Israel-Hamas Conflict: The Escalation Of Cyberwarfare

On October 7th, 2023, the world was shocked by the surprise invasion of Israel by the paramilitary wing of Hamas. Hundreds of Israeli hostages were taken by Hamas, more than 1,160 Israelis were killed, and thousands were injured.

The aftermath resulted in the death of tens of thousands of civilians in Gaza. Throughout the conflict, the concept of ‘hybrid warfare’ has materialized, blending kinetic and cyber operations that extend the battlefield beyond traditional geographic lines. 

The Unfolding of Cyberwarfare

In the days following Hamas’ invasion, Iranian state-aligned cyber actors launched a series of attacks to leverage the kinetic military operations of Hamas to support the “Shadow War” against Israel.

  • Phase 1 was launched within the hours and days immediately following the invasion and primarily involved simple opportunistic hack-and-leak efforts against Israeli assets.
  • Phase 2 was initiated by mid-October, during which time the volume of attacks escalated and morphed into more destructive efforts, such as the deployment of wiper malware and the targeting of Industrial Control Systems (ICS), as well as mass influence campaigns against pro-Israeli entities to sow confusion and undermine support for ground operations.
  • Phase 3 began in November and continues today. This phase involves attacks that have become more advanced in capability and capacity as targeting, strategy, and prioritization have developed between both the state and state-aligned groups. 

Cyber-Attack Patterns 

Since the Hamas invasion, Tehran-aligned cyber operations have become more focused on undercutting public support for the war and compromising rival infrastructure. We have assessed this to involve the state objectives of:  

  • Undermining Israel and its allies within the cyber domain.
  • Attempts to shape the information environment.
  • Creating the perception of weakness in Israeli defenses.
  • Diminishing global backing of Israel by emphasizing the damage caused by Israeli counter-distribution efforts against Palestinians within Gaza.

We have noticed a shift towards a more proactive operational approach against Israeli assets as opposed to the reactive posture that was adopted following the initial invasion.

This operational approach involved surging wiper malware, ransomware, and mobile spyware deployment against the Israeli government, finance, technology, and defense sectors.

This tactic likely aimed to sabotage rival Critical National Infrastructure (CNI) and conduct intelligence gathering to bolster the state’s position within the ongoing conflict. Iranian state-aligned cyber actors have also launched phishing campaigns against national security think tanks, diplomats, former military personnel, non-governmental organizations (NGOs), and Middle Eastern affairs experts within the Western education sector to gather intelligence on critical decision-makers. 

Regarding Iranian state-aligned Influence Operations (IO), Iran has demonstrated a significant investment in hack-and-leak operations to compromise victims and release extracted data.

These Influence campaigns have expanded to include masquerading as Tehran’s allies, including the Izz ad-Din al-Qassam Brigades (IQB), the Hamas military division, a phenomenon that previously involved solely impersonating rival entities. 

Psychological warfare components of Iranian state-aligned cyber-IO involve leveraging artificial intelligence (AI) and SMS and email delivery to exaggerate the claims of Tehran-aligned influence campaigns. These components were an attempt to turn global public perception against Israel and manipulate Israeli citizens to engage in on-the-ground activities.

Hacktivist Campaigns

Pro-Iranian hacktivist collectives have launched a series of Distributed Denial-of-Service (DDoS) attacks, web defacement efforts, and data breaches aimed at companies within Israel and its allied states, such as the U.S. These operations, involving numerous hacktivist actors including Anonymous Sudan and Ghosts of Palestine, began immediately following the invasion on October 7th and are still as prominent to the current date.

As the conflict has progressed, we have detected a notable development within the hacktivist threat landscape involving Iranian state-backed advanced persistent threat, or APT, units masquerading as hacktivists as a smoke screen to initiate sophisticated state-level campaigns under the guise of DDoS attacks. We have assessed that this ‘faketivist’ phenomenon has been adopted by the following Tehran-aligned cyber actors:

  • The Karma Power hacktivist persona acting as a front for the BANISHED KITTEN APT unit.
  • The SPECTRAL KITTEN nation-state actor operating under the Malek Team hacktivist identity.
  • The HAYWIRE KITTEN APT operating under the Cyber Toufan hacktivist outfit.

These cyber forces have likely adopted this expanded profile to create plausible deniability for the state and to persuade the public that their attacks are grassroots-inspired, thus intending to boost the morale of their national supporters.

The ‘Axis of Resistance’

As the Middle East conflict progresses, we observe collaborative efforts within the cyber domain by Iranian proxy group members of the ‘Axis of Resistance’ alliance. This informal Iranian state-backed political and military coalition consists of numerous entities, including the Gaza-based Hamas, the Lebanon-based Hezbollah, and the Yemeni Houthi rebel faction. The coalition members are unified by the objective of countering the influence of Israel, the Democratic West, and specific Arab nations within the Gulf region.

