Open warfare returned to the Middle East in the early hours of Saturday 7 October, when Hamas operatives stormed the border between Israel and the Palestinian enclave of Gaza. In common with other modern kinetic conflicts, the developing conflict between Hamas and Israel has brought with it a corresponding and escalating online cyber war, raising the prospect of organisations around the world being caught up in cyber incidents arising from the conflict.
Meanwhile, organisations with links to the conflict, such as non-governmental organisations, defence contractors, government bodies, and even unrelated companies with branch offices in Israel, will be at heightened risk of targeted malicious activity from different threat actors, from hacktivists to nation state-backed advanced persistent threat (APT) groups.
With these thoughts in mind, we set out to examine what this new cyber war looks like, examine the patterns of threat activity that are being seen, and ask what steps security teams can take to ensure their resilience should they find their organisations a target.
Much of the observed activity to date has centred on hacktivist groups conducting website defacement or distributed denial of service (DDoS) attacks, and disinformation and misinformation campaigns online – such bot-driven campaigns have been running rampant on X (formerly Twitter) in recent months.
According to SecurityScorecard’s Strike Threat Intelligence team, the majority of malicious cyber activity to date has comprised actors physically apart from the conflict, and without known links to Hamas.
The international scope of this activity has been particularly of note, including hacktivist groups backing both sides – SecurityScorecard found evidence of hacktivists in countries such as India and Ukraine taking Israel’s side and attacking Palestinian targets, while Russian and Iran-linked groups tended to go for Israeli targets, alongside others countries including Bangladesh, Indonesia and Morocco.
Among the known groups to have involved themselves on Hamas’s side are the Russia-linked Killnet DDoS group and its affiliated Anonymous Sudan collective, which is neither related to Anonymous, nor Sudanese. Among targets they have hit have been Israeli government websites, the Shin Bet/Shabak security agency, and the Jerusalem Post newspaper.
Regardless of the target, the majority of these attacks have had little long-term disruptive impact – Israeli targets can appropriately defend themselves, and Palestinian ones are less numerous and operate less sophisticated systems.
There is also clear evidence that the direction in which the current cyber war in the Middle East seems to be unfolding is following a similar pattern to how the ongoing cyber war between pro-Russian and pro-Ukrainian actors began in the spring of 2022.
Indeed, Jeremiah Fowler of WebsitePlanet, who has been tracking both wars, said that he was seeing many of the same techniques in use now that were used against Russia by pro-Ukrainian hacktivists, including Ukraine’s so-called IT Army.
“However, they seem to be less effective now,” he said. “The one major factor that makes these cyber war tactics different is the time between conflicts.
“In the 19 months since hacktivists declared cyber war against Russia, cyber security experts and intelligence services around the world have had time to analyse, prepare and try to insulate themselves by learning from the failures of Russia’s cyber defences.
“After all, it’s a fact that cyber warfare will play a significant role in any current and future conflicts,” said Fowler. “Cyber space acts now as a second front with no defined rules of engagement. Hacktivists and government-affiliated groups can choose a side and launch numerous attacks based on their specific skill sets, tipping the scales of the conflict with seemingly just a few clicks.”
Hamas’ attention to OpSec
One substantial difference observed between the two conflicts is a lack of cyber activity before the initial Hamas attack. Prior to Russia’s invasion of Ukraine, which had been signalled months in advance by the Russian government, Ukraine was bombarded with a widespread campaign of cyber intrusions designed to soften up critical targets in advance.
This was not the case in the Gaza war, and this is not much of a surprise, because out of necessity, Hamas spent months – maybe years – plotting its initial attack with exceptional attention paid to operational security (OpSec). Indeed, it has been suggested that some senior members of Hamas were kept in the dark entirely, in case they were compromised by Israeli intelligence.
