The Iron Swords War – Cyber Perspectives from the First 10 Days of the War in Israel

Highlights:

1. Increased Cyber Activity: Various hacktivist groups, aligning with different geopolitical interests, have intensified their cyber operations aiming to influence the narratives and disrupt online entities associated with Israel.
2. Rise in attacks: Check Point Research noted an 18% rise in cyberattacks targeting Israel recently. Specifically, there’s a marked increase in attacks on the government/military sector – a 52% surge compared to the weeks leading up to October 7.
3. Diverse Cyber Threats: The cyber threats are multifaceted, ranging from Distributed Denial of Service (DDoS) attacks by hacktivist groups to hack and leak activities against Israeli websites.
4. Emerging Concerns and Players: The article underlines three escalating trends that might intensify the cyber conflict: Russian-affiliated hacktivist groups shifting their focus to Israel, the introduction of Iranian government-backed hacktivist groups, and the participation of cybercriminals eyeing financial gains amidst the conflict. Moreover, sophisticated cyber actors with significant capabilities are entering the scene, heightening risks and tensions in the cyber battleground.

On October 7th, at 6:37 AM, Hamas invaded Israel, triggering significant unrest. Within an hour, by 07:33 AM, the Russian-affiliated group, Anonymous Sudan, purportedly claimed responsibility for potentially disabling an Israeli civilian app designed to alert citizens about missile attacks.

Background

The war that began on the morning of October 7 between Israel and Hamas, known as “Iron Swords”, has also attracted the attention of many threat actors in cyberspace. Much like the Russian-Ukrainian war, there are many individuals and groups trying to leverage cyberspace as an added battlefield, aiming not just to inflict harm but often to orchestrate information campaigns and mould global narratives.

The cyber domain mirrors global diplomatic alignments. With both Russia and Iran publicly supporting Hamas, various Middle Eastern, Islamic, and Russian-affiliated hacktivist groups began reporting hundreds of attacks on Israeli digital entities. However, as of this writing, the effects of these attacks on Israel and affiliated entities have been minimal.

Data collected from Check Point sensors shows that as the war continues, cyberattack attempts increase.  During the past few days, Check Point Research observed an 18% increase in cyberattacks on targets in Israel, compared to the first few days of the war. We see a special focus on the government/military sector, with a 52% increase in the number of cyberattacks compared to the average in the weeks before October 7. The global trend in this specific sector shows a 4% decrease in the same timeframe.

This analysis delves into cyber activities as shared by self-proclaimed collectives on platforms like Telegram, the Dark Web, and various open-source intelligence (OSINT) channels.

So far, only a handful of attacks have had a tangible impact. However, three evolving trends that could turn the tide of the cyberwar against Israel are becoming evident:

1. Russian-affiliated hacktivist groups are now focusing on Israel

2. Iranian government-backed hacktivist groups are entering the conflict

3. Opportunistic cybercriminals are exploiting the war to launch ransomware attacks

DDoS Attacks

Since the war began, we have registered hundreds of claims of DDoS attacks by dozens of hacktivist groups. Active groups in this area include pro–Islamic groups like “Ghosts of Palestine”, “Team_insane_Pakistan”, and more. The impact of the vast majority of those attacks was very limited in terms of disruption, as these were executed against either very small websites in Israel or lasted for mere seconds to minutes.

Claims of DDoS attacks have included government entities and major companies, such as the Bank of Israel, the Cellcom cellular company, the Israeli Parliament (known as the Knesset), and more. However, most disturbances had only minor effects, if at all.

One relatively successful DDoS attack has been against the Jerusalem Post website desktop version and was claimed by both Team_insane_Pakistan and Anonymous Sudan. Disruptions to the Jerusalem Post website continued for approximately two days.

Hack and Leak and Disruptive Activities

Since the beginning of the war, multiple claims of hack-and-leak, and defacement activities against Israeli websites and organizations have been posted on various Telegram channels. However, most of the cases have been proven to be reposts of old leaks, or of publicly available data. The successful cases have mostly been against very small websites and organizations.

Of the claimed activities in this area, the most noteworthy are the “Ono Academic College” hack and leak, and the hacking of electronic billboards.

On October 8, a new Telegram channel belonging to a previously unknown group called “Malek Team” appeared and posted claims of hacking into “Ono Academic College”, a private college in Israel. They displayed personal data allegedly stolen from staff and students, including campus CCTV videos. The college subsequently had to take some of its systems offline.

Another successful attack took control of a few electronic billboards in Israel for a short time and used them to post images supporting Gaza. No one claimed responsibility for this attack.

Following is how the attack looked on the CTV billboard with a Palestine flag (screenshot from the Cyber News Telegram channel):

Several groups claimed to have hacked, stolen, and published data from various Israeli entities, including Israeli hotel chains. Most of those claims were not confirmed.

Forward Outlook:

As mentioned earlier, we are currently observing the beginning of three developments that if continued, can lead to increased risks and tension in the cyber battleground. In addition, we see the emergence of more mature cyber actors with highly significant capabilities. Among these are various Russia-affiliated hacktivist groups, Iranian-affiliated groups and ransomware cybercrime groups.

