Israel-Hamas Conflict: The Escalation Of Cyberwarfare

Uploaded on 2024-07-25 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, INTELLIGENCE--International, FREE TO VIEW

On October 7th, 2023, the world was shocked by the surprise invasion of Israel by the paramilitary wing of Hamas. Hundreds of Israeli hostages were taken by Hamas, more than 1,160 Israelis were killed, and thousands were injured.

The aftermath resulted in the death of tens of thousands of civilians in Gaza. Throughout the conflict, the concept of ‘hybrid warfare’ has materialized, blending kinetic and cyber operations that extend the battlefield beyond traditional geographic lines. 

The Unfolding of Cyberwarfare

In the days following Hamas’ invasion, Iranian state-aligned cyber actors launched a series of attacks to leverage the kinetic military operations of Hamas to support the “Shadow War” against Israel.

  • Phase 1 was launched within the hours and days immediately following the invasion and primarily involved simple opportunistic hack-and-leak efforts against Israeli assets.
  • Phase 2 was initiated by mid-October, during which time the volume of attacks escalated and morphed into more destructive efforts, such as the deployment of wiper malware and the targeting of Industrial Control Systems (ICS), as well as mass influence campaigns against pro-Israeli entities to sow confusion and undermine support for ground operations.
  • Phase 3 began in November and continues today. This phase involves attacks that have become more advanced in capability and capacity as targeting, strategy, and prioritization have developed between both the state and state-aligned groups. 

Cyber-Attack Patterns 

Since the Hamas invasion, Tehran-aligned cyber operations have become more focused on undercutting public support for the war and compromising rival infrastructure. We have assessed this to involve the state objectives of:  

  • Undermining Israel and its allies within the cyber domain.
  • Attempts to shape the information environment.
  • Creating the perception of weakness in Israeli defenses.
  • Diminishing global backing of Israel by emphasizing the damage caused by Israeli counter-distribution efforts against Palestinians within Gaza.

We have noticed a shift towards a more proactive operational approach against Israeli assets as opposed to the reactive posture that was adopted following the initial invasion.

This operational approach involved surging wiper malware, ransomware, and mobile spyware deployment against the Israeli government, finance, technology, and defense sectors.

This tactic likely aimed to sabotage rival Critical National Infrastructure (CNI) and conduct intelligence gathering to bolster the state’s position within the ongoing conflict. Iranian state-aligned cyber actors have also launched phishing campaigns against national security think tanks, diplomats, former military personnel, non-governmental organizations (NGOs), and Middle Eastern affairs experts within the Western education sector to gather intelligence on critical decision-makers. 

Regarding Iranian state-aligned Influence Operations (IO), Iran has demonstrated a significant investment in hack-and-leak operations to compromise victims and release extracted data.

These Influence campaigns have expanded to include masquerading as Tehran’s allies, including the Izz ad-Din al-Qassam Brigades (IQB), the Hamas military division, a phenomenon that previously involved solely impersonating rival entities. 

Psychological warfare components of Iranian state-aligned cyber-IO involve leveraging artificial intelligence (AI) and SMS and email delivery to exaggerate the claims of Tehran-aligned influence campaigns. These components were an attempt to turn global public perception against Israel and manipulate Israeli citizens to engage in on-the-ground activities.

Hacktivist Campaigns

Pro-Iranian hacktivist collectives have launched a series of Distributed Denial-of-Service (DDoS) attacks, web defacement efforts, and data breaches aimed at companies within Israel and its allied states, such as the U.S. These operations, involving numerous hacktivist actors including Anonymous Sudan and Ghosts of Palestine, began immediately following the invasion on October 7th and are still as prominent to the current date.

As the conflict has progressed, we have detected a notable development within the hacktivist threat landscape involving Iranian state-backed advanced persistent threat, or APT, units masquerading as hacktivists as a smoke screen to initiate sophisticated state-level campaigns under the guise of DDoS attacks. We have assessed that this ‘faketivist’ phenomenon has been adopted by the following Tehran-aligned cyber actors:

  • The Karma Power hacktivist persona acting as a front for the BANISHED KITTEN APT unit.
  • The SPECTRAL KITTEN nation-state actor operating under the Malek Team hacktivist identity.
  • The HAYWIRE KITTEN APT operating under the Cyber Toufan hacktivist outfit.

These cyber forces have likely adopted this expanded profile to create plausible deniability for the state and to persuade the public that their attacks are grassroots-inspired, thus intending to boost the morale of their national supporters.

The ‘Axis of Resistance’

As the Middle East conflict progresses, we observe collaborative efforts within the cyber domain by Iranian proxy group members of the ‘Axis of Resistance’ alliance. This informal Iranian state-backed political and military coalition consists of numerous entities, including the Gaza-based Hamas, the Lebanon-based Hezbollah, and the Yemeni Houthi rebel faction. The coalition members are unified by the objective of countering the influence of Israel, the Democratic West, and specific Arab nations within the Gulf region.

Numerous cyber campaigns attributed to the coalition have likely been implemented and synchronized, allowing several threat actors to contribute to completing common anti-Israeli objectives without the requirement to depend on a single toolset. 

