Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks

Cyber Threat Summary:
Cyber Toufan, a sophisticated threat actor claiming to be formed of Palestinian state cyber warriors, has managed to target over 100 entities in Israel in the last couple of months. These series of attacks have been fueled by geopolitical tensions between Israel and Hamas, a pro-Palestinian militant group. The latest intrusions carried out by Cyber Toufan have led to the exfiltration of large amounts of data which is being released to the public web. In some cases, the actors are also intensifying their attacks by wiping the data off targeted systems, leaving them inoperable. Based on the tactics employed by this group, researchers suspect Cyber Toufan is likely sponsored by a government entity, with evidence pointing to a potential Iranian involvement.

Security Officer Comments:
Cyber Toufan’s intrusions mainly involve breaching servers, databases, and leaking information. According to cyber security researcher Kevin Beaumont, this group to date has leaked the data of 59 organizations on its telegram channel. This number increases to almost 100 as the group likely compromised 40 more organizations in a recent attack targeting a managed service provider. Based on observations of the data leaked, this includes complete server disk images, SSL certificates, SQL and CRM dumps, and even WordPress backups.

As mentioned above, in addition to exfiltrating data, the attackers are also employing data wipers. According to Beaumont, the actors are employing a legitimate tool called Shred, which is capable of deleting files in an unrecoverable fashion. What’s more, to prevent the process from being killed by administrators, the actors will run Shred using their own shell script. Due to these destructive attacks, Beaumont says that some of the victims have not been able to fully recover and have been offline for several weeks.

Suggested Correction(s):
It is unclear how exactly these actors are breaching servers and databases. However, this is likely through the exploitation of known vulnerabilities. As such organizations should regularly patch their systems when updates are readily available and maintain backups of mission-critical data.