Attention Shift of Russia-Affiliated Hacktivists Groups

Since the first hours of the war, we have observed a gradual shift of attention of major Russian-affiliated hacktivists group like Killnet and Anonymous Sudan away from their regular narrative against Ukraine and Western countries, to an extreme narrative against Israel.

These groups (and groups directly linked with them) post, repost and quote a variety of abusive content against Israel and Israeli interests, and associate and draw parallels between Israel and Zionism and Nazism; a narrative that previously was widely used by such groups about Ukraine.

In the first days of the war, Killnet used Google Translate to post an alleged explanation in Hebrew for the shift in their attention from Ukraine to Israel:

It is worth noting that of all the hacktivist groups, the Russian-affiliated Anonymous Sudan was the first to jump onto the battlefield. They claimed that as early as Saturday morning October 7 at 07:33am, that the Israeli public alarm system Tzeva Adom was down. The group fully committed to the anti-Israeli effort and later announced their successful takedown of the Jerusalem Post site.

In addition, Anonymous Sudan and Killnet opened a shared channel for the purpose of activity against Israel, still without any claims of actual attacks posted there.

Cybercriminals Trying to Leverage the War for Financial Purposes

The war has also drawn financially motivated entities into the cyber battlefield. Ransomed.vc, a ransom group that recently began operations and has had a dozen high-profile victims in the last month, announced that the security situation in the region makes commercial entities more vulnerable to attacks and requested to buy initial access to entities in Israel, Palestine and Iran. The group later posted what they claimed was a healthcare-related data dump of Palestinian patients as an example of what they are looking for.

Iranian Government Affiliated Groups Entering the Battlefield ?

Adl Ali, a hacktivist group that emerged in late September 2022 during widespread protests against the Iranian regime following the death of Mahsa Amini, jumped into the fray on October 10, claiming to target Israeli infrastructure.

The group clearly represents the interests of the Iranian regime and presents itself as “Iran’s freedom-loving youth.” Their primary objectives until now have been to conduct informational operations targeting opposition entities and individuals. The group initially gained attention by asserting that they had obtained documents and chat records through a cyberattack on the Komala Party of Iranian Kurdistan and alleging the party’s involvement in a plot to sabotage the Iranian state in the “Mahsa Amini case.”

Until now, they have focused their efforts on a wide range of targets, including the family of Reza Pahlavi, the son of the last Shah of Iran and a leader of an exiled opposition group; Masih Alinejad, an Iranian-American women’s rights activist; and Nazanin Boniadi, a British actress with Iranian roots known for her activism for Iranian youth and women’s rights.
Currently, there seems to be a shift in their focus, with an announcement that they “launched a cyberattack on the vital infrastructure” of Israel. However, one week later, no specific targets or damage were publicly disclosed.

Conclusion and a look forward

The cyber implications of the Russian incursion into Ukraine and vice versa were significant, underscoring that wars in the digital age can impact a broader spectrum of entities beyond the primary parties involved. Roughly 20 months later, we observe an increase in activity by third-party groups that are taking a stance in the conflict, some of whom have taken measures that impact civilian digital infrastructure.

As the current conflict unfolds, it’s clear that various actors, like Hezbollah and Iran, are evaluating their strategic positions. Cyber warfare is anticipated to be a tool utilized by multiple entities on both fronts, regardless of their direct involvement in the ground conflict.

A question that arises is how entities such as Hamas, facing infrastructural challenges like power outages in the Gaza Strip, will navigate the cyber domain. While they may have operational units outside the Gaza Strip, maintaining consistent cyber operations with challenges at their core locations is indeed a hurdle.

Cyber warfare will undoubtedly play a pivotal role in shaping the trajectory of this conflict. Organizations, regardless of their geographic location, should take this time to enhance their cyber defenses, prioritize system updates, and refine their cybersecurity protocols.

 Do’s and don’ts in times of War

A time of regional war and conflict calls for individuals and organization to take extra special care and attention in any online activity.

We are calling for all to remain alert and aware. Here are some basic recommendations for such awareness:

• Awareness: Be aware of any medium and surface you interact with and remain vigilant and smart when receiving messages whether via email, text messages or online. Any message could be malicious or contain a link to malicious malware. Interact only with known senders
• Download software or apps from trusted sources only: Download your apps for either iOS or Android from trusted official sources only. Many threat actors will try and send out their malware disguised as a legitimate app
• Don’t click on unfamiliar links: Never click on links originating from unfamiliar sources, nor should you go online to links you are not familiar with. Pay attention to the URLs, is there anything usual or unfamiliar about them? By taking a minute to look for signs that a website may be fraudulent you can quickly identify its legitimacy.
• Up-to-Date Patches: Keeping computers & software up-to-date and applying security patches, especially those labelled as critical, can help to limit an organization’s vulnerability to attacks as such patches are usually overlooked or delayed too long to offer the required protection.
• Strengthening User Authentication: Enforcing a strong password policy, requiring the use of multi-factor authentication, and educating employees about various attacks designed to steal login credentials are all critical components of an organization’s cybersecurity strategy.