Cyber ops linked to Israel-Hamas conflict largely improvised, researchers say
In the wake of Hamas’s attack on Israel, researchers and cybersecurity firms observed an uptick in operations by hacktivists and state-sponsored hacking groups. But more than one month into the conflict, researchers are increasingly concluding that cyber operations linked to the war have been mostly opportunistic in nature and frequently exaggerated in terms of their impact.
In a pair of reports presented Thursday at the CYBERWARCON computer security conference in Arlington, Va., researchers from Microsoft and Mandiant, the Google-owned cybersecurity firm, described a wide range of cyber operations, from influence operations to ransomware attacks, that have attempted to shape the conflict between Israel and Hamas.
Shortly after Hamas fighters crossed into Israel, for example, researchers from the two firms said that Telegram channels were spun up to disseminate videos of massacres carried out at kibbutzim along the Gaza border. Pro-Iran mass media picked up on these videos and amplified them, while a number of different hacktivist groups claimed to have breached various Israeli critical infrastructure entities, in what appear to be exaggerated claims of cyberattacks.
Taken together, the cyber operations around the conflict point toward an improvised effort. “We have no evidence that Iranian threat actors were actually prepared for the attack,” said Simeon Kakpovi, a senior threat intelligence analyst at Microsoft.
Having been caught flat-footed by the Hamas attack, Iranian hacking groups instead used their existing operations and access to compromised systems and tried to pivot these operations to support Hamas, Kakpovi said.
Microsoft did not observe Iranian-linked cyber activity until Oct. 18, roughly 11 days after the start of the ground conflict. Data collected by Microsoft on known Iranian-linked hacking groups provides no evidence that the groups had pre-planned cyberattacks aligned with Hamas’s Oct. 7 attack, the researchers said, bolstering claims from senior U.S. government officials that