Israel-Hamas Conflict: The Escalation Of Cyberwarfare

Uploaded on 2024-07-25 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Iran, INTELLIGENCE--International, FREE TO VIEW

On October 7th, 2023, the world was shocked by the surprise invasion of Israel by the paramilitary wing of Hamas. Hundreds of Israeli hostages were taken by Hamas, more than 1,160 Israelis were killed, and thousands were injured.

The aftermath resulted in the death of tens of thousands of civilians in Gaza. Throughout the conflict, the concept of ‘hybrid warfare’ has materialized, blending kinetic and cyber operations that extend the battlefield beyond traditional geographic lines. 

The Unfolding of Cyberwarfare

In the days following Hamas’ invasion, Iranian state-aligned cyber actors launched a series of attacks to leverage the kinetic military operations of Hamas to support the “Shadow War” against Israel.

  • Phase 1 was launched within the hours and days immediately following the invasion and primarily involved simple opportunistic hack-and-leak efforts against Israeli assets.
  • Phase 2 was initiated by mid-October, during which time the volume of attacks escalated and morphed into more destructive efforts, such as the deployment of wiper malware and the targeting of Industrial Control Systems (ICS), as well as mass influence campaigns against pro-Israeli entities to sow confusion and undermine support for ground operations.
  • Phase 3 began in November and continues today. This phase involves attacks that have become more advanced in capability and capacity as targeting, strategy, and prioritization have developed between both the state and state-aligned groups. 

Cyber-Attack Patterns 

Since the Hamas invasion, Tehran-aligned cyber operations have become more focused on undercutting public support for the war and compromising rival infrastructure. We have assessed this to involve the state objectives of:  

  • Undermining Israel and its allies within the cyber domain.
  • Attempts to shape the information environment.
  • Creating the perception of weakness in Israeli defenses.
  • Diminishing global backing of Israel by emphasizing the damage caused by Israeli counter-distribution efforts against Palestinians within Gaza.

We have noticed a shift towards a more proactive operational approach against Israeli assets as opposed to the reactive posture that was adopted following the initial invasion.

This operational approach involved surging wiper malware, ransomware, and mobile spyware deployment against the Israeli government, finance, technology, and defense sectors.

This tactic likely aimed to sabotage rival Critical National Infrastructure (CNI) and conduct intelligence gathering to bolster the state’s position within the ongoing conflict. Iranian state-aligned cyber actors have also launched phishing campaigns against national security think tanks, diplomats, former military personnel, non-governmental organizations (NGOs), and Middle Eastern affairs experts within the Western education sector to gather intelligence on critical decision-makers. 

Regarding Iranian state-aligned Influence Operations (IO), Iran has demonstrated a significant investment in hack-and-leak operations to compromise victims and release extracted data.

These Influence campaigns have expanded to include masquerading as Tehran’s allies, including the Izz ad-Din al-Qassam Brigades (IQB), the Hamas military division, a phenomenon that previously involved solely impersonating rival entities. 

Psychological warfare components of Iranian state-aligned cyber-IO involve leveraging artificial intelligence (AI) and SMS and email delivery to exaggerate the claims of Tehran-aligned influence campaigns. These components were an attempt to turn global public perception against Israel and manipulate Israeli citizens to engage in on-the-ground activities.

Hacktivist Campaigns

Pro-Iranian hacktivist collectives have launched a series of Distributed Denial-of-Service (DDoS) attacks, web defacement efforts, and data breaches aimed at companies within Israel and its allied states, such as the U.S. These operations, involving numerous hacktivist actors including Anonymous Sudan and Ghosts of Palestine, began immediately following the invasion on October 7th and are still as prominent to the current date.

As the conflict has progressed, we have detected a notable development within the hacktivist threat landscape involving Iranian state-backed advanced persistent threat, or APT, units masquerading as hacktivists as a smoke screen to initiate sophisticated state-level campaigns under the guise of DDoS attacks. We have assessed that this ‘faketivist’ phenomenon has been adopted by the following Tehran-aligned cyber actors:

  • The Karma Power hacktivist persona acting as a front for the BANISHED KITTEN APT unit.
  • The SPECTRAL KITTEN nation-state actor operating under the Malek Team hacktivist identity.
  • The HAYWIRE KITTEN APT operating under the Cyber Toufan hacktivist outfit.

These cyber forces have likely adopted this expanded profile to create plausible deniability for the state and to persuade the public that their attacks are grassroots-inspired, thus intending to boost the morale of their national supporters.

The ‘Axis of Resistance’

As the Middle East conflict progresses, we observe collaborative efforts within the cyber domain by Iranian proxy group members of the ‘Axis of Resistance’ alliance. This informal Iranian state-backed political and military coalition consists of numerous entities, including the Gaza-based Hamas, the Lebanon-based Hezbollah, and the Yemeni Houthi rebel faction. The coalition members are unified by the objective of countering the influence of Israel, the Democratic West, and specific Arab nations within the Gulf region.

