
Israeli cyber researchers revealed that what for years had appeared to be a criminal hacker group operating for profit - attacking hundreds of organizations, demanding ransom and selling malicious tools - was in fact an attack and financing arm of Hezbollah.
According to the study, the hackers concealed their ideological activity under the cover of ordinary digital crime, and operatives worked in civilian companies without arousing suspicion. At the center of the exposure was a young student from Lebanon who served as a programmer at technology firms while simultaneously running an attack network for Hezbollah.
The research was carried out by Israeli cyber firm DOS-OP and the Alma Center for the Study of Security Challenges in the Northern Arena, and identified Karim Fiad, a man from southern Lebanon in his twenties, as the operator of the BQTLock ransomware network.
According to the researchers, Fiad and his group operated a clearly criminal model that included theft of funds, ransom demands and the sale of attack tools - a model called "ransomware-as-a-service". But, the study alleges, behind the criminal cyber activity was a system coordinated with Hezbollah's cyber force that served both for financing and for achieving ideological aims. Fiad's group succeeded in encrypting more than 540 servers worldwide and stealing sensitive information on a large scale.
Fiad, a computer engineering student at the American University of Beirut, simultaneously worked in civilian high-tech companies and specialized in developing artificial intelligence systems. The researchers note that behind this civilian activity there were "double lives": Fiad was active in the Imam al-Mahdi Scouts, Hezbollah's youth wing, and used the professional tools he learned to run an international attack network for the organization.
According to the study, the group also attacked infrastructure in Israel, including Ben-Gurion Airport and telecommunication providers like Bezeq and Partner, and claimed responsibility for attacks on defense companies, although cyber researchers question some of the latter claims. Outside Israel the group attacked medical systems in India, mining servers in Saudi Arabia and schools in the United Arab Emirates.
According to Tal Bari, research director at the Alma Center, the serious implication of the exposure is that "ransomware attacks are not only digital crime but part of a system that links security, ideological and economic interests."
