APT-C-23 / Gaza Cybergang Operations
2018 – 2022 (ongoing, landmark incidents)
Executive Summary
A Hamas-linked threat actor conducting espionage against Palestinian Authority officials, Israeli military and security personnel, and regional governments using sophisticated mobile malware and social engineering. Its operations demonstrate that non-state armed groups in conflict zones have developed persistent cyber espionage capabilities comparable to some state programmes.
Why This Matters
Gaza Cybergang operations demonstrate that non-state armed groups can develop persistent cyber espionage capabilities, complicating the state-centric framework of international cyber norms and raising questions about accountability in asymmetric conflict.
Escalation Profile
7-Dimension Profile
Escalation Ladder
Phases
Mobile espionage campaigns
Deployed custom Android spyware through fake messaging and dating applications targeting Israeli military personnel and Palestinian Authority officials.
Evolved tradecraft
Updated mobile malware with improved evasion techniques; expanded targeting to include regional diplomatic targets in Egypt and Gulf states.
Threshold Crossings
- Non-state armed group maintaining a persistent, multi-year cyber espionage programme
- Targeting of an occupying military's personnel through social engineering at scale
Restraint Factors
- Operations remained focused on intelligence collection, not disruption
- Mobile malware designed for stealth and persistence rather than destruction
Attribution Assessment
Threat actor mapped to Palestinian Territories (Hamas-linked) based on infrastructure analysis, malware attribution, and operational patterns.
Evidence: ESET: APT-C-23 targets Middle Eastern users with fake messaging apps; Check Point: Gaza Cybergang Threat Intelligence Report
- Israeli security services reported disruption of some campaigns
- Google and Apple removed malicious applications from app stores upon vendor notification
No dedicated journalistic sources in dataset. See sources section for full references.
“Moderate Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Unpeace Score
Composite severity rating on the peace–conflict spectrum
Contributing Dimensions
Coercive Function
Espionage
Intelligence collection — coercive value lies in the information advantage gained and the implicit signal that the adversary can access sensitive systems.
Observed coercive effects
- Non-state armed group maintaining a persistent, multi-year cyber espionage programme
- Targeting of an occupying military's personnel through social engineering at scale
Entanglement Risk
Sectors affected
Countries / regions
Impact summary
Sustained espionage against Israeli military personnel and PA officials; intelligence value of exfiltrated data unknown.
Infrastructure Meaning
Malware / tooling
Capability profile
Sustained espionage against Israeli military personnel and PA officials; intelligence value of exfiltrated data unknown.
3 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Governance Flags
Norms invoked
- Application of cyber norms to non-state armed groups in conflict zones
- Dual-use mobile surveillance capabilities
Policy responses
- Israeli security services reported disruption of some campaigns
- Google and Apple removed malicious applications from app stores upon vendor notification
Regulatory changes
- Informed Israeli military mobile device security policies
Governance impact assessment
Demonstrated that non-state armed groups in protracted conflict zones can develop and sustain cyber espionage capabilities, challenging the state-centric framing of most international cyber norm discussions.
Sources
ESET: APT-C-23 targets Middle Eastern users with fake messaging apps
Check Point: Gaza Cybergang Threat Intelligence Report
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
India–Pakistan Cyber
2016 – 2019 (multiple incidents) · India / Pakistan (reciprocal)
India-Pakistan cyber operations represent the most documented case of sustained reciprocal cyber espionage between regional nuclear-armed adversaries, demonstrating that cyber conflict dynamics extend well beyond the US-Russia-China axis.
SolarWinds
March 2020 – December 2020 · Russia
SolarWinds exposed systemic supply chain risk in government IT and triggered the most sweeping US cybersecurity executive order in a decade, reshaping federal procurement and zero-trust policy.
Exchange/Hafnium
January – March 2021 · China
Hafnium demonstrated how a targeted espionage operation can metastasize into a mass-compromise event affecting tens of thousands, and prompted the widest coalition cyber attribution ever directed at China.
Australia Parliament
January – February 2019 · Unknown (officially); China (widely assessed)
The compromise of a parliament and major parties during an election cycle demonstrated that cyber espionage against democratic institutions is a live risk, even when the collected intelligence is never publicly weaponized.