers, White-Hat hackers, and Elite hackers.

What sets this green classification apart is that its members are regarded as "cyber warriors" rather than "hackers," despite some tolerance in calling them "green-hat hackers" for the sake of name uniformity. Security experts differentiate the Green-Helmeted Warriors by their continuous development of capabilities to become more powerful. Their motivations are rooted in political and ideological principles rather than financial gain, sabotage, or even personal security concerns.

Why Did Hamas Choose the Cyber Space?

Hamas has its unique motivations for developing offensive cyber capabilities, and examining its operations helps to understand these motivations and their alignment with its broader strategy. The following motivations stand out:

Propaganda and Recruitment

Hamas's strong online presence plays a crucial role in recruiting and gathering information, as well as in other media-related goals, such as drawing attention to the cause it advocates for. These are all primary motivations to maintain the movement's importance and visibility among the public.

The Atlantic Council's report suggests that Hamas uses social media platforms to mobilize the Palestinian population and encourage them to engage in resistance operations against Israel. However, despite the significance of this role of social media and the advanced propaganda tools used by Hamas, the digital threat it poses to Israel in cyberspace goes far beyond mere propaganda.

Striking in the Shadows

Despite Hamas's uncompromising stance toward Israel, the movement's leaders are well aware of Israel's military and technological strength. They understand the arenas where the movement can achieve impactful successes, while practicing strategic restraint to avoid retaliatory actions that could be devastating.

The digital realm, where activities can be conducted anonymously and the actor's identity is difficult to determine, is one of Hamas's preferred arenas. The organization knows that any discovery of its presence in cyberspace would have dire consequences on the ground. As a result, Hamas refrains from some cyber operations that other actors working on behalf of nations, like Russia or China, might conduct.

Hamas avoids targeting Israeli infrastructure with destructive malware because it realizes that such actions could expose it to Israeli retaliation. Additionally, the organization does not propagate ransomware programs seeking financial gain, unlike many other groups.

The movement's strategic plan revolves around two primary objectives. The first is gathering intelligence on the Israeli army, its soldiers, or their affiliates. The second is disseminating deceptive information aimed at achieving military or counter-propaganda objectives to undermine the morale of Israelis.

This strategy not only shields the movement from Israeli retaliation but also guards it against the wrath of supportive nations. It provides the necessary room for maneuvering in its long-term military plans. As a result, these cyber operations are seen as an effective complement to on-ground military actions, as witnessed in the recent major operation, "The Last Al-Aqsa Tempest."

Cost Efficiency

The Atlantic Council's report cautions against underestimating Hamas's cyber capabilities. While it is considered relatively weak and lacks the advanced tools that other hackers may possess, many security experts have been surprised by its potential. Despite Israel's control over communication frequencies and infrastructure, as well as the chronic electricity shortages in the Gaza Strip, Hamas has managed to harness its cyber potential.

Tel Aviv perceives Hamas's offensive cyber threat as highly dangerous. In 2019, Israel thwarted one of the movement's electronic operations and executed an airstrike targeting what it claimed to be "Hamas's cyber headquarters," hitting a building in the Gaza Strip. This operation was one of the first publicly acknowledged by the Israeli army in response to a cyber operation.

However, despite the Israeli military spokesperson's assertion that "Hamas no longer possesses electronic capabilities after our strike," several reports have highlighted electronic operations conducted by the movement in the months and years following that incident.

Tactical Evolution

Naturally, Israel is the primary target of Hamas's electronic espionage. These operations have become increasingly common over the past few years and have gradually evolved from general and common tactics into more detailed and sophisticated methods.

Initially, the Green-Helmeted Warriors of Hamas had a wide range of targets, including governmental, military, academic, transportation, and infrastructure sectors. They took great care to conceal information that could reveal the breaches of IT departments in these institutions, fearing exposure of their objectives.

Later on, Hamas hackers implemented different tactical updates to increase their chances of success. In September 2015, the group began using link embedding instead of attachments, non-pornographic lures such as car accident videos, and additional data encryption for leaked information.

Another campaign in February 2017 adopted a more targeted approach, utilizing social engineering and different techniques to target individuals within the Israeli Defense Forces with malicious software through fake Facebook accounts.

These operations showcase Hamas's strength on two levels: first, its ability to breach and steal valuable materials from Israel, and second, its audacity to execute attacks in support of the Palestinian national cause.

Disinformation is another tool in Hamas's cyber arsenal. This form of online sabotage, typically involving website hacking to disseminate propaganda, is not as destructive as it is disruptive. Its aim is to embarrass Israel, albeit temporarily, and have a psychological impact on the targeted individuals and the public.

During Israel's "Operation Cast Lead" in 2012, Hamas claimed responsibility for attacks on crucial Israeli sites, including the Israeli military's Home Front Command, affirming that these cyber operations were an integral part of the war against Israel.

These operations have demonstrated their ability to reach a wide audience through disinformation techniques. During the 2014 war in Gaza, Hamas managed to access the satellites of Israel's Channel 10, broadcasting images of injured Palestinians as a result of Israeli airstrikes on Gaza. They accompanied these images with a Hebrew message that read, "If your government does not agree to our conditions, prepare for a long stay in the shelters."

Hamas also sought support from sympathizers worldwide, inspiring individuals to resist Israel and expose its narrative. This led to the defacement of electronic platforms associated with the Tel Aviv Stock Exchange and Israel's "El Al" airline by Arab hackers.

No Iron Dome for Cyber Protection

Similar to Hamas's rocket program, which began with short-range, imprecise Qassam rockets, its cyber program initially relied on rudimentary tools. However, over the years, as the movement acquired advanced, precise, and long-range missiles, its cyber capabilities also evolved in terms of size and complexity.

The recent "The Last Al-Aqsa Tempest" operation demonstrated what security experts had been warning about: the Iron Dome, which is supposed to protect Israel's airspace from resistance rockets, cannot shield it in cyberspace.