# Hamas Application Infrastructure Reveals Possible Overlap with TAG-63 and

Cyber Threat Analysis | By Insikt Group® | October 19, 2023

## Executive Summary

Insikt Group identified an application disseminated on a Telegram Channel used by members or supporters of the Hamas terrorist organization. The application is configured to communicate with Hamas's Izz ad-Din al-Qassam Brigades website, alqassam[.]ps. The website has worked intermittently since the start of Hamas's ground incursion into Israeli territory on October 7, 2023. From October 11, 2023, onward, we observed the domain point to multiple different IP addresses, which is likely related to attempts to evade website takedowns or, potentially, denial-of-service (DoS) attacks.

Infrastructure analysis associated with alqassam[.]ps led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization. We also observed that these domains were interconnected via a shared Google Analytics code, and that they were configured to redirect to alqassam[.]ps. Finally, a domain associated with the cluster hosted a website that spoofs the World Organization Against Torture (OMCT); based on domain registration patterns, we observed a likely Iran nexus tied to that domain.

Recorded Future Network Intelligence revealed a significant uptick in network traffic to the IP addresses hosting alqassam[.]ps, which overlapped with the start of Hamas's attack on October 7, 2023, as well as a significant reduction in traffic by late on October 10 (all times in this report are in UTC). This is potentially due to website outages or denial-of-service (DoS) attacks directed at the website by third parties.
## Key Findings

- The application dropped in a Telegram Channel claiming affiliation to Hamas's Izz ad-Din al-Qassam Brigades was designed to enhance the dissemination of the organization's message via that application.
- Multiple domains identified through Insikt Group infrastructure research were found to share a specific Google Analytics code; various domains were also identified redirecting to the Izz ad-Din al-Qassam Brigades website.
- We observed domain registration tradecraft commonly associated with TAG-63 on domains that shared the redirect to the Izz ad-Din al-Qassam Brigades website.
- Our analysis suggests that infrastructure likely operated by the same threat actors revealed an Iran nexus based on subdomain naming registration conventions. One of the subdomains associated with this cluster hosted a spoofed page associated with the World Organization Against Torture.
- Recorded Future Network Intelligence observed an influx of network traffic to IP addresses hosting the Izz ad-Din al-Qassam Brigades website at the start of Hamas's incursion into Israeli territory on October 7, 2023.

Recorded Future® | www.recordedfuture.com | Distribution: Public, from Insikt Group

## Analysis

#### The Al Qassam Application

The Al Qassam application was posted on October 10, 2023, via a Telegram Channel called[1] "كتائب الشهيد عز الدين القسام" (Martyr Izz ad-Din al-Qassam Brigades) (Figure 1), where it was disseminated to be shared with the group's membership base.

**Figure 1: The application was advertised on the Telegram Channel of the Qassam Brigade on October 10, 2023. The statement reads: "Download now the trial version of the 'Al-Qassam Media' application for 'Android' devices, so you can follow the news of the Martyr Izz al-Din al-Qassam Brigades".**
(Source: Telegram)

The application is configured to communicate with the domain that acts as an outlet for the Qassam Brigade, alqassam[.]ps, which, at the time of this analysis, resolved to the IP address 5.45.81[.]22, owned by a Panamanian entity called "IROKO Networks Corporation" (AS12722). We observed the domain point to multiple different IP addresses from October 11, 2023, onward (Table 1).

[1] https[:]//t[.]me/qassambrigades/28465

**Figure 2: The application has direct links to the website of the Hamas organization (Source: Telegram)**

The domain alqassam[.]ps resolved to 176.114.6[.]214 from May 2021 until October 11, 2023. On October 11, the domain changed its resolution to 185.209.31[.]193, an IP address owned by a Russian entity, "VDSINA VDS Hosting" (AS48282). According to public reports, this ASN is associated with "Hosting Technology LTD", an entity located in Moscow, Russia.
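The resolution changes described above (one IP for more than two years, then several IPs across different ASNs and countries within a week) are the kind of passive-DNS churn a defender can score automatically. The following is an added example, not code from the report or from Recorded Future: it replays the alqassam[.]ps resolution history from Table 1 through a small sliding-window heuristic and flags a domain whose A record was first seen on three or more distinct IPs inside a seven-day window. The `Resolution` record layout, the window size and the threshold are assumptions of this example; the dates, IPs and ASNs come from Table 1.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS A-record observation (layout assumed for this example)."""
    domain: str
    ip: str
    asn: str
    country: str
    first_seen: date
    last_seen: date


# Resolution history of alqassam[.]ps as listed in Table 1 of the report (defanged).
ALQASSAM_HISTORY = [
    Resolution("alqassam[.]ps", "176.114.6[.]214", "AS56485", "UA", date(2021, 5, 28), date(2023, 10, 11)),
    Resolution("alqassam[.]ps", "185.209.31[.]193", "AS48282", "RU", date(2023, 10, 11), date(2023, 10, 14)),
    Resolution("alqassam[.]ps", "85.202.95[.]107", "AS199239", "LB", date(2023, 10, 15), date(2023, 10, 16)),
    Resolution("alqassam[.]ps", "5.45.81[.]22", "AS12722", "PA", date(2023, 10, 15), date(2023, 10, 17)),
    Resolution("alqassam[.]ps", "45.142.137[.]107", "AS56902", "LB", date(2023, 10, 16), date(2023, 10, 17)),
]

# Constructed control record: a domain parked on one documentation-range IP for its whole history.
STABLE_HISTORY = [
    Resolution("stable.example", "203.0.113[.]10", "AS64496", "XX", date(2022, 1, 1), date(2023, 10, 17)),
]


def churn_summary(records, window_days=7, min_distinct_ips=3):
    """Find the busiest window of new resolutions for one domain.

    A window opens at each observation's first_seen date and spans window_days.
    Inside it we count distinct IPs, ASNs and countries first seen; the window
    with the most distinct IPs is reported, plus how long the earliest IP was
    stable before any change (prior_tenure_days).
    """
    ordered = sorted(records, key=lambda r: r.first_seen)
    summary = {
        "domain": ordered[0].domain if ordered else None,
        "window_start": None,
        "distinct_ips": 0,
        "distinct_asns": 0,
        "distinct_countries": 0,
        "prior_tenure_days": (ordered[0].last_seen - ordered[0].first_seen).days if ordered else 0,
        "flagged": False,
    }
    for start in ordered:
        end = start.first_seen + timedelta(days=window_days)
        inside = [r for r in ordered if start.first_seen <= r.first_seen <= end]
        ips = {r.ip for r in inside}
        if len(ips) > summary["distinct_ips"]:
            summary.update(
                window_start=start.first_seen,
                distinct_ips=len(ips),
                distinct_asns=len({r.asn for r in inside}),
                distinct_countries=len({r.country for r in inside}),
            )
    summary["flagged"] = summary["distinct_ips"] >= min_distinct_ips
    return summary


if __name__ == "__main__":
    for history in (ALQASSAM_HISTORY, STABLE_HISTORY):
        print(churn_summary(history))
```

Run over Table 1, the busiest window opens on October 11, 2023 and contains four distinct IPs in four ASNs across three countries, after 866 days on a single IP; the stable control never crosses the threshold. In a real pipeline the ASN and country columns would come from an enrichment source rather than being typed in by hand.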
**Table 1: Resolution history of alqassam[.]ps**

|Domain|IP Address|ASN|Registrar|WHOIS Data|First Seen|Last Seen|
|---|---|---|---|---|---|---|
|alqassam[.]ps|5.45.81[.]22|IROKO Networks Corporation (Panama) (AS12722)|"Maktab"|ahmed.alqassam@gmail[.]com, omar_mano@msn[.]com, "Ehab Ahmad", "Mohammed"|10-15-2023|10-17-2023|
|alqassam[.]ps|45.142.137[.]107|Energy Bridge Sarl (Lebanon) (AS56902)|||10-16-2023|10-17-2023|
|alqassam[.]ps|85.202.95[.]107|Khodor Kanso Access Lebanon (Lebanon) (AS199239)|||10-15-2023|10-16-2023|
|alqassam[.]ps|185.209.31[.]193|Hosting Technology LTD (Russia) (AS48282)|||10-11-2023|10-14-2023|
|alqassam[.]ps|176.114.6[.]214|Oleksandr Siedinkin (Ukraine) (AS56485)|||05-28-2021|10-11-2023|

|SHA256 Hash|File Name|Creation Timestamp|First Seen (Analysis)|
|---|---|---|---|
|04880196c8927d7fcaf32d6cc55f5b7a33858f65de70a968efc0ea8d9f7221c2|alqassam_app.apk|01-01-1981|10-10-2023|
||Kasman_1001.apk|||
||198972|||

|Domain|IP Address First Resolved|ASN|Registrar|First Seen (UTC)|
|---|---|---|---|---|
|isabeljwade[.]icu|198.54.117[.]210[2]|AS22612|NameCheap|04-27-2023 9:20 AM|
|francescatmorrison[.]icu|198.54.117[.]210|AS22612|NameCheap|04-27-2023 9:20 AM|
|jayyburrows[.]icu|198.54.117[.]210|AS22612|NameCheap|04-27-2023 9:20 AM|
|jessicakphillips[.]icu|198.54.117[.]210|AS22612|NameCheap|04-27-2023 9:20 AM|

**Table 3: Newly identified domains matching TAG-63 domain registration tradecraft linked to the Qassam Brigades websites (Source: Recorded Future and DomainTools)**

[2] This IP address is hosting legitimate domains and should not be assessed as attacker-controlled infrastructure. This IP address is linked to the TAG-63 domains, however, via "First Seen" domain registration data.
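The report ties the Table 3 domains together by two observable properties: they embed the same Google Analytics code and they redirect to alqassam[.]ps. The block below is an added example, not code from the report or from Recorded Future, showing how an analyst can reproduce that pivot over fetched page content: it pulls Google Analytics property IDs (classic `UA-` and GA4 `G-` formats) and the redirect target (HTTP `Location` header, `<meta http-equiv="refresh">`, or a JavaScript `location` assignment) out of each page and groups domains that share an ID. The HTML snippets, the `UA-000000000-1` identifier and the `unrelated-blog.example` control are constructed placeholders; the report does not disclose the real Analytics code.

```python
import re
from collections import defaultdict

# Google Analytics property IDs: classic "UA-<account>-<property>" and GA4 "G-<id>".
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\">\s;]+)", re.I)
JS_LOCATION_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I
)
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/?#]+)", re.I)


def extract_ga_ids(html):
    """Return the sorted set of Google Analytics IDs referenced anywhere in the page."""
    return sorted(set(GA_ID_RE.findall(html)))


def extract_redirect_target(html, headers=None):
    """Return the first redirect target found, checking header, meta refresh, then JS."""
    for name, value in (headers or {}).items():
        if name.lower() == "location":          # HTTP-level redirect wins over the body
            return value
    for tag in META_TAG_RE.findall(html):
        lowered = tag.lower()
        if "http-equiv" in lowered and "refresh" in lowered:
            m = META_URL_RE.search(tag)
            if m:
                return m.group(1)
    m = JS_LOCATION_RE.search(html)
    return m.group(1) if m else None


def host_of(url):
    """Strip scheme and path so defanged hosts such as alqassam[.]ps compare cleanly."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def find_shared_analytics_clusters(pages, min_size=2):
    """Group domains by shared Analytics ID; pages maps domain -> (headers, html)."""
    by_id = defaultdict(dict)                    # ga_id -> {domain: redirect host or None}
    for domain, (headers, html) in pages.items():
        target = extract_redirect_target(html, headers)
        for ga_id in extract_ga_ids(html):
            by_id[ga_id][domain] = host_of(target) if target else None
    clusters = {}
    for ga_id, members in by_id.items():
        if len(members) >= min_size:
            clusters[ga_id] = {
                "domains": sorted(members),
                "redirects_to": {d: t for d, t in members.items() if t},
            }
    return clusters


# Constructed sample pages keyed by (defanged) domain; the Analytics ID is a placeholder.
SAMPLE_PAGES = {
    "isabeljwade[.]icu": ({}, '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=UA-000000000-1"></script>'
                              '<script>gtag("config","UA-000000000-1");</script>'
                              '<meta http-equiv="refresh" content="0; url=https://alqassam[.]ps/"></head></html>'),
    "francescatmorrison[.]icu": ({"Location": "https://alqassam[.]ps/"},
                                 '<html><head><script>gtag("config", "UA-000000000-1");</script></head><body>Redirecting</body></html>'),
    "jayyburrows[.]icu": ({}, '<script>gtag("config","UA-000000000-1");</script>'
                              '<script>window.location = "https://alqassam[.]ps/news";</script>'),
    "jessicakphillips[.]icu": ({}, "<script>gtag('config','UA-000000000-1');</script>"
                                   "<script>window.location.href='https://alqassam[.]ps/';</script>"),
    "unrelated-blog.example": ({}, '<script>gtag("config","G-PLACEHOLD1");</script><p>Nothing to see.</p>'),
}


if __name__ == "__main__":
    for ga_id, cluster in find_shared_analytics_clusters(SAMPLE_PAGES).items():
        print(ga_id, cluster)
```

On the sample input the four `.icu` domains collapse into one cluster keyed by the placeholder ID, each with alqassam[.]ps as its redirect host, while the control domain with its own ID is left out because no second site shares it. A shared Analytics ID is a strong link but not proof of common operation (copied templates and site builders reuse IDs), which is why the redirect target is recorded alongside it as a second, independent signal.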
|Domain|IP Address First Resolved|ASN|Registrar|First Seen|
|---|---|---|---|---|
|nikanps[.]top|91.107.188[.]236|AS24940|CSL Computer Service Langenbach GmbH|05-09-2023 1:59 AM|

**Figure 6: (Left) Qassam Brigades flag observed in the background of an uploaded video to the compromised website; (Right) Anonymous Gaza defacement page (Source: DomainTools)**

#### Network Intelligence

Recorded Future Network Intelligence revealed an increased level of traffic to alqassam[.]ps and the associated IP addresses that we investigated, which overlapped with the start of the ground attack into Israeli territory on October 7, 2023. The sustained traffic peaked and started to decline by October 10. We observed the network traffic expected for a website, including connections to ports 80 and 443 from globally dispersed IP addresses.

**Figure 7: Visualization of network communications to IP addresses hosting alqassam[.]ps (Source: Recorded Future)**

## Appendix A — Indicators[3]

[3] Please note that this infrastructure is not entirely reflective of malicious attacker-controlled infrastructure. In some instances, such as with 198.54.117[.]210, the infrastructure highlighted was purely to indicate a "First Seen" record. Researchers should evaluate each indicator for malicious activity within their networks.
## About Insikt Group®

Recorded Future's Insikt Group, the company's threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption.

## About Recorded Future

Recorded Future is the world's largest threat intelligence company. Recorded Future's Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,700 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence. [Learn more at recordedfuture.com.](http://www.recordedfuture.com/)