Numerous cyber campaigns attributed to the coalition have likely been implemented and synchronized, allowing several threat actors to contribute to completing common anti-Israeli objectives without the requirement to depend on a single toolset. 

Most Hamas-aligned offensive cyber efforts have involved implementing simple techniques, primarily involving the BLACKSTEM nexus threat actor. However, we also detected a minority of Hamas cyber unit campaigns involving advanced techniques, as exemplified by the BLACKATOM threat actor persona, involving the targeting of software engineers in the Israeli military and Israel’s wider aerospace and defense industry. In addition, Hezbollah cyber forces launched a series of offensive efforts against Israel immediately following the invasion, with the GREATRIFT threat actor persona capitalizing on the surging interest in emergency services by impersonating Israel’s Sheba Medical Centre to deploy malware on target systems via phishing campaigns, with the assessed intention of undermining trust in public establishments.  

There will also likely be cyber implications from attacks launched by the Houthi faction against Israeli-linked international cargo ships within the Red Sea. In response, the U.S.-led Operation Prosperity Guardian multi-national military coalition was established to counter threats posed by Houthi forces against maritime commerce within the Red Sea.

This increases the possibility of Iranian state-aligned espionage actors launching the offensive against the U.S. Government and defense sectors to support its Houthi rebel proxy faction as well as to gather intelligence regarding the coalition’s policies. 

A Cyber Aggression Forecast

There will undoubtedly be international ramifications of Middle East-centered cyber aggression that will impact organizations across the industrial spectrum.

Destructive cyber-attacks and IO will likely remain a staple within the arsenal of Iranian cyber actors to demonstrate both hostile intent and capability to the state’s perceived opposition. This will likely be exacerbated in response to any perceived escalation of the ongoing conflict.

Any resumed cyber warfare launched by the Iranian proxy groups would likely impact the U.S. Government, finance, education, and defense sectors, as well as NGOs.

Also, the 2024 Paris Summer Olympics and the 2024 U.S. presidential election will likely be hotbeds for cyber-influence operations. Influence assets will likely target international sporting bodies and Olympic third-party organizations while also accompanying the run-up to the U.S. election with the objective of sowing discord among U.S. voters - resulting in social tensions and the erosion of trust in U.S.-based establishments.

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber, specializing in strategic & geopolitical intelligence.

Image: Ideogram

You Might Also Read: 

The Information War In Gaza & Israel:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Progress In Deepfake Detection
Improving Cyber Resilience Of Frontline Armed Forces In Europe »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

4ARMED

4ARMED

4ARMED services cover the end-to-end experience of securing modern software, from design and build through to deploy and test.

Gamma

Gamma

Gamma is a leading provider of Unified Communications as a Service (UCaaS) into the UK, Dutch, Spanish and German business markets.

ThreatBook

ThreatBook

ThreatBook is dedicated to providing real-time, accurate and actionable threat intelligence to block, detect and prevent attacks.

PQShield

PQShield

PQShield are specialists in Post-Quantum Cryptography. We provide quantum-secure cryptographic solutions for software, software/hardware co-design and data in transit.

Accolite Digital

Accolite Digital

Accolite is an innovative, design thinking software company that guarantees seamless digital experiences with maximum results.

Cyber Security for Europe (CyberSec4Europe)

Cyber Security for Europe (CyberSec4Europe)

CyberSec4Europe is designing, testing and demonstrating potential governance structures for a European Cybersecurity Competence Network.

RMRF Tech

RMRF Tech

RMRF is a team of cybersecurity engineers and penetration testers which specializes in the development of solutions for early cyber threat detection and prevention.

eaziSecurity

eaziSecurity

eaziSecurity has built an eco-system of technology and services that bring enterprise scale security solutions to the SME marketplace.

Luta Security

Luta Security

Luta Security implements a holistic approach to advance the security maturity of governments and organizations around the world.

Opus

Opus

Opus dramatically reduces cloud security risks by enabling teams to define, orchestrate, automate and measure remediation processes across the entire distributed organization.

Irys Technologies

Irys Technologies

Irys Technologies specialize in pioneering digital transformation solutions designed to streamline communications and enhance maintenance and operational efficiency for a variety of sectors.

Wired Assurance

Wired Assurance

Wired Assurance is a testing and assurance company, specialized in software applications and blockchain smart contracts.

AccessIT Group

AccessIT Group

AccessIT Group is a specialized cybersecurity solutions provider offering a full range of advanced security services.

CyberNut

CyberNut

CyberNut are a security awareness training solution built exclusively for schools.

SOCRadar

SOCRadar

SOCRadar is an Extended Threat Intelligence (XTI) SaaS platform that combines External Attack Surface Management (EASM), Digital Risk Protection Services (DRPS), and Cyber Threat Intelligence (CTI).

Securafy

Securafy

At Securafy, we understand how important it is to have the right IT partner by your side. For over 30 years, we’ve helped businesses stay secure, connected, and compliant.