Growing Concern Over Role of Hacktivism in Israel-Hamas Conflict

Cyber Security Threat Summary:
Like the Russia-Ukraine conflict, Hacktivism has appeared on the threat landscape as a result of the ongoing Israel-Hamas crisis. While early attacks were focused on DDoS and defacement, cybersecurity experts are now warning of signs that more impactful attacks are being attempted.

“Researchers from Radware found that Israel endured 143 DDoS attacks between October 2 and October 10, making it the most targeted nation state during that period. These attacks were all claimed by hacktivists on the messaging service Telegram. Activity began on Saturday, October 7, the day Hamas launched its shock attack on Israel that began the conflict. On this day, 30 DDoS attacks were claimed by various groups. Subsequently, more than 40 claims were made on both October 9 and 10.” (Info Security Magazine, 2023).

According to Radware, attacks against Israeli government agencies made up 36% of the claimed DDoS attempts. This was followed by news and media (10%) and travel (9%). Claims were primarily made by pro-Palestinian hacktivist groups, including Indonesian threat actor Garnesia_Team, Moroccan Black Cyber Army and Anonymous Sudan. Pro-Russian threat group Killnet, which engaged in DDoS attacks targeting websites in countries that supported Ukraine following the Russian invasion, also claimed several attacks.

On October 9th, Group-IB reported that a pro-Palestinian hacktivist group called AnonGhost had exploited an API vulnerability in the “Red Alert” app, which provides real-time rocket alerts for Israeli citizens. In a post on X, Group IB explained: “In their exploit, they successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python scripts to send spam messages to some users of the app. According to the group’s chat logs detected by Group-IB’s Threat Intelligence system, they also dispatched fake messages about a “nuclear bomb’.”

Meanwhile, SecurityScorecard’s threat intelligence team noted that on October 10, hacktivist group SiegedSec claimed responsibility for a series of attacks against Israeli infrastructure and industrial control systems (ICS). Attacks on ICS could have severe consequences, with these systems used in essential services like energy and water. However, as of October 11, there is no indication that the IP addresses SiegedSec listed as targets have experienced denial of service attacks. “This could mean that these attempts were likely unsuccessful, though other explanations merit consideration,” SecurityScorecard said.

Security Officer Comments:
We expect cyber threat activity to continue as the Israel-Hamas conflict unfolds. While many attacks have been low-level DDoS and web defacements, it is clear that threat actors are looking to carry out higher impact attacks. “There is a lot of information being shared on underground forums and Telegram channels about ‘exposed infrastructure' but much of that turns out to be false, outdated or incomplete” (Info Security Magazine, 2023). That being said, with so many groups looking to make an impact, we can expect some to eventually be successful.

Russia has historically used destructive malware attacks against its adversaries. Ukraine especially has seen it’s fair share of destructive attacks. Back in 2015, the Russian based Sandworm group successfully attacked the Ukrainian power grid. In 2017, they used a piece of wiper malware called NotPetya in a series of costly attacks against Ukraine. This malware was wormable and spread quickly, impacting organizations across the globe.

While Israel has been in the cross-hairs of cyber actors, organizations globally should prepare for potential cyber threats coming from the region. Especially organizations that have publicly sided with Israel or Hamas.