The Israeli war in Gaza, which was declared after the horrendous massacre of 1,400 Israeli civilians and the kidnapping of 240 others at the hands of Gaza’s ruling faction Hamas, has also seen a surge in activity in cyberspace. However, thus far, it has failed to impact critical services and systems or cause strategic damage, thus maintaining cyber capabilities’ role as ‘secondary’ to the kinetic and physical war effort.
As of this writing, most of the offensive cyber activity targeting Israel is carried out by hacktivist groups, showing support and solidarity with the Palestinian cause and originating in Muslim and Arab countries. Most of this activity took the form of Distributed Denial of Service (DDoS) attacks against online platforms and websites, website defacement, and data leaks of various organizations.
Many of these groups claimed to have hacked sensitive military systems and critical infrastructure and to have leaked sensitive, defense-related data. However, these claims remain mostly unverified, as none of the mentioned organizations reported any disruption and the leaked data appeared to be ‘recycled’ (i.e., it had leaked as part of old data breaches and was presented as new).
Another type of activity observed is cyber-enabled influence and fear-spreading attacks. On October 8, a pro-Palestinian hacktivist group dubbed AnonGhost exploited an API vulnerability in the Israeli Red Alert missile warning application and sent fake missile warnings to users. On October 12, hackers accessed a server that operates smart billboards in Tel Aviv and changed the commercials to pro-Hamas content, as well as footage of the Israeli flag burning.
However, the lack of success or diminished presence of state-sponsored threat groups seems attributable to the proactive cyber defensive approach adopted by the Israeli National Cyber Directorate (INCD) as well as the mobilization of the country’s cyber security ecosystem. According to the Director of the INCD, Gabi Portnoy, more than fifteen state-sponsored and Advanced Persistent Threat (APT) groups related to Iran and Hezbollah have been attempting to target critical services and infrastructure. The INCD’s approach includes lessons learned from the war in Ukraine, such as close cooperation with the private industry and international partners, and the sharing of cyber threat intelligence. An example of such information sharing is the proactive disconnection of several Israeli hospitals from the external network as a precaution, based on early warnings regarding impending cyberattacks.
However, despite the current lack of significant successful strategic cyberattacks, two things are worth keeping in mind. First, the current conflict is not limited to local actors but represents regional and global rivalries between the United States, Israel, and the Sunni Gulf states on the one hand, and Iran and the Shiite axis on the other. It also relates to the U.S.-Russia rivalry, the tightening Russia-Iran alliance, and Russia’s interest in deflecting arms shipments and media attention from Ukraine. Russia’s siding with Iran and the Shiite axis could translate into increasing Russian cyber activity targeting Israel.
As of the time of writing, two pro-Russian hacktivist groups, Killnet and Anonymous Sudan, have targeted Israeli organizations since the war’s outbreak. Some of these hacktivist groups maintain some level of coordination with the Russian intelligence agencies, such as the Russian Main Intelligence Directorate (GRU).
Given these ties, there is a risk that hacking groups affiliated with the Russian intelligence agencies, which maintain a much higher level of technical prowess, would participate, directly or indirectly, in the attempts to destabilize the Israeli digital environment or carry out influence operations aimed at the Israeli public. Given the tightening cyber cooperation between Russia and Iran, which started before the war in Ukraine, there is also a chance that Russian technical capabilities will be transferred to Iranian hacking groups and their proxies.
Second, the October 7 attack on Israel marks the end of the conception of Israel’s intelligence superiority and its ability to deter its rivals. Another known long-standing conception, albeit grounded in facts, is that Israel is a world leader in cybersecurity and maintains top-tier cyber capabilities, and thus is superior to its rivals in cyberspace. While this conception has been highlighted in research, it could also lead to complacency. The risk level of complacency may even grow if Israeli cyber defenders get used to the new routine given high levels of strain and fatigue.
The Hamas attack on Israel and the subsequent war in Gaza have been accompanied by a myriad of threat actors seeking to turn cyberspace into an additional front. Despite failing so far to cause a strategic impact, the persistence of the war is likely to attract more threat actors of varying sophistication levels, whereas strain and fatigue on the Israeli side should be carefully considered and mitigated.
Omree Wechsler is a researcher at the Blavatnik Interdisciplinary Cyber Research Center and the Yuval Ne’eman Workshop for Science, Technology, and Security at Tel Aviv University. Mr. Wechsler has served in the Israeli military intelligence branch and he’s a graduate of the CISO & DPO training program of Bar Ilan University.