How hackers piled onto the Israeli-Hamas conflict
Lower-level cyberattacks are becoming a major feature of the war between Israel and Hamas, and the attacks could ramp up in intensity.
Hackers sympathetic to Hamas are working to make the Israel-Gaza conflict the next front of cyberwarfare.
Hacking groups with links to countries including Iran and Russia have launched a series of cyberattacks and online campaigns against Israel over the past week, some that may have even occurred in the runup to the Oct. 7 strike by Hamas.
On Telegram, hacking teams claimed they compromised websites, the Israeli electric grid, a rocket alert app and the Iron Dome missile defense system. At least one Israeli newspaper, The Jerusalem Post, acknowledged hackers took down its site temporarily.
It’s unclear how far and deep the cyberattacks went. But the online campaigns show an effort to bolster the physical onslaught with a digital offensive, potentially looking to replicate the way Russia and sympathetic hacktivists buffeted Ukraine with cyber strikes in the first days of that war.
The allegiances of the groups perpetrating the attacks could also offer clues to whether Hamas perpetrated its deadly attack alone. While there aren’t direct ties between these groups and foreign governments, some do conduct hacks that benefit countries that give them sanctuary, including Iran — which has long been a supporter of Hamas.
Liz Wu, a spokesperson for Israeli-based cybersecurity group Check Point Software, said that the company had tracked more than 40 groups conducting attacks that overwhelmed and disrupted more than 80 websites starting with the day of the Hamas onslaught. These included government and media sites.
The hacks are likely to be coming from outside of Gaza given the low internet connectivity there even before the strikes, and with the power cuts and bombing strikes from Israel in ensuing days.
One former cyber official in a Western country posited that coordinating a cyberattack with the Hamas incursion would have been unlikely because the militants planned their attack with old-fashioned communications methods. Acting in concert with hackers online could have triggered Israeli detection, the person said.
“Hard to say which of these claims is real,” Gil Messing, chief of staff at Check Point, said. “Sometimes the databases they publish are recycled from older data breaches, which now they show as new. None of the organizations supposedly linked to these data breaches felt affected.”
Still, these groups have a level of know-how that shouldn’t be discounted, said United States House Intelligence Committee ranking member Jim Himes (D-Conn.).
“Hamas and Hezbollah and Iranian-backed hackers are a heck of a lot better than you might think,” Himes said as he left a classified briefing on the conflict Wednesday. “The cyber realm needs to be watched carefully.”
The fairly limited extent of the actual cyber damage in Israel contrasted with the internet battlefield during Russia’s 2022 invasion of Ukraine. Hackers attacked the communication systems of the Kyiv Post and the KA-SAT satellite network in the hours before Russian tanks crossed the border, causing major communications disruptions, and hacktivist groups on both sides have continued since to attack and disrupt services.
During the Oct. 7 attack, Hamas used more concrete tacticsto circumvent and disrupt the vast Israeli surveillance apparatus: researching spots where cameras were thin, bulldozing fences, launching rockets and destroying drones before they could get in the air.
Israel has said at least 1,300 people were killed by the Hamas attack, while retaliatory Israeli airstrikes have killed more than 2,000 people in Gaza according to local health authorities.
Timeline of strikes
Some cyberattacks this week had clear effects: Israeli media reported the ministry of education switched from Zoom to Google for video meets after people claiming to be Hamas militants Zoombombed live sessions. The Jerusalem Post’s website went on and offline multiple times in the days following the attack, including some hours when it was completely down, according to Editor-in-Chief Avi Mayer.
Anonymous Sudan, a pro-Russian group, said it launched a distributed denial-of-service attack — which overwhelms a website or application with digital traffic — against Israel’s Red Alert app, which provides real-time rocket information to citizens. Cybersecurity firm Group-IB also found that AnonGhostgroup had tampered with the application. POLITICO confirmed reporting by Group-IB that the app was removed from the Google Play store.
Other attacks were difficult to substantiate. An Iran-aligned hacker group called Cyber Av3ngers claimed it had hit an Israeli electric contractor Oct. 6 and plunged the city of Yavne into darkness. Spokespeople for the electric utility and the city did not confirm the attack.
Soon after, Cyber Av3ngers, Anonymous Sudan and the Russia-aligned Killnetalso claimed they took down websites of the Israel Policy Forum think tank and the country’s finance ministry. There was no independent confirmation of the attacks available, and by Friday all the sites were running.
“At this moment, we have no evidence that there is any coordination between attacks on the ground and in cyberspace,” said Alexander Leslie, a threat intelligence analyst at Recorded Future. “We believe that the overwhelming majority of cyberattacks claimed by hacktivist groups are opportunistic and reactionary.”
Iranian hacking looming
The Hamas militants that carried out last weekend’s attacks in Israel are backed by Tehran, which Israel has fought in shadow wars for years. Security experts linked at least one anti-Israeli disinformation operation on social media this week to Iran.
The latest round of cyber hostility follows years of online blows. Iranian hackers were blamed for an unsuccessful attempt to increase chlorine levels in Israel’s water system in 2020. The Stuxnet virus, discovered In 2010, was believed to be a U.S. and Israeli project to sabotage Iran's nuclear program. Israel was also said to be behind a 2020 cyberattack on a major Iranian port.
Lt. Gen. Charles Moore, who was until last year the deputy director of U.S. Cyber Command, said, “Right now I assess that Iran is happy to direct and support all forms of operations, both cyber and kinetic, via their proxies.”
“However, as the Israeli operations in Gaza continue to evolve, that could change quickly,” he said, adding he expects a “very aggressive influence, propaganda campaign by Iran.”
Israel also is a difficult target for cyber strikes. It is considered one of the most advanced countries in cybersecurity and is a major center of the world’s surveillance industry. The Biden administration has also increased cyber support to Israel this week. Moreover, the Israeli tech community stood up its own “citizen cyber brigades” in the days since the Hamas attack, The Wall Street Journal reported.
“The question as to how Israeli and U.S. intelligence failed to detect such a large-scale operation by Hamas is one that has left many people, both inside and outside of the government, quite perplexed,” Moore said. “That said, Israeli cyber forces are some of the best in the world.”