Israel-Hamas Conflict: The Escalation Of Cyberwarfare

Uploaded on 2024-07-25 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, INTELLIGENCE--International, FREE TO VIEW

On October 7th, 2023, the world was shocked by the surprise invasion of Israel by the paramilitary wing of Hamas. Hundreds of Israeli hostages were taken by Hamas, more than 1,160 Israelis were killed, and thousands were injured.

The aftermath resulted in the death of tens of thousands of civilians in Gaza. Throughout the conflict, the concept of ‘hybrid warfare’ has materialized, blending kinetic and cyber operations that extend the battlefield beyond traditional geographic lines. 

The Unfolding of Cyberwarfare

In the days following Hamas’ invasion, Iranian state-aligned cyber actors launched a series of attacks to leverage the kinetic military operations of Hamas to support the “Shadow War” against Israel.

  • Phase 1 was launched within the hours and days immediately following the invasion and primarily involved simple opportunistic hack-and-leak efforts against Israeli assets.
  • Phase 2 was initiated by mid-October, during which time the volume of attacks escalated and morphed into more destructive efforts, such as the deployment of wiper malware and the targeting of Industrial Control Systems (ICS), as well as mass influence campaigns against pro-Israeli entities to sow confusion and undermine support for ground operations.
  • Phase 3 began in November and continues today. This phase involves attacks that have become more advanced in capability and capacity as targeting, strategy, and prioritization have developed between both the state and state-aligned groups. 

Cyber-Attack Patterns 

Since the Hamas invasion, Tehran-aligned cyber operations have become more focused on undercutting public support for the war and compromising rival infrastructure. We have assessed this to involve the state objectives of:  

  • Undermining Israel and its allies within the cyber domain.
  • Attempts to shape the information environment.
  • Creating the perception of weakness in Israeli defenses.
  • Diminishing global backing of Israel by emphasizing the damage caused by Israeli counter-distribution efforts against Palestinians within Gaza.

We have noticed a shift towards a more proactive operational approach against Israeli assets as opposed to the reactive posture that was adopted following the initial invasion.

This operational approach involved surging wiper malware, ransomware, and mobile spyware deployment against the Israeli government, finance, technology, and defense sectors.

This tactic likely aimed to sabotage rival Critical National Infrastructure (CNI) and conduct intelligence gathering to bolster the state’s position within the ongoing conflict. Iranian state-aligned cyber actors have also launched phishing campaigns against national security think tanks, diplomats, former military personnel, non-governmental organizations (NGOs), and Middle Eastern affairs experts within the Western education sector to gather intelligence on critical decision-makers. 

Regarding Iranian state-aligned Influence Operations (IO), Iran has demonstrated a significant investment in hack-and-leak operations to compromise victims and release extracted data.

These Influence campaigns have expanded to include masquerading as Tehran’s allies, including the Izz ad-Din al-Qassam Brigades (IQB), the Hamas military division, a phenomenon that previously involved solely impersonating rival entities. 

Psychological warfare components of Iranian state-aligned cyber-IO involve leveraging artificial intelligence (AI) and SMS and email delivery to exaggerate the claims of Tehran-aligned influence campaigns. These components were an attempt to turn global public perception against Israel and manipulate Israeli citizens to engage in on-the-ground activities.

Hacktivist Campaigns

Pro-Iranian hacktivist collectives have launched a series of Distributed Denial-of-Service (DDoS) attacks, web defacement efforts, and data breaches aimed at companies within Israel and its allied states, such as the U.S. These operations, involving numerous hacktivist actors including Anonymous Sudan and Ghosts of Palestine, began immediately following the invasion on October 7th and are still as prominent to the current date.

As the conflict has progressed, we have detected a notable development within the hacktivist threat landscape involving Iranian state-backed advanced persistent threat, or APT, units masquerading as hacktivists as a smoke screen to initiate sophisticated state-level campaigns under the guise of DDoS attacks. We have assessed that this ‘faketivist’ phenomenon has been adopted by the following Tehran-aligned cyber actors:

  • The Karma Power hacktivist persona acting as a front for the BANISHED KITTEN APT unit.
  • The SPECTRAL KITTEN nation-state actor operating under the Malek Team hacktivist identity.
  • The HAYWIRE KITTEN APT operating under the Cyber Toufan hacktivist outfit.

These cyber forces have likely adopted this expanded profile to create plausible deniability for the state and to persuade the public that their attacks are grassroots-inspired, thus intending to boost the morale of their national supporters.

The ‘Axis of Resistance’

As the Middle East conflict progresses, we observe collaborative efforts within the cyber domain by Iranian proxy group members of the ‘Axis of Resistance’ alliance. This informal Iranian state-backed political and military coalition consists of numerous entities, including the Gaza-based Hamas, the Lebanon-based Hezbollah, and the Yemeni Houthi rebel faction. The coalition members are unified by the objective of countering the influence of Israel, the Democratic West, and specific Arab nations within the Gulf region.

