Hamas' cyber soldiers. The first drop in the "Al-Aqsa Flood"

A report by the American newspaper "The New York Times" revealed that video footage taken from cameras installed on the heads of members of the Islamic Resistance Movement "Hamas" who were martyred in the operation "Al-Aqsa Flood" on October 7, showed that they knew a lot of information and secrets about the Israeli army and its weaknesses. The attackers gained access to the server room of an IDF post with information they had.

The newspaper notes that these footage provides what it described as "terrifying" details about how the Qassam Brigades managed to surprise one of the most powerful armies in the Middle East.

Experts have many theories about how the Palestinian resistance obtained this information, and some have even suggested that the group has spies in the Israeli army.

But what many have overlooked is that Hamas has a cyber warfare strategy that it began a decade ago, and is still developing it rapidly, which writer Simon B. Handler warned about in a report prepared for the Atlantic Council's Cyber State Management Unit – a member of the Digital Forensic Research Laboratory – published at the end of 2022.

It is noteworthy in Handler's report that he directed his warnings to the United States, not to Israel, which confirms the great danger of these cyber capabilities and what they could change in the balance of power on the ground, calling for the need to understand Hamas' strategy and know how to deal with it in a different way.

Cyberspace is often an important opportunity for those with limited capabilities and lack resources to compete with their relatively stronger counterparts. Therefore, they are increasingly interested in acquiring offensive capabilities and integrating them into their tools to further their strategic objectives.

While the U.S. cyber strategy focused on the four of its main enemies: China, Russia, North Korea, and Iran, the cyber warfare strategy of Washington and its allies, including Israel, failed to predict Hamas's cyber capabilities, offensive and intelligence capabilities.

Green Berets

Hamas is known for its banners and Asa'ib al-Khidr on the heads of its fighters that carry the word of monotheism. Coincidentally, the green color is the same as what sets it apart in cyberspace as well.

According to the cyber community's classification, Hamas is considered a "Green Beret Warrior," a different category from other classifications, such as black berets, white hats, and elite hackers.

What is distinctive about this green classification is that its members are considered "cyber warriors", not "pirates" like the rest of the classifications, although some tolerate calling them pirates with green hats in order to unify the name. But security experts distinguish the Green Berets as continuing to develop their capabilities to become stronger, and that their motives have a political and ideological dimension, not financial, subversive, or even security.

Security experts say cyber warriors with green berets develop their capabilities to become more powerful (Medgerny)

Why did Hamas choose cyberspace?

Hamas has its own motives for developing offensive cyber capabilities, and by examining its operations, these motives can be understood and consistent with its grand strategy.

1- Propaganda and recruitment

Hamas's strong online presence contributes to recruitment, information, and other media goals, and attention to the cause the movement defends, all of which are key drivers for maintaining the movement's relevance and presence among the people.

The Atlantic Council report argues that the movement uses social media to mobilize the Palestinian street and urge resistance against Israel. But while this role is important for social media and Hamas's sophisticated propaganda tools, the digital threat it poses in cyberspace to Israel is far greater than propaganda.

2- Beating in the dark

Despite Hamas's hardline stance toward Israel, the movement's leaders recognize Israel's military and technical strength, and know the arenas in which the group can achieve significant successes, while exercising strategic restraint to avoid potentially devastating reprisals.

Cyberspace, where unknown activity is easy and the perpetrator is difficult to identify, is one of Hamas's favorite arenas, as it knows very well that any discovery of its existence will bring it disaster on the ground, so it avoids some cyber operations that may be carried out by other parties working for countries such as Russia or China.

Hamas avoids targeting Israeli infrastructure with subversive malware, knowing that doing so would expose it to Israeli retaliation, and it does not spread ransomware that seeks money as many other organizations do.

The movement's strategic plan is based on two main objectives: first, to gather intelligence on the Israeli army and soldiers or their agents, and second, to spread disinformation that pursues military or propaganda counter-goals to break the morale of Israelis.

