After Gaza ceasefire, MoleRATs hacking group continues to target Middle Eastern governments

A Palestinian man walks past a destroyed building in Gaza City on May 16, 2021, after an Israeli bombardment of the Hamas-controlled territory. (Photo by MOHAMMED ABED/AFP via Getty Images)

Days after Israel and Gaza-based militant group Hamas agreed to a ceasefire in May, Arabic-speaking hackers resumed an effort to break into government networks in the Middle East, according to research published Thursday.

The hacking group, known as MoleRATs, sent target organizations a malware-laced PDF claiming to be a report on Hamas members meeting with the Syrian government, security firm Proofpoint said. The malicious code is able to access files and take screenshots on a victim’s computer in furtherance of a spying campaign.

It’s an example of how, alongside the violence that has long marked the Israel-Palestine conflict, there are often much subtler efforts by digital spies to access networks.

It’s unclear what caused the hacking group to take a two-month break starting in March, or why it resumed activity in early June. Proofpoint analysts speculated that either the Muslim holy month of Ramadan or the latest Israel-Hamas conflict, which left hundreds dead, may have played a part. But analysts couldn’t “confirm either hypothesis with high confidence.”


MoleRATs is one of the more opportunistic hacking units in the Middle East, and often seizes on headlines of regional conflict to try to dupe targets into clicking on links. After the U.S. military killed Iran’s top general in January 2020, MoleRATs sent malicious emails to targets purporting to contain news of the general’s funeral.

Proofpoint says the group appears to support “military or Palestinian state objectives.” And while Israeli firm ClearSky has linked MoleRATs to Hamas, Proofpoint said it didn’t have evidence tying MoleRATs to a specific militant group.

The latest MoleRATs spearphishing campaign uses an updated version of a hacking tool first noticed in December by security firm Cybereason. Then and now, the attackers are using the popular file-sharing platform Dropbox to siphon off data from targets.

Proofpoint declined to reveal the targets of the recent MoleRATs hacking.

The Israeli government, known for its own hacking prowess, singled out Hamas’ alleged cyber capabilities during the recent fighting. The Israeli Air Force on May 19 said that it had attacked an apartment in Gaza that Hamas members used for offensive cyber capabilities.


Security analysts have exposed multiple hacking operations linked with Palestinian organizations in recent months. Facebook’s security team in April said they had taken down accounts and blocked internet domains associated with separate groups linked with Hamas and the Palestinian Authority.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