Numerous cyber campaigns attributed to the coalition have likely been implemented and synchronized, allowing several threat actors to contribute to completing common anti-Israeli objectives without the requirement to depend on a single toolset. 

Most Hamas-aligned offensive cyber efforts have involved implementing simple techniques, primarily involving the BLACKSTEM nexus threat actor. However, we also detected a minority of Hamas cyber unit campaigns involving advanced techniques, as exemplified by the BLACKATOM threat actor persona, involving the targeting of software engineers in the Israeli military and Israel’s wider aerospace and defense industry. In addition, Hezbollah cyber forces launched a series of offensive efforts against Israel immediately following the invasion, with the GREATRIFT threat actor persona capitalizing on the surging interest in emergency services by impersonating Israel’s Sheba Medical Centre to deploy malware on target systems via phishing campaigns, with the assessed intention of undermining trust in public establishments.  

There will also likely be cyber implications from attacks launched by the Houthi faction against Israeli-linked international cargo ships within the Red Sea. In response, the U.S.-led Operation Prosperity Guardian multi-national military coalition was established to counter threats posed by Houthi forces against maritime commerce within the Red Sea.

This increases the possibility of Iranian state-aligned espionage actors launching the offensive against the U.S. Government and defense sectors to support its Houthi rebel proxy faction as well as to gather intelligence regarding the coalition’s policies. 

A Cyber Aggression Forecast

There will undoubtedly be international ramifications of Middle East-centered cyber aggression that will impact organizations across the industrial spectrum.

Destructive cyber-attacks and IO will likely remain a staple within the arsenal of Iranian cyber actors to demonstrate both hostile intent and capability to the state’s perceived opposition. This will likely be exacerbated in response to any perceived escalation of the ongoing conflict.

Any resumed cyber warfare launched by the Iranian proxy groups would likely impact the U.S. Government, finance, education, and defense sectors, as well as NGOs.

Also, the 2024 Paris Summer Olympics and the 2024 U.S. presidential election will likely be hotbeds for cyber-influence operations. Influence assets will likely target international sporting bodies and Olympic third-party organizations while also accompanying the run-up to the U.S. election with the objective of sowing discord among U.S. voters - resulting in social tensions and the erosion of trust in U.S.-based establishments.

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber, specializing in strategic & geopolitical intelligence.

Image: Ideogram

You Might Also Read: 

The Information War In Gaza & Israel:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Progress In Deepfake Detection
Improving Cyber Resilience Of Frontline Armed Forces In Europe »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Security Weekly

Security Weekly

Security Weekly provides free content within the subject areas of IT security news, vulnerabilities, hacking, and research.

National Cyber Directorate Israel

National Cyber Directorate Israel

The Israeli National Cyber Directorate provides incident handling services for civilian entities and critical infrastructures and works to increase national resilience against cyber threats.

US Secret Service

US Secret Service

The US Secret Service has a pivotal role in securing the nation’s critical infrastructures, specifically in the areas of cyber, banking and finance.

PAX Momentum

PAX Momentum

PAX Momentum is the Mid-Atlantic’s premier startup accelerator, specializing in cyber, enterprise software, telecom, CleanTech, FinTech, InsureTech, and AI.

Australian Cyber Collaboration Centre (Aus3C)

Australian Cyber Collaboration Centre (Aus3C)

The Australian Cyber Collaboration Centre (Aus3C) is committed to building cyber capacity and securing Australia's digital landscape.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

Query.ai

Query.ai

At Query.AI, we are committed to helping companies unlock the power of their security data, so they are empowered to meet security investigation and response goals while simultaneously reducing costs.

Kalima Systems

Kalima Systems

Kalima’s mission is to securely collect, transport, store and share Industrial IoT (IIoT) trusted data in real time with devices, services and mobile workers.

Otorio

Otorio

OTORIO delivers industrial cybersecurity and digital risk-management solutions and services. We help our customers to keep their revenue-generating operations resilient, efficient, and safe.

Jit

Jit

Jit empowers developers to own security for the product they are building from day zero.

Centroid

Centroid

Centroid is a cloud services and technology company that provides Oracle enterprise workload consulting and managed services across Oracle, Azure, Amazon, Google, and private cloud.

Splashtop

Splashtop

Splashtop’s cloud-based, secure, and easily managed remote access solution is increasingly replacing legacy approaches such as virtual private networks.

Beyon Cyber

Beyon Cyber

Beyon Cyber offer a complete portfolio of advanced solutions & services for cyber security in Bahrain.

DIGISOC

DIGISOC

DIGISOC, a leader in Latin America in Cybersecurity solutions, combines machine learning with human intelligence to be effective in detecting cyber threats.

TRM Labs

TRM Labs

TRM enables risk management and compliance for a global community of financial institutions, cryptocurrency businesses and government agencies.

SiyanoAV

SiyanoAV

SiyanoAV's range of antivirus products delivers strong protection against various cyber threats, including malware, ransomware, phishing schemes, and beyond.