Most Hamas-aligned offensive cyber efforts have involved implementing simple techniques, primarily involving the BLACKSTEM nexus threat actor. However, we also detected a minority of Hamas cyber unit campaigns involving advanced techniques, as exemplified by the BLACKATOM threat actor persona, involving the targeting of software engineers in the Israeli military and Israel’s wider aerospace and defense industry. In addition, Hezbollah cyber forces launched a series of offensive efforts against Israel immediately following the invasion, with the GREATRIFT threat actor persona capitalizing on the surging interest in emergency services by impersonating Israel’s Sheba Medical Centre to deploy malware on target systems via phishing campaigns, with the assessed intention of undermining trust in public establishments.  

There will also likely be cyber implications from attacks launched by the Houthi faction against Israeli-linked international cargo ships within the Red Sea. In response, the U.S.-led Operation Prosperity Guardian multi-national military coalition was established to counter threats posed by Houthi forces against maritime commerce within the Red Sea.

This increases the possibility of Iranian state-aligned espionage actors launching the offensive against the U.S. Government and defense sectors to support its Houthi rebel proxy faction as well as to gather intelligence regarding the coalition’s policies. 

A Cyber Aggression Forecast

There will undoubtedly be international ramifications of Middle East-centered cyber aggression that will impact organizations across the industrial spectrum.

Destructive cyber-attacks and IO will likely remain a staple within the arsenal of Iranian cyber actors to demonstrate both hostile intent and capability to the state’s perceived opposition. This will likely be exacerbated in response to any perceived escalation of the ongoing conflict.

Any resumed cyber warfare launched by the Iranian proxy groups would likely impact the U.S. Government, finance, education, and defense sectors, as well as NGOs.

Also, the 2024 Paris Summer Olympics and the 2024 U.S. presidential election will likely be hotbeds for cyber-influence operations. Influence assets will likely target international sporting bodies and Olympic third-party organizations while also accompanying the run-up to the U.S. election with the objective of sowing discord among U.S. voters - resulting in social tensions and the erosion of trust in U.S.-based establishments.

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber, specializing in strategic & geopolitical intelligence.

Image: Ideogram

You Might Also Read: 

The Information War In Gaza & Israel:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Progress In Deepfake Detection
Improving Cyber Resilience Of Frontline Armed Forces In Europe »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Tresorit

Tresorit

Tresorit helps teams to collaborate securely and easily by protecting their data with end-to-end encryption.

Japan Information Security Audit Association (JASA)

Japan Information Security Audit Association (JASA)

JASA is non-profit association active in developing and managing the quality of Information Security Auditing and Auditors in Japan.

Kingsley Napley

Kingsley Napley

Cyber crime is an area of growing legal complexity. Our team of cyber crime lawyers have vast experience of the law in this area.

Rule4

Rule4

Rule4 is a global professional services firm that provides practical, real-world knowledge and solutions in areas including cybersecurity, AI, Machine Learning and industrial control systems.

TechRate

TechRate

Techrate is an analytics agency focused on blockchain technology and engineering. Or expertise includes security and technical audits of projects.

CyberSec Hub - The Kosciuszko Institute

CyberSec Hub - The Kosciuszko Institute

The goal of CyberSec Hub is to create a centre of excellence for cybersecurity in Krakow, a new European “Cyber-Silicon Valley”.

Tokio Marine HCC

Tokio Marine HCC

Tokio Marine HCC is a leading specialty insurance group with a Financial and Professional product line including Tech and Cyber.

WisePlant

WisePlant

WisePlant's portfolio of solutions and services includes process measurement, secure automation, industrial cybersecurity, functional safety and more.

Cryptyk

Cryptyk

CRYPTYK CLOUD is the first complete enterprise-class cloud security solution that includes cloud storage and broad protection against all external and internal threats.

LeadingIT

LeadingIT

Leading IT provides IT support, cloud computing, email support, cybersecurity, networking and firewall services to Chicagoland businesses.

GuardDog.ai

GuardDog.ai

guardDog.ai has developed a cloud-based software service with a companion device that work together to simplify network security.

Oasis Technology

Oasis Technology

Oasis Technology are experts in cyber security. In addition to pioneering the game-changing TITAN anti-hacking device, we provide extensive cyber security consulting services.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Professional Labs

Professional Labs

Professional Labs specialize in simplifying complex problems for our customers with Cloud Services, Managed Services and Cyber Security.

Google Safety Engineering Center (GSEC)

Google Safety Engineering Center (GSEC)

GSEC Málaga is an international cybersecurity hub where Google experts work to understand the cyber threat landscape and to create tools that keep users around the world safer online.

NinjaOne

NinjaOne

The NinjaOne Platform was built to help IT and MSP teams efficiently manage, patch, and support all endpoints.

SPYROS Information & Technology Consulting

SPYROS Information & Technology Consulting

SPYROS specializes in providing highly qualified professionals in Computer Network Operations, Signals Intelligence, Technical Training and Certifications, Network Administration and Security.