This strategy not only protects the movement from Israeli retaliation, but also from the resentment of the countries that support it, and allows it to margin of maneuver needed in its long-term military plan, and therefore these operations are an effective complement to military operations on the ground, as we witnessed in the last major operation: the "last Al-Aqsa flood."

Hamas does not target Israeli infrastructure with malicious and destructive software, because it knows that doing so could expose it to Israeli retaliation (Al Jazeera)

3- Low costs

The Atlantic Council report warns against underestimating Hamas's cyber capabilities, as although it is considered relatively weak and lacks the sophisticated tools that other hackers might have, many security experts were surprised by its capabilities, despite Israel's control over communications frequencies and infrastructure, as well as the chronic shortage of electricity in the Gaza Strip.

Tel Aviv views Hamas's offensive cyber threat as a high-risk threat, and in 2019 it thwarted a Hamas cyber operation, and the Israeli army carried out a strike to destroy what it said was Hamas's "cyber headquarters," targeting Amara in the Gaza Strip, one of the first operations recognized by the army in response to a cyber operation.

However, despite the IDF Spokesperson's claim that "Hamas no longer possessed cyber capabilities after our strike," numerous reports highlighted cyber operations carried out by the group in the following months and years.

The Israeli army announced after the bombing of a Hamas headquarters that it no longer had electronic capabilities (Israel Defense Forces)

4- Tactical development

Of course, Israel is the main target of Hamas's cyber espionage, and these operations have become commonplace over the past few years, gradually evolving from general and common tactics to more detailed and complex methods.

The victims of Hamas's green hats were initially from a variety of targets, including the government, military, academic, transportation and infrastructure sectors, and they were keen to withhold information revealing the existence of hacking incidents of the IT departments of these institutions, for fear that their targets would be exposed.

Later, Hamas hackers implemented various tactical updates to increase their chances of success. In September 2015, the group began using embedding technology instead of attachments, non-pornographic temptations such as car accident videos, and additional encryption of leaked data.

Another campaign in February 2017 included a more personalized approach using social engineering and various techniques to target IDF personnel themselves with malware from fake Facebook accounts.

These operations demonstrate Hamas's strength on two levels: first, its ability to penetrate and steal valuable materials from Israel, and second, its audacity to carry out attacks in support of the Palestinian national cause.

Distortion is another tool in Hamas's cyber arsenal. This type of operation—a form of online sabotage that usually involves hacking a website to spread propaganda—is not so much destructive as it is disturbing, and aims to embarrass Israel, even temporarily, and to have a psychological impact on the targets and the public.

In 2012, during Israel's Operation Cast Lead in the Gaza Strip, Hamas claimed responsibility for attacks on important Israeli positions, including the IDF's Home Front Command, asserting that these cyber operations were "an integral part of the war against Israel."

These operations have proven their ability to reach wide audiences through distortion techniques. During the war on Gaza in July 2014, Hamas gained access to Israel's Channel <> satellites, broadcasting for a few minutes images of Palestinians injured in Israeli airstrikes on the Gaza Strip and a threat in Hebrew that read, "If your government does not agree to our terms, prepare for a long stay in shelters."

Hamas has also turned to sympathizers around the world, inspiring individual hackers to resist Israel and debunk its narrative, leading to the defacing of websites belonging to the Tel Aviv Stock Exchange and the Israeli airline El Al by Arab hackers.

No dome in cyberspace

Like Hamas's rocket program, which began with primitive short-range, inaccurate Qassam rockets, Hamas's cyber program began with unsophisticated tools. But over the years, as the group has acquired advanced, accurate, long-range missiles, so has its cyber capabilities in terms of scale and complexity.

The recent "Al-Aqsa Flood" operation showed what security experts were warning about: that the Iron Dome, which is supposed to protect Israel's atmosphere from resistance missiles, can never protect it in cyberspace.