Numerous cyber campaigns attributed to the coalition have likely been implemented and synchronized, allowing several threat actors to contribute to completing common anti-Israeli objectives without the requirement to depend on a single toolset. 

Most Hamas-aligned offensive cyber efforts have involved implementing simple techniques, primarily involving the BLACKSTEM nexus threat actor. However, we also detected a minority of Hamas cyber unit campaigns involving advanced techniques, as exemplified by the BLACKATOM threat actor persona, involving the targeting of software engineers in the Israeli military and Israel’s wider aerospace and defense industry. In addition, Hezbollah cyber forces launched a series of offensive efforts against Israel immediately following the invasion, with the GREATRIFT threat actor persona capitalizing on the surging interest in emergency services by impersonating Israel’s Sheba Medical Centre to deploy malware on target systems via phishing campaigns, with the assessed intention of undermining trust in public establishments.  

There will also likely be cyber implications from attacks launched by the Houthi faction against Israeli-linked international cargo ships within the Red Sea. In response, the U.S.-led Operation Prosperity Guardian multi-national military coalition was established to counter threats posed by Houthi forces against maritime commerce within the Red Sea.

This increases the possibility of Iranian state-aligned espionage actors launching the offensive against the U.S. Government and defense sectors to support its Houthi rebel proxy faction as well as to gather intelligence regarding the coalition’s policies. 

A Cyber Aggression Forecast

There will undoubtedly be international ramifications of Middle East-centered cyber aggression that will impact organizations across the industrial spectrum.

Destructive cyber-attacks and IO will likely remain a staple within the arsenal of Iranian cyber actors to demonstrate both hostile intent and capability to the state’s perceived opposition. This will likely be exacerbated in response to any perceived escalation of the ongoing conflict.

Any resumed cyber warfare launched by the Iranian proxy groups would likely impact the U.S. Government, finance, education, and defense sectors, as well as NGOs.

Also, the 2024 Paris Summer Olympics and the 2024 U.S. presidential election will likely be hotbeds for cyber-influence operations. Influence assets will likely target international sporting bodies and Olympic third-party organizations while also accompanying the run-up to the U.S. election with the objective of sowing discord among U.S. voters - resulting in social tensions and the erosion of trust in U.S.-based establishments.

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber, specializing in strategic & geopolitical intelligence.

Image: Ideogram

You Might Also Read: 

The Information War In Gaza & Israel:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Progress In Deepfake Detection
Improving Cyber Resilience Of Frontline Armed Forces In Europe »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Sintef Digital

Sintef Digital

Sintef Digital carries out research in Information and Communication Technology for industry and the public sector.

CyberStream

CyberStream

CyberStream, a division of the TechStream Group, is an information & cybersecurity talent acquisition solution provider.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

Adyta

Adyta

Adyta specializes in cybersecurity solutions adapted to the needs of sovereign institutions, business groups and other organizations that handle information and sensitive or classified data.

SurePassID

SurePassID

SurePassID is a provider of highly secure, highly extensible multi-factor authentication (MFA) solutions.

Quantum Security Solutions (QSec)

Quantum Security Solutions (QSec)

QSec is an innovative information security consultancy based in Ghana. We can provide your organisation with information security products and services that assure against information risk.

Pelion

Pelion

Pelion Connected Device Services are the easiest way to securely connect and manage your devices, allowing you to focus on forging your future.

ChaosSearch

ChaosSearch

ChaosSearch is a massively scalable ELK-compatible log analysis platform delivered as a fully managed service with high-performance and low cost.

Soteria

Soteria

Soteria is a global leader in the development, integration and implementation of advanced cyber security, intelligence and IT solutions, delivering complete end-to-end solutions.

TPx Communications

TPx Communications

TPx is a leading managed services provider offering a full suite of managed IT, unified communications, network connectivity and security services.

ZINAD IT

ZINAD IT

ZINAD is an information security company offering state-of-the-art cybersecurity awareness products, solutions and services.

BitLyft

BitLyft

BitLyft is a managed detection and response provider that is dedicated to delivering unparalleled protection from cyber attacks for organizations of all sizes.

ClearSky Cyber Security

ClearSky Cyber Security

ClearSky cyber security provides cyber solutions, focused on threat intelligence services, mainly for the financial sector, critical infrastructure, public sector and the pharma sector.

Databarracks

Databarracks

Databarracks deliver award winning IT resilience and continuity services. We help organisations get the most out of the cloud and protect their data, wherever it lives.

Proaxiom

Proaxiom

Proaxiom are focused on erasing cyber driven panic paralysis for Small and Medium Enterprises through brilliant cyber technologies which drive productivity and support growth.

SPYROS Information & Technology Consulting

SPYROS Information & Technology Consulting

SPYROS specializes in providing highly qualified professionals in Computer Network Operations, Signals Intelligence, Technical Training and Certifications, Network Administration and Security.