Israel-Hamas Conflict: The Escalation Of Cyberwarfare

On October 7th, 2023, the world was shocked by the surprise invasion of Israel by the paramilitary wing of Hamas. Hundreds of Israeli hostages were taken by Hamas, more than 1,160 Israelis were killed, and thousands were injured.

The aftermath resulted in the death of tens of thousands of civilians in Gaza. Throughout the conflict, the concept of ‘hybrid warfare’ has materialized, blending kinetic and cyber operations that extend the battlefield beyond traditional geographic lines. 

The Unfolding of Cyberwarfare

In the days following Hamas’ invasion, Iranian state-aligned cyber actors launched a series of attacks, leveraging the kinetic military operations of Hamas to support the “Shadow War” against Israel.

  • Phase 1 was launched within the hours and days immediately following the invasion and primarily involved simple opportunistic hack-and-leak efforts against Israeli assets.
  • Phase 2 was initiated by mid-October, during which time the volume of attacks escalated and morphed into more destructive efforts, such as the deployment of wiper malware and the targeting of Industrial Control Systems (ICS), as well as mass influence campaigns against pro-Israeli entities to sow confusion and undermine support for ground operations.
  • Phase 3 began in November and continues today. This phase involves attacks that have become more advanced in capability and capacity as targeting, strategy, and prioritization have developed between both the state and state-aligned groups. 

Cyber-Attack Patterns 

Since the Hamas invasion, Tehran-aligned cyber operations have become more focused on undercutting public support for the war and compromising rival infrastructure. We have assessed this to involve the state objectives of:  

  • Undermining Israel and its allies within the cyber domain.
  • Attempts to shape the information environment.
  • Creating the perception of weakness in Israeli defenses.
  • Diminishing global backing of Israel by emphasizing the damage caused by Israeli counter-distribution efforts against Palestinians within Gaza.

We have noticed a shift towards a more proactive operational approach against Israeli assets as opposed to the reactive posture that was adopted following the initial invasion.

This operational approach involved surging wiper malware, ransomware, and mobile spyware deployment against the Israeli government, finance, technology, and defense sectors.

This tactic likely aimed to sabotage rival Critical National Infrastructure (CNI) and conduct intelligence gathering to bolster the state’s position within the ongoing conflict. Iranian state-aligned cyber actors have also launched phishing campaigns against national security think tanks, diplomats, former military personnel, non-governmental organizations (NGOs), and Middle Eastern affairs experts within the Western education sector to gather intelligence on critical decision-makers. 

Regarding Iranian state-aligned Influence Operations (IO), Iran has demonstrated a significant investment in hack-and-leak operations to compromise victims and release extracted data.

These influence campaigns have expanded to include masquerading as Tehran’s allies, including the Izz ad-Din al-Qassam Brigades (IQB), the Hamas military division; previously, such impersonation was limited to rival entities.

Psychological warfare components of Iranian state-aligned cyber-IO involve leveraging artificial intelligence (AI) and SMS and email delivery to exaggerate the claims of Tehran-aligned influence campaigns. These components were an attempt to turn global public perception against Israel and manipulate Israeli citizens to engage in on-the-ground activities.

Hacktivist Campaigns

Pro-Iranian hacktivist collectives have launched a series of Distributed Denial-of-Service (DDoS) attacks, web defacement efforts, and data breaches aimed at companies within Israel and its allied states, such as the U.S. These operations, involving numerous hacktivist actors including Anonymous Sudan and Ghosts of Palestine, began immediately following the invasion on October 7th and remain just as prominent today.

As the conflict has progressed, we have detected a notable development within the hacktivist threat landscape involving Iranian state-backed advanced persistent threat, or APT, units masquerading as hacktivists as a smoke screen to initiate sophisticated state-level campaigns under the guise of DDoS attacks. We have assessed that this ‘faketivist’ phenomenon has been adopted by the following Tehran-aligned cyber actors:

  • The Karma Power hacktivist persona acting as a front for the BANISHED KITTEN APT unit.
  • The SPECTRAL KITTEN nation-state actor operating under the Malek Team hacktivist identity.
  • The HAYWIRE KITTEN APT operating under the Cyber Toufan hacktivist outfit.

These cyber forces have likely adopted this expanded profile to create plausible deniability for the state and to persuade the public that their attacks are grassroots-inspired, thus intending to boost the morale of their national supporters.

The ‘Axis of Resistance’

As the Middle East conflict progresses, we observe collaborative efforts within the cyber domain by Iranian proxy group members of the ‘Axis of Resistance’ alliance. This informal Iranian state-backed political and military coalition consists of numerous entities, including the Gaza-based Hamas, the Lebanon-based Hezbollah, and the Yemeni Houthi rebel faction. The coalition members are unified by the objective of countering the influence of Israel, the Democratic West, and specific Arab nations within the Gulf region.

Numerous cyber campaigns attributed to the coalition have likely been implemented and synchronized, allowing several threat actors to contribute to completing common anti-Israeli objectives without the requirement to depend on a single toolset. 

Most Hamas-aligned offensive cyber efforts have involved implementing simple techniques, primarily involving the BLACKSTEM nexus threat actor. However, we also detected a minority of Hamas cyber unit campaigns involving advanced techniques, as exemplified by the BLACKATOM threat actor persona, involving the targeting of software engineers in the Israeli military and Israel’s wider aerospace and defense industry.

In addition, Hezbollah cyber forces launched a series of offensive efforts against Israel immediately following the invasion, with the GREATRIFT threat actor persona capitalizing on the surging interest in emergency services by impersonating Israel’s Sheba Medical Centre to deploy malware on target systems via phishing campaigns, with the assessed intention of undermining trust in public establishments.

There will also likely be cyber implications from attacks launched by the Houthi faction against Israeli-linked international cargo ships within the Red Sea. In response, the U.S.-led Operation Prosperity Guardian multi-national military coalition was established to counter threats posed by Houthi forces against maritime commerce within the Red Sea.

This increases the possibility of Iranian state-aligned espionage actors launching offensives against the U.S. Government and defense sectors, both to support the state’s Houthi rebel proxy faction and to gather intelligence regarding the coalition’s policies.

A Cyber Aggression Forecast

There will undoubtedly be international ramifications of Middle East-centered cyber aggression that will impact organizations across the industrial spectrum.

Destructive cyber-attacks and IO will likely remain a staple within the arsenal of Iranian cyber actors to demonstrate both hostile intent and capability to the state’s perceived opposition. This will likely be exacerbated in response to any perceived escalation of the ongoing conflict.

Any resumed cyber warfare launched by the Iranian proxy groups would likely impact the U.S. Government, finance, education, and defense sectors, as well as NGOs.

Also, the 2024 Paris Summer Olympics and the 2024 U.S. presidential election will likely be hotbeds for cyber-influence operations. Influence assets will likely target international sporting bodies and Olympic third-party organizations while also accompanying the run-up to the U.S. election with the objective of sowing discord among U.S. voters - resulting in social tensions and the erosion of trust in U.S.-based establishments.

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber, specializing in strategic & geopolitical intelligence.