Therefore, for the incursion to take Israel by complete surprise, it may have been necessary for pro-Palestinian groups and Hamas-affiliated actors to confine their activity to normal levels. According to SecurityScorecard’s intel team, this was almost certainly the case.
“SecurityScorecard’s recently expanded collections of Hamas-affiliated messaging channels contain no evidence of how or when Hamas’s operation would begin prior to the start of the conflict,” said the Strike Threat Intelligence team.
“This suggests that, in contrast to other contemporary wars, the frequency or impact of cyber and information operations did not increase leading up to the war.
“A Russian hacktivist group may, for example, oppose Israel and be capable of attempting attacks against Israeli targets following the start of the war, but such a group would be unlikely to have a relationship with Hamas that could have offered it the early indications necessary to conduct cyber operations as a prelude to physical attacks,” the Strike team pointed out.
The isolation of Hamas and Israel’s clear technological superiority in this instance may also go some way to explaining why no cyber activity preceded the physical conflict.
Given the most widespread form of impactful cyber attack seen to date has been DDoS attacks, defenders should consider implementing DDoS mitigations as a priority. Radware, a specialist supplier of DDoS mitigation services, suggests the following checklist as a strong basis for a defensive strategy:
- Gather up-to-date intelligence on active threat actors that can be used to implement pre-emptive protection, for example, adding IP ranges associated with their activity to deny lists;
- Implement behavioural-based detection to quickly and accurately spot and block traffic anomalies while allowing genuine traffic through;
- Implement real-time signature creation to quickly guard against novel threats and zero-days;
- Draw up a cyber security emergency response plan, making sure it accounts for DDoS attacks on connected systems and devices, and test it;
- Add hybrid mixes of on-premise and cloud DDoS protection services to enable real-time attack prevention that can address higher-volume attacks, and protect from pipe saturation.
Operators of critical infrastructure may additionally wish to harden defences around their operational technology (OT), such industrial control systems (ICS). Security teams may wish to review whether or not it is really necessary to expose such devices to the public internet (spoiler, it is not), and if possible, restricting access to them by adding known or dependent IPs to an allow list, and placing them behind a virtual private network (VPN) or firewall.
Beyond hardening networks, defenders may wish to consider the possibility of other forms of attack. Chris Hauk, consumer privacy advocate at Pixel Privacy, said: “Organisations with Israeli connections will want to stay alert for cyber attacks that could come from both without and within. Organisations should educate their employees to the risks of phishing schemes to gain access to internal systems. It is also possible that some employees may be sympathetic to Hamas, possibly initiating attacks from within.”
In addition, financially motivated cyber criminals will also be looking to exploit the war to access target networks for data exfiltration or ransomware attacks, so it is important for both security teams and regular employees to be on the lookout for suspicious activity, as Paul Bischoff of Comparitech explained.
“UK organisations should be on the lookout for phishing attacks that use the Israel-Palestine conflict as clickbait,” said Bischoff. “Phishing emails, messages and phone calls attempt to trick victims into clicking on malicious links leading to fake login pages, or attachments that carry malware.
“The content of messages could be related to charities, misinformation about the conflict or even recruitment,” he said. “Never click on links or attachments in unsolicited messages, and always verify the sender’s identity before handing over money or private information.”
A few days prior to the onset of the war in Ukraine, Jen Easterly of the US Cybersecurity and Infrastructure Security Agency issued her now famous “Shields Up” alert to encourage organisations to take steps to bolster their resilience in the face of what was coming.
In the event, the cyber impact of the war in Ukraine has been rather more limited than was feared, with little disruptive activity observed beyond the physical warzone – although Ukrainian targets faced an onslaught of cyber attacks themselves.
With a reasonable degree of confidence, we can speculate that the cyber element of the Hamas-Israel war will follow a similar trajectory.
All the same, as we have seen, for those organisations that may find themselves in some way adjacent to the fighting, or bear some connection to Israel or Palestine, should consider dusting off their incident response plans and raising their shields.