🌍 Cyber Conflict Analysis: Israel-Palestine 2023 (Master Thread)

Last Updated: 30th November 2023

In light of the ongoing conflict between Israel and Palestine, several digital attacks including data breaches, denial-of-service attacks, and malware campaigns are being executed by each party. The repercussions of cyber-attacks impact both virtual and physical realms, highlighting the significance of understanding digital warfare. This awareness is not confined to specific regions; the dynamics of cyber warfare are a global concern.

This Master Thread is created as a centralized repository to share, analyze, and discuss cyber incidents occurring within the Israel-Palestine conflict. It seeks to have an informed and balanced dialogue by collating a range of resources, viewpoints, and real-time updates.

Linked within this thread is our curated list of Telegram Channels dedicated to awareness and Threat Intelligence, offering varied perspectives on the cybersecurity tactics being deployed amidst the conflict.

Disclaimer: Participation in this thread demands a strict adherence to legal and ethical guidelines. Be cautious while interacting with external channels and ensure compliance with all applicable laws and community norms. Crushing Security does not endorse any of the views, actions, or ideologies exhibited within shared resources; they are provided solely for educational purposes and to encourage informed discussion.

Please note that this thread and the linked Telegram Channels thread are designated for individuals aged 18 and above.

:speech_balloon: Resources

:earth_asia: Involved Entities

State-Affiliated Entities

  • :palestinian_territories: Hamas: Conducts physical and digital attacks against Israeli targets.
  • :israel: Israel Defense Forces (IDF): Engages in defense operations and cybersecurity measures, and has the skills and capacity to craft sophisticated tooling for offensive operations.

Hacktivist Groups Supporting Israel

  • :india: Indian Cyber Force: Targets Hamas websites and Palestinian authority pages.
  • :palestinian_territories: Cyber Av3ngers: Compromised ORPAK systems. Also Known for the cyberattack on the Municipal Water Authority of Aliquippa, targeting Israeli-made industrial systems.
  • :palestinian_territories: YourAnon T13x: Targeted Israeli news websites.

Hacktivist Groups Supporting Palestine

  • :palestinian_territories: AnonGhost: Leaked databases and distributed exploit scripts.
  • :palestinian_territories: Soldiers Of Solomon: Exfiltrated and encrypted data in the Nevatim military area.
  • :palestinian_territories: ./CsCrew: Advocated for DoS tool usage.
  • :palestinian_territories: Islamic Cyber Corps: Released manifesto rallying Muslim hacktivists.
  • :indonesia: Indonesian Hackers (e.g., Blankon33, Aceh Cyber Team): Participated in cyberattacks against Israel as part of the global Anonymous collective.

International Hacktivist Groups

  • :ru: Russian Auxiliaries: Groups such as KillNet.
  • :malaysia: DragonForce Malaysia: Conducted DDoS and defacement attacks.
  • Cyb3r_Drag0nz_Team: Defacement attacks against educational sector sites.
  • X7root: Defaced websites with offensive messages.

Advanced Persistent Threats (APTs) and Other Cyber Espionage Groups

  • :palestinian_territories: Arid Viper (APT-C-23, Grey Karkadann, Desert Falcon, Mantis): Suspected to operate on behalf of Hamas, conducts cyber espionage.
  • :palestinian_territories: Gaza Cybergang (Molerats, TA402, Gaza Hackers Team, Moonlight, Extreme Jackal, Aluminum Saratoga, JEA/Jerusalem Electronic Army): Collects intelligence, possibly affiliated with Hamas.
  • :lebanon: Plaid Rain (Aqua Dev 1, Polonium): Targets Israeli entities, potentially coordinated with Iran.
  • :iran: IMPERIAL KITTEN (Iran nexus): Conducts cyber espionage and strategic web compromise (SWC) operations targeting the transportation, logistics, and technology sectors. Suspected connection to the Islamic Revolutionary Guard Corps (IRGC).
  • :iran: Moses Staff: Pro-Iranian group targeting Israeli entities.
  • :iran: MuddyWater (APT group): Conducts spear-phishing campaigns against Israeli targets.

Regional and Other Groups

  • :pakistan: Team Insane Pakistan: Executes DDoS attacks against targets in pro-Israeli countries.
  • :sudan: Anonymous Sudan: Responsible for a major outage of ChatGPT, citing OpenAI’s alleged ties with Israel. Also targets Western media outlets with DDoS attacks.
  • :iran: Haghjhoyan (Peace Seekers): Leaks data and attacks Israeli infrastructure.

International Cybersecurity Authorities and Agencies

  • :us: United States (e.g., NSA, CISA): Involved in providing cybersecurity intelligence and insights, as exemplified by NSA official Rob Joyce’s commentary on Israel’s cyber pressures. Additionally, deals with the impact of the conflict within its own borders, such as the Iranian-linked cyberattack on the Municipal Water Authority of Aliquippa.

:hammer_and_wrench: Tools and Malware Observed

  • Advanced Monitoring Agent: A legitimate remote administration tool repurposed by MuddyWater in its spear-phishing campaign for system reconnaissance and control.
  • BiBi-Linux Wiper: A Linux malware targeting Israeli entities for file corruption and system disruption.
  • CVE-2023-29489 Exploit: Exploited vulnerability targeting cPanel web hosting software, used by hacktivist groups for digital infiltration.
  • DDoS Tools: Used by various groups to overwhelm and incapacitate the digital infrastructure of adversaries.
  • IMAPLoader: This malware family is employed by IMPERIAL KITTEN in strategic web compromise (SWC) operations. It functions as the final payload, utilizing email-based communication for command and control (C2) operations. IMAPLoader is particularly noteworthy for its capability to leverage email servers as a means to control compromised systems, making detection more challenging.
  • Malicious Microsoft Excel Documents: Utilized in phishing operations by IMPERIAL KITTEN, these documents are macro-enabled Excel files designed to deceive targets into enabling macros, which then triggers the execution of malicious payloads. Once a victim opens the file and activates the macros, the document deploys various batch files and a Python interpreter to the system, establishing persistence and initiating the main Python payload. This method exemplifies the sophisticated use of seemingly benign documents to infiltrate systems and execute custom malware.
  • MuddyC2Go: A command and control (C2) framework utilized by MuddyWater to communicate with and control compromised systems.
  • Pegasus Spyware: Developed by NSO Group, used by the Israeli government for surveillance, particularly against Hamas.
  • PrivateLoader: Employs a payload delivery system to facilitate the spread of additional malware.
  • Redline Stealer: Utilized for data theft, extracting sensitive information from compromised systems.
  • SysJoker: A cross-platform backdoor with variants for Windows, Linux, and Mac, employed in targeted attacks by a Hamas-related threat actor.
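The macro-enabled Excel lure listed above relies on the victim enabling a VBA project embedded in the workbook. The following is an added triage helper (not code from the thread or from any vendor report it cites): it opens an OOXML container, checks for the well-known VBA part (`xl/vbaProject.bin` for Excel) and for the macro-enabled content type declared in `[Content_Types].xml`, and flags the common trick of a macro-enabled file shipped under a plain `.xlsx` name. The two sample workbooks are constructed in memory and contain placeholder bytes, not real macros.

```python
"""Triage OOXML spreadsheets for an embedded VBA project (added example)."""
import io
import zipfile

# OOXML documents are ZIP containers; VBA code lives in a vbaProject.bin part.
VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def inspect_ooxml(data: bytes) -> dict:
    """Return triage facts about an OOXML container held in memory."""
    result = {"is_zip": False, "vba_parts": [], "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["vba_parts"] = sorted(
            n for n in names if n in VBA_PARTS or n.lower().endswith("vbaproject.bin")
        )
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(t in content_types for t in MACRO_CONTENT_TYPES)
    return result


def has_macros(data: bytes) -> bool:
    """True when either indicator of an embedded VBA project is present."""
    facts = inspect_ooxml(data)
    return bool(facts["vba_parts"]) or facts["macro_content_type"]


def triage(filename: str, data: bytes) -> str:
    """Human-readable verdict combining the content check with the file name."""
    facts = inspect_ooxml(data)
    if not facts["is_zip"]:
        return "not an OOXML container (legacy .xls or something else)"
    macros = bool(facts["vba_parts"]) or facts["macro_content_type"]
    if not macros:
        return "no VBA project found"
    if filename.lower().endswith((".xlsx", ".docx", ".pptx")):
        return "VBA project present but extension claims a macro-free format: suspicious"
    return "macro-enabled document: review the VBA project before opening"


def _build_sample(macro: bool) -> bytes:
    """Constructed minimal workbook; the VBA part is a placeholder, not real code."""
    buf = io.BytesIO()
    main_ct = (
        "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        if macro
        else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    )
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


CLEAN_SAMPLE = _build_sample(macro=False)
MACRO_SAMPLE = _build_sample(macro=True)

if __name__ == "__main__":
    print("invoice.xlsx ->", triage("invoice.xlsx", CLEAN_SAMPLE))
    print("invoice.xlsm ->", triage("invoice.xlsm", MACRO_SAMPLE))
    print("invoice.xlsx (renamed) ->", triage("invoice.xlsx", MACRO_SAMPLE))
```

The check is deliberately structural rather than signature-based: it says whether a VBA project exists, not what it does, which is the question a mail gateway or analyst needs answered before the macro is ever enabled. Legacy binary `.xls` files are not ZIP containers and need a different parser.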

:shield: Cyber Updates

Visual Index:
:red_square: - Severe impact and high-profile incidents.
:orange_square: - Significant impact with notable consequences.
:yellow_square: - Moderate impact with considerable effects.
:green_square: - Lower impact but still notable.
:large_blue_circle: - Informational updates or non-critical events.

October 2023

:green_square: :globe_with_meridians: 9th October - Jerusalem Post Website Attack: Hacktivist groups launched online attacks amidst the Israel-Palestine conflict, with The Jerusalem Post’s website being taken offline. :israel: The Daily Dot

:yellow_square: :classical_building: 9th & 10th October - Government and Media Websites Attacks: Various groups, including the Russian hacker group Killnet, are suspected to have targeted Israeli government and media websites following the Hamas attacks. :israel: :palestinian_territories: :ru: Cybernews

:yellow_square: :crossed_swords: 10th October - Rising Cyberattacks Post Hamas Assault: A noted rise in cyberattacks targeting Israeli websites, with some groups allied with Hamas. :israel: :palestinian_territories: Time

:yellow_square: :rotating_light: 11th October - Red Alert App Breach: The Red Alert app was breached, resulting in fake nuclear attack notifications. :israel: :palestinian_territories: Cybernews

:green_square: :woman_technologist: 12th October - Israeli Cyber Security Professionals Volunteer: Israel Tech Guard formed to address cyber threats and locate hostages. :israel: Reuters

:orange_square: :oil_drum: 14th October - ORPAK Systems Compromise: Hacktivist group Cyber Av3ngers is suspected to have compromised ORPAK systems, leaking CCTV footage and data from various gas stations, along with screenshots of internal panels using SiteOmat. :palestinian_territories: SoC Radar

:green_square: :broken_heart: 15th October - The Gaydar Database Leak: Hacktivist group AnonGhost Indonesia claims to have leaked the database of The Gaydar, an Israeli LGBTQ dating site, on Pastebin. Note: I can only find a single source for this from Cyfirma. :palestinian_territories: Cyfirma

:yellow_square: :newspaper: 16th October - News Website Attacks: Israeli news websites All Israel News and Abu Ali Express were targeted by hacktivist YourAnon T13x, who managed to DDoS the websites after initial countermeasures blocked the web requests. :palestinian_territories: Cyfirma

:yellow_square: :toolbox: 17th October - Hacktivist Attack Method Sharing: Hacktivist groups like AnonGhost and ./CsCrew continued sharing attack methods, distributing scripts to exploit vulnerabilities like CVE-2023-29489, and recommending DoS tools to followers. Islamic Cyber Corps released a jihadist manifesto rallying Muslim hacktivists for substantial actions. :palestinian_territories: SoC Radar

:yellow_square: :computer: 17th October - CVE-2023-29489 Exploit Disclosure: Hacktivist group AnonGhost dumped a list of Israeli targets vulnerable to CVE-2023-29489 along with the exploit, affecting cPanel applications hosted on websites. :palestinian_territories: Cyfirma

:orange_square: :shield: 19th October - Soldiers Of Solomon Attack: Soldiers Of Solomon claimed control over assets in Israeli Nevatim military area, allegedly exfiltrating 25TB of data and encrypting it with ransomware. :palestinian_territories: SoC Radar

:green_square: :robot: 20th October - AI-Powered Israeli Cyber Dome: An AI-powered Israeli Cyber Dome defense operation was initiated to bolster cybersecurity. :israel: Dark Reading

:orange_square: :hospital: 22nd October - Hospital Cyber Attacks: Amid escalating cyber tensions, critical entities like hospitals were targeted. Notably, Sheba Medical Center, Tel Hashomer, was attacked, leading the Israeli Health Ministry to disconnect remote internet access to prevent further damage. Several other hospitals proactively disconnected from the internet to ensure uninterrupted patient care. :israel: Databreaches.net

:yellow_square: :satellite: 23rd October - Cyber operations linked to Israel-Hamas fighting gain momentum: Amid a flurry of exaggerated claims of cyberattacks, experts cautioned that attacks on digital systems might intensify as the conflict drags on. An unverified cyberattack against Israel’s Nevatim Air Force Base was reported, claimed by a pro-Palestinian group. :israel: :palestinian_territories: CyberScoop

:yellow_square: :loudspeaker: 24th October - SentinelOne Report on Disinformation: SentinelOne reported an escalation in disinformation tactics via social media platforms. The report highlighted state-sponsored threat actors, including APT groups associated with Hamas, Hezbollah, and Iran. Arid Viper, Gaza Cybergang, and Plaid Rain were identified as significant actors. :israel: :palestinian_territories: SentinelOne.

:green_square: :no_entry_sign: 24th October - Google’s Intervention in Telegram: Google removed Telegram channels promoting hacktivist campaigns against both regions. :israel: :palestinian_territories: Verge.

:green_square: :world_map: 24th October - Google Maps Suspends Live Traffic Features: Google temporarily suspended the display of live traffic conditions on Google Maps and Waze within Israel as a precautionary action amid potential ground operations into Gaza. :israel: CNN.

:yellow_square: :arrows_counterclockwise: 26th October - Misuse of Map Services for Propaganda: Reports emerged of Google Maps being misused to disseminate propaganda, reflecting the increasingly digital nature of the conflict. :israel: SoC Radar

:orange_square: :art: 26th October - Website Defacement Spree: Pro-Palestinian groups DragonForce Malaysia, Cyb3r_Drag0nz_Team, and X7root defaced approximately 125 Israeli websites, and claimed to have leaked database dumps. :palestinian_territories: WaterISAC.

:red_square: :chart_with_upwards_trend: 26th October - Hacktivism Escalation: Increased hacktivist activity was observed amid the conflict. A pro-Iran group named Haghjhoyan emerged, leaking data of Israeli citizens and claiming cyber intrusions into the Israeli Red Alert Emergency System and various critical infrastructure sectors. :israel: :iran: SentinelOne Blog.

:orange_square: :medal_military: 30th October - APT Group Resurgence: APT groups, particularly Moses Staff with pro-Iranian ties, have escalated their operations, engaging in data breaches and disruptive attacks, signifying a surge in sophisticated cyberattacks. :israel: :palestinian_territories: :iran: SoC Radar.

:orange_square: :boom: 31st October - Escalation to Cyber Sabotage: The cyber aspect of the Israel-Hamas conflict has advanced beyond mere hacktivism. A pro-Hamas group has deployed a Linux-based malware, the BiBi-Linux Wiper, against Israeli targets. This malware can significantly damage an operating system by corrupting and overwriting files, marked with a “BiBi” extension. Meanwhile, the APT group Arid Viper, suspected to be affiliated with Hamas, continues to engage in cyber espionage, dividing into sub-groups with specific targets in Israel and Palestine. Their sophisticated methods point to an ominous future where the involvement of elite cyber warfare units is likely to be more pronounced and destructive. These developments underscore a shift towards more aggressive cyber strategies aimed at causing substantial disruption and damage. :israel: :palestinian_territories: SoC Radar.

October 2023 Summary

You can read the October 2023 summary in our blog post here: 🌐 An Analysis of the Israel-Palestine Conflict from a Cybersecurity Perspective, October 2023

November 2023

:red_square: :tv: 1st November - Media Outlets Under Cyber Siege: Anonymous Sudan dramatically intensified its campaign against media outlets by initiating a prolonged DDoS attack on AP News, causing a service disruption exceeding 13 hours. The assault was expanded to include Fox News and several Sudanese press organizations, shedding light on the substantial impact hacktivist groups can have on the accessibility and distribution of information. Concurrently, Team Insane Pakistan targeted the OECD Nuclear Energy Agency’s site with a DDoS attack, though it seemed to have a minimal strategic impact. Adding to the complexity of cyber threats, a South Asian hacktivist collective, known as the 177 Member group, has been actively disclosing databases from American and Indian targets, illustrating the persistent cyber threats posed by such groups. :israel: :palestinian_territories: SoC Radar

:orange_square: :e-mail: 2nd November - Spear-Phishing Campaign by MuddyWater: The Iranian nation-state actor known as MuddyWater initiated a spear-phishing campaign targeting two Israeli entities to deploy a legitimate remote administration tool, demonstrating the persistent cyber espionage efforts of state-sponsored groups. Using a refined multi-stage infection mechanism, MuddyWater targeted Israeli infrastructure with spear-phishing emails. Victims who download from the malicious URL receive obfuscated LNK files; these trigger an executable that masquerades as a folder and deploys “Advanced Monitoring Agent” for system reconnaissance, potentially establishing communication with a new C2 framework, “MuddyC2Go”. :israel: :iran: Cyberwarzone

:orange_square: :robot: 8th November - ChatGPT Targeted by Anonymous Sudan: A hacking group, Anonymous Sudan, claimed responsibility for a major outage of ChatGPT, an AI tool developed by OpenAI. The group cited OpenAI’s alleged ties with Israel and support during the Israel-Hamas conflict as the primary reasons for the attack. They accused OpenAI of cooperation with Israel and claimed that AI technology is being used by Israeli intelligence agencies like Mossad. They also alleged biases in ChatGPT towards Israel and against Palestine. :israel: :sudan: PYMNTS

:orange_square: :cat: 9th November - IMPERIAL KITTEN Deploys Novel Malware Families: CrowdStrike Counter Adversary Operations identified a series of cyberattacks and strategic web compromise (SWC) operations targeting organizations in the transportation, logistics, and technology sectors. These activities were attributed to IMPERIAL KITTEN, an Iran-nexus adversary suspected to be connected to the Islamic Revolutionary Guard Corps (IRGC), known for using social engineering and custom .NET-based implants. The operations involved tactics like SQL injection, stolen VPN credentials, and phishing with malicious Microsoft Excel documents. :israel: :iran: CrowdStrike

:red_square: :desktop_computer: 10th November - BiBi-Windows Wiper in Pro-Hamas Attacks: Cybersecurity researchers have identified a new strain of wiper malware, known as BiBi-Windows Wiper, targeting Windows systems. This malware, suspected to have been developed by a pro-Hamas hacktivist group, is a Windows version of the earlier observed BiBi-Linux Wiper. It is designed to overwrite data in the C:\Users directory with junk data and append “.BiBi” to the filenames, effectively corrupting files and preventing recovery through the deletion of shadow copies. This campaign is believed to be part of a larger strategy to disrupt Israeli companies’ day-to-day operations. :israel: :palestinian_territories: The Hacker News
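The BiBi-Windows Wiper entry above gives a responder two concrete indicators: files under C:\Users renamed with a “.BiBi” suffix after being overwritten, and deletion of volume shadow copies to block recovery. The following is an added incident-response triage script (not code from the thread or from The Hacker News report it cites): it walks a directory tree counting files that carry the “.BiBi” marker, summarises how much of each directory is affected so the blast radius can be scoped, and scans process-creation log lines for shadow-copy deletion commands. The directory tree and log lines are constructed for the example; the marker regex tolerates a trailing counter after “.BiBi”, which is an assumption, not something the thread states.

```python
"""Scope a suspected BiBi-style wiper incident (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# The thread reports ".BiBi" appended to filenames; a trailing counter is tolerated (assumption).
BIBI_MARKER = re.compile(r"\.BiBi\d*$", re.IGNORECASE)

# Command patterns that remove shadow copies; matched against process-creation logs.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
)


@dataclass
class ScanResult:
    flagged: list = field(default_factory=list)       # paths carrying the marker
    per_directory: dict = field(default_factory=dict)  # directory -> (flagged, total)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect every file whose name matches the wiper marker."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if BIBI_MARKER.search(f)]
        result.per_directory[dirpath] = (len(hits), len(files))
        result.flagged.extend(os.path.join(dirpath, f) for f in hits)
    result.flagged.sort()
    return result


def affected_ratio(result: ScanResult) -> float:
    """Fraction of all scanned files that carry the marker (0.0 when the tree is empty)."""
    hits = sum(h for h, _ in result.per_directory.values())
    total = sum(t for _, t in result.per_directory.values())
    return hits / total if total else 0.0


def original_name(path: str) -> str:
    """Strip the marker so a responder can see which file was hit (content is still lost)."""
    head, tail = os.path.split(path)
    return os.path.join(head, BIBI_MARKER.sub("", tail))


def find_shadow_copy_deletion(log_lines) -> list:
    """Return the log lines whose command line deletes volume shadow copies."""
    return [line for line in log_lines if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


def build_constructed_tree() -> str:
    """Create a throwaway tree that mimics a partially wiped profile (constructed data)."""
    root = tempfile.mkdtemp(prefix="bibi-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = [
        ("report.docx.BiBi", b"\x00\x00junk"),    # renamed and overwritten
        ("budget.xlsx.BiBi1", b"\xff\xffjunk"),   # renamed with a counter
        ("notes.txt", b"untouched content"),      # not yet reached by the wiper
    ]
    for name, body in samples:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(body)
    return root


# Constructed process-creation log lines, not captured from a real host.
SAMPLE_PROCESS_LOG = [
    "2023-11-10 08:01:12 host=WS01 user=alice image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "2023-11-10 08:01:40 host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe "
    "cmd=vssadmin.exe delete shadows /all /quiet",
    "2023-11-10 08:02:03 host=WS01 user=alice image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe",
]

if __name__ == "__main__":
    root = build_constructed_tree()
    result = scan_tree(root)
    print(f"{len(result.flagged)} marked files, {affected_ratio(result):.0%} of the tree")
    for path in result.flagged:
        print("  was:", original_name(path))
    for line in find_shadow_copy_deletion(SAMPLE_PROCESS_LOG):
        print("shadow copy deletion:", line)
```

The ratio per directory is the useful number for scoping: a wiper that walks a profile top-down leaves a sharp boundary between fully renamed and untouched directories, which tells the responder where it was stopped. Recovering the original name does not recover content; the file was overwritten before being renamed, which is why the shadow-copy check matters as an early warning rather than a post-hoc indicator.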

:orange_square: :mag: 11th November - Pegasus Spyware Deployed Against Hamas: The Israeli government has reportedly deployed the controversial Pegasus spyware, developed by NSO Group, to track individuals affected by Hamas’ actions. Pegasus, known for its “zero-click” installation capability, allows remote surveillance of devices without requiring any action from the target. This software has been used to track the movement of cell phones during and after an attack carried out by Hamas on October 7, aiding in locating victims and assessing the movements of those involved. :israel: Axios

:large_blue_circle: :globe_with_meridians: 15th November - NSA Insights on Israel’s Cyber Pressures: A senior National Security Agency official, Rob Joyce, highlighted that Israel is under significant cyber pressure from various adversaries, including the Iranian government, hacktivists, and ransomware criminals. Iran, known for supporting Hamas, poses a formidable digital threat, potentially worsening if the conflict expands. Joyce emphasized the challenges in distinguishing independent hacktivist groups from those backed by nation-states. Additionally, ransomware groups are exploiting the conflict, with misinformation being a particularly impactful strategy, as seen in an incident where an Israeli missile strike warning app displayed false alerts. These insights underline the complexity of the cyber threat landscape Israel faces amidst its conflict with Hamas. :us: :israel: :iran: :palestinian_territories: The Record

:large_blue_circle: :desktop_computer: 20th November - Deployment of Honeypots in Israel: In response to the heightened cyber threat environment, Israel has significantly increased the deployment of honeypots, decoy systems and networks designed to lure and catch attackers. These honeypots emulate a range of products and services so that malicious activity against them can be analysed. This strategic move is an effort to monitor and combat wide-scale cyberattacks. :israel: TechCrunch

:orange_square: :gear: 23rd November - Check Point Research on SysJoker: Check Point Research has been actively tracking new variants of the SysJoker malware, including a variant in Rust, used in targeted attacks by a Hamas-related threat actor. These attacks showcase the ongoing and sophisticated cyber conflict, with ties to past campaigns like Operation Electric Powder and the Gaza Cybergang, highlighting the persistent nature of these threats. :israel: :palestinian_territories: Check Point Research

:orange_square: :droplet: 26th November - Suspected Iranian-Linked Cyberattack on U.S. Water Authority: The Municipal Water Authority of Aliquippa, Pennsylvania, experienced a cyberattack, likely by the Iranian-backed Cyber Av3ngers group. The attack compromised a system at a booster station but posed no risk to the water supply. The attackers, known for targeting Israeli-made industrial systems, have also claimed attacks on Israeli water facilities since the Israel-Hamas conflict escalation, although their claims often exaggerate the impact. This incident underlines the extended reach and potential global impact of the Israel-Palestine cyber conflict. :us: :iran: SecurityWeek

November 2023 Summary

You can read the November 2023 summary in our blog post here: 🌐 An Analysis of the Israel-Palestine Conflict from a Cybersecurity Perspective, November 2023

:heart: Support the Cause

In the wake of the ongoing conflict, numerous humanitarian organizations are working tirelessly to provide aid to those in need. If you wish to contribute, below are some platforms where you can make a donation (live as of November 2023):

*Disclaimer: The inclusion of donation links does not imply endorsement of any particular stance on the conflict by Crushing Security. Participation is entirely voluntary, and individuals are encouraged to conduct their own research to ensure the authenticity and credibility of the platforms. Please adhere to the legal and ethical guidelines applicable in your jurisdiction when making a donation.

:loudspeaker: Feedback and Suggestions

We value the input of our community. If you have any suggestions, corrections, or additional resources to share, please feel free to comment below or contact us.