Article written by Mark Bruno - October 2023
The escalation of violence in the physical world has seen a parallel escalation in the digital world, with hacktivist groups either claiming to support Palestinian causes or retaliating against those actors. To this day, digital threat actors of all stripes try to channel the aesthetic and tactics of Anonymous from the time of the Arab Spring (2011). However, the cyber battlespace has changed since then, and as states’ ability to withstand these sorts of attacks has grown, so, too, has their influence in the space itself.
But given how prepared Israel has become over the past twelve years, how was it seemingly taken by surprise? Was there potential intervention by other nation-state actors? Has the cyber front been more effective as a source of disinformation than as an actual source of disruption?
Two Layers Of Cyberwar
Conclusions about what’s unfolding in Israeli cyberspace are difficult to pin down, despite the conflict coming up on its third week. In part, this is because the cyberwar between Israel and Hamas is made up of a domain that we can see, and a domain that we cannot. It’s almost identical to the one unfolding in Ukraine in this respect.
The first domain consists of the overt actions of hacktivists and more common cyber criminals, which are often self-aggrandizing but lack the substance one might expect. This is in large part to the credit of Israel’s own cybersecurity and IT infrastructure.
On October 8th, a proclamation went out over Telegram: “Israeli government, you are to blame for this bloodshed. Back in 2022, you supported the terrorist regime of Ukraine. You betrayed Russia… All government systems of Israel will be subjected to our attacks!” The statement was published by KillNet, a Russian group that has been extremely active since the war in Ukraine became a full-scale invasion. They mostly perpetrate low-yield Denial of Service (DoS/DDoS) and defacement attacks on targets of opportunity: dangerous, yes, especially to smaller and less prepared targets, but regarded in the cybersecurity community as a less significant threat than many others that are aligned with Russia.
The Lawfare Institute’s Maggie Smith, Erica Lonergan, and Nick Starck write, in a 2022 piece about KillNet, that the role of these groups is “cognitive, not coercive”: they exist to shape the framing of a conflict and to generate hype around their own propaganda narratives. KillNet’s large platform provides a communication channel for other organizations to organize similar attacks, amplifying their perceived effectiveness. Some cybersecurity professionals speculate that the group is state-sponsored, and it can be firmly established that they are, at the very least, aligned with Russian state interests.
There are a number of higher-powered threat actors on the radar of Israel’s Cyber Directorate that inhabit the second layer of this space. Many of these are based in Iran and Lebanon and fall into a much more threatening category: the Advanced Persistent Threat. Advanced Persistent Threats (often known simply as ‘APTs’) are threat actors with far fewer resource constraints than most hacktivists or common cyber criminals (resources often provided through state funding); they use layered strategies and tend to have a continuous mission. Some APTs have been active for over a decade.
It takes more time to attribute an attack to an APT. In part, this is because their operations tend to have a clandestine intent, such as exfiltrating data from a government or military source. Even financially driven APTs such as North Korea’s Lazarus Group will quietly amass hundreds of millions before being stopped. It’s much more of a “long game” in this layer of the conflict. There is no evidence at this point that any of the regionally tracked APTs have intervened in the conflict, but this certainly doesn’t rule out that they might have, as they have in the past.
Before The Attacks
Since the morning of 7/10/2023, there has been a lot of speculation as to whether or not Hamas received aid or intelligence from external organizations, with the most prominent theories being about potential assistance from Iran. Much of this speculation is an understandable response to the seemingly slow reaction from the IDF and the pure shock of the violence that unfolded. That said, there has been a well-established history of attacks on Israel from several Advanced Persistent Threats.
There were several notable cybersecurity incidents in the weeks leading up to the attacks on 7/10/2023. On 09/09/2023, fifteen Israeli lawmakers were unexpectedly banned from WhatsApp, in what may have been a breach that stemmed from their authentication controls being tripped. The report said that they were locked out of their accounts for three hours, which would have been plenty of time for data exfiltration. This particular incident was reminiscent of a 2019 phone breach of Netanyahu’s political rival, Benny Gantz. The incident was explained in the Israeli press as an attempt by Iran.
Ben Gurion Airport, a major target in the current conflict, had one of its most significant disruptions related to a cyberattack on 20/09/2023. The attack involved extremely sophisticated disruption of GPS systems and impacted the ability of pilots to land on shorter runways. The identity of the threat actor responsible still has yet to be revealed, but this is the sort of behavior more broadly associated with an APT rather than common cyber criminals.
On 5/10/2023, there was a report of an attempt via Telegram to hack Israeli president Isaac Herzog. The findings of Israel’s Shin Bet security service determined that it came from a low-level group, likely for the purpose of scamming the president rather than any “serious” breach. However, in the context of the broader cyberwarfare situation in Israel, it’s difficult to brush this incident off. That same day, Microsoft’s Threat Intelligence department released its 2023 Digital Defense Report. The report outlines the increasing threat posed by Iranian threat actors, though it largely describes their activities as influence operations in the Global South.
After The October 7th Attacks
Claims
Israel has been under a constant storm of cyberattacks. However, the claims made by the attackers have been of mixed truth value: some outright lies, others exaggerating the effectiveness of their operations, and a few that have been genuinely effective with potentially deadly consequences. Perhaps the most substantial claim that proved fruitless was an alleged series of attempts to shut down Israel’s Iron Dome missile defense system. While some servers associated with Rafael Advanced Defense Systems and Israel Aerospace Industries (the organizations that manage the system) may have been temporarily shut down, there is nothing that substantively suggests that the system’s performance was ever impacted.
RedAlert
Early on 7/10/2023, the Russia-supporting cybercriminal group Anonymous Sudan posted evidence suggesting that Israel’s RedAlert app, which tracks reports of rocket attacks in real time, had suffered outages from what appears to have been a Denial of Service attack. The group that would later seem to be responsible was the hacktivist organization AnonGhost, who explained that they’d found a vulnerability in the application’s API that allowed them to take it down. The immediate impact of this attack fell on the safety of civilians fleeing to get out of harm’s way.
Since then, service has been fully restored in the browser version of the application. However, the issues caused by the various Denial of Service attacks led to the application being removed from several regions’ app stores for a time. If one needs to download the app again, the usual workaround is to download the APK file (or IPA file on iOS) and install it directly. Some groups have picked up on this workaround and created a spyware version of the APK file, hosted on a phony copy of the developer’s site.
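The spyware-APK trick above works because a sideloaded package bypasses the app store’s check that the package was signed by the same developer as before. The defender’s check is to pin the developer’s signing-certificate fingerprint and refuse any APK whose signer differs. The following is an added example, not code from the article or from the RedAlert developers; it walks the v1 (JAR-style) signature block inside the APK zip with a minimal DER reader, pulls out the first signer certificate and compares its SHA-256 fingerprint with a pinned value. The certificates, package and pinned value are all constructed sample data. Note the caveats: this pins signer identity only and does not verify the signature over the archive contents, and it ignores the v2/v3 APK Signing Block that modern builds use, so in practice the authoritative check is `apksigner verify --print-certs` against the fingerprint published by the developer.

```python
import hashlib
import io
import zipfile

# ---- minimal DER reader (DER mandates definite-length encoding) ----

def der_tlv(buf, pos):
    """Parse one DER element at pos. Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve, pos, ve
        pos = ve

def der_encode(tag, payload):
    """Encode one DER element; used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + payload

# ---- extract the signer certificate from a v1 (JAR) signature block ----

def first_certificate_der(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob.
    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               certificates [0] IMPLICIT OPTIONAL, ... }"""
    tag, vs, ve = der_tlv(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    content = [c for c in der_children(pkcs7, vs, ve) if c[0] == 0xA0]
    if not content:
        raise ValueError("ContentInfo has no [0] content")
    sd_tag, sd_vs, sd_ve = der_tlv(pkcs7, content[0][1])
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    for tag, cvs, cve, _, _ in der_children(pkcs7, sd_vs, sd_ve):
        if tag == 0xA0:                    # certificates [0] IMPLICIT
            for _, _, _, tlv_start, tlv_end in der_children(pkcs7, cvs, cve):
                return pkcs7[tlv_start:tlv_end]
    raise ValueError("no certificate in signature block")

def fingerprint_of_cert(cert_der):
    """SHA-256 fingerprint of a DER certificate as lowercase hex without separators."""
    return hashlib.sha256(cert_der).hexdigest()

def apk_signer_fingerprint(apk_bytes):
    """Fingerprint of the first v1 signer certificate in an APK (which is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block; check the v2/v3 signing block with apksigner")
        return fingerprint_of_cert(first_certificate_der(z.read(blocks[0])))

def is_trusted_build(apk_bytes, pinned_fingerprint):
    """True only if the APK's signer certificate matches the pinned fingerprint.
    Anything malformed, unsigned or signed by someone else is treated as untrusted."""
    wanted = pinned_fingerprint.lower().replace(":", "")
    try:
        return apk_signer_fingerprint(apk_bytes) == wanted
    except (ValueError, IndexError, zipfile.BadZipFile):
        return False

# ---- constructed sample data: not a real app, developer or certificate ----
SAMPLE_DEVELOPER_CERT = der_encode(0x30, b"constructed sample: developer certificate")
SAMPLE_IMPOSTOR_CERT = der_encode(0x30, b"constructed sample: impostor certificate")
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1

def build_sample_apk(cert_der):
    """Build a minimal APK-shaped zip whose META-INF/CERT.RSA carries cert_der.
    Only the structure needed for certificate extraction is populated."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                                # version
        + der_encode(0x31, b"")                                  # digestAlgorithms (empty in sample)
        + der_encode(0x30, der_encode(0x06, OID_DATA))           # encapContentInfo
        + der_encode(0xA0, cert_der)                             # certificates [0]
        + der_encode(0x31, b""))                                 # signerInfos (empty in sample)
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()

if __name__ == "__main__":
    # In practice the pinned value comes from the developer's official channel, not from the download.
    pinned = fingerprint_of_cert(SAMPLE_DEVELOPER_CERT)
    print("genuine build trusted :", is_trusted_build(build_sample_apk(SAMPLE_DEVELOPER_CERT), pinned))
    print("impostor build trusted:", is_trusted_build(build_sample_apk(SAMPLE_IMPOSTOR_CERT), pinned))
```

The pinned fingerprint must come from a channel the attacker does not control (the developer’s real site or the store listing), never from the page that served the APK; a phony site can just as easily publish the fingerprint of its own impostor certificate.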
Media And Propaganda
Several news organization websites, but most prominently, the Jerusalem Post, were taken offline on the morning of 8/10/2023. The recovery back to full functionality took at least fifty hours. While attempts were claimed against Keshet Media Group websites, Times of Israel, and others, the disruptions were not nearly as severe, if they happened at all.
Another display of media hijacking took place in at least the city of Holon, and allegedly in Tel Aviv as well. For part of the morning of 12/10/2023, smart billboards were hacked and played what has been described as “pro-Hamas” messages.
A number of these groups have also attempted to spread various messages on social media that prominently featured disinformation and carefully selected old footage. Screenshots of a fake BBC article with AI-generated images reportedly from Bellingcat began circulating on 10/10/2023. The article was attempting to mislead readers into believing that US weapons given to Ukraine were ending up with Hamas, lending credibility to a related conspiracy circulating on Facebook.
Conclusion
It's crucial to differentiate between actual and perceived threats in the cyber realm, especially in the current Israeli scenario. While numerous claims circulate, Israeli services remain adept at identifying and thwarting such attacks. Despite the attention garnered by hacktivist groups like KillNet, their direct harm is mitigated by Israel's robust cybersecurity infrastructure. However, beneath this visible layer lies a more menacing one: the clandestine activities of state-supported Advanced Persistent Threats (APTs). Operating quietly, these entities aim for long-term gains like data exfiltration or system compromise, posing a more significant threat. The dual-layered nature of this cyber conflict necessitates a well-thought-out defense strategy—addressing immediate threats from hacktivist activities while proactively seeking and countering the potentially more dangerous, silent moves by APTs. The unfolding situation underscores a modern warfare paradigm where battles transpire both openly and covertly in the digital domain, carrying real and tangible repercussions for security, civilian safety, and the on-the-ground situation.