The unprecedented assault by Hamas on Israel over the weekend brought with it cyberattacks by a number of known threat groups, echoing what was seen in the runup and aftermath of Russia’s invasion of Ukraine early last year.
It’s a reminder that wars going forward will be fought on multiple fronts, not only on the ground but also in cyberspace.
Julian Botham, a security consultant with Valencia Risk, pulled together a timeline showing that within an hour of the first sirens warning of incoming missiles into southern Israel the morning of October 7, a number of threat groups began cyberattacks on Israeli organizations.
Anonymous Sudan, a group that reportedly has links to Russia and has risen in profile in recent months, launched distributed denial-of-service (DDoS) attacks against emergency warning systems, including applications alerting Israelis to incoming missiles.
Hours later, the same group launched a DDoS attack against The Jerusalem Post, knocking its website offline. In a posting on X (formerly Twitter) on October 8, the news site said it was targeted by multiple cyberattacks, causing the site to crash.
“We’ll be back soon and will continue to be the top source of information on Operation Swords of Iron and the murderous attacks by Hamas,” the news site wrote.
That same night, another group, Cyber Av3ngers, which is aligned with Iran, claimed to have hacked the Israel Electric Corp., while Anonymous Sudan said it was continuing to target emergency alert systems.
On October 8, Cyber Av3ngers claimed to have compromised the DORAD power plant – the second largest such facility in Israel – and then leaked confidential documents on the Telegram messaging app.
Later in the day, Killnet – another Russia-aligned group – claimed that a DDoS attack took the Israeli government’s website offline and took responsibility for another attack that took down the website of the Israel Discount Bank, which is based in Tel Aviv and has 112 branches throughout the country.
Around the same time, a Palestinian hacker group, Ghosts of Palestine, sent out a Telegram message urging other cybercriminals to attack Israeli and U.S. private and public infrastructure.
Another hacktivist group, AnonGhost, exploited an API flaw in Israel’s RedAlert app, which delivers real-time alerts of incoming missiles to Israelis, according to cybersecurity firm Group-IB.
“In their exploit, they successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python scripts to send spam messages to some users of the app,” Group-IB wrote in an X post, adding that the group’s chat logs indicated it also sent fake messages about a nuclear bomb.
Group-IB added today that the app was removed from the Google Play store. The threat researchers wrote that after exploiting the API vulnerability, AnonGhost hackers said “all 10k to 20k users of this application” should have received the messages.
Group-IB said that “confirming the success of this attack would require exploiting the vulnerability, which is illegal. Such actions should only be conducted as part of a security assessment of the app and with the owner’s written consent.”
The researchers warned that while hacktivists typically conduct small-scale DDoS attacks and defacement, their actions can be devastating and costly and that organizations should examine and fortify all of their web-facing applications. Hacktivists see web and mobile APIs as “softer targets” compared to product APIs.
On the other side, a group called ThreatSec said it compromised the infrastructure of AlfaNet, an ISP based in Gaza. Other groups reportedly supporting Israel include India Cyber Force, Garuna Ops, Team UCC Ops and SilenOne.
A cybersecurity professional responding to Botham’s timeline noted that non-kinetic – or cyber – actions can have an impact in the real world.
“While cyber operations have been, historically, non-kinetic, I’m thinking we may see a shift,” he wrote. “A cyberattack on a power plant has the potential to produce kinetic results which will not only degrade operations amongst the local populaces, but it can also cause extensive chaos if there is any collateral damage in the event, [such as if] they were able to successfully destroy any of the regulators or anything that controls the natural gas systems.”
Another commentator, cybersecurity professional Raymond Razafimamonjy, noted that cyberthreats are now a part of any conflict.
“Most of those guys are APT [advanced persistent threat],” Razafimamonjy wrote. “It’s a war, and cyberwarfare is integrated as a permanent part of destabilization tools. And [a] DDoS attack is easy to do with the IoT increase currently, and open source malware for DDoS as MIRAI or/and PERSIRAI are still available and easy to use, thanks to Hacker As A Service.”
There also were reports about Palestinian cybergroups targeting Israel before the attacks. In a recent report, Microsoft threat intelligence researchers wrote that such a group, dubbed Storm-1133, was targeting energy, defense, and telecommunications firms in Israel’s private sector.
The group’s work is aimed at promoting Hamas interests in the Gaza Strip, according to the report.
Other targets include “entities loyal to Fatah, the dominant Palestinian political faction in the West Bank, which were historically targets of Hamas cyberattacks,” they wrote, adding they saw Storm-1133 “attempting to compromise third party organizations with public ties to Israeli targets of interest.”
In addition, Israeli President Isaac Herzog’s Telegram account was hacked in the days before the attack as part of an apparent online scam, with Herzog’s office suggesting it wasn’t tied to either a nation-state group or to the ongoing tensions with Palestine.
At a conference in June, Gaby Portnoy, director general of Israel National Cyber Directorate, outlined efforts the country was undertaking to strengthen its cyber defenses and noted cyberattacks that were being carried out against Israel by groups linked to Iran and Hezbollah, a militant group in Lebanon. He warned that such attacks would bring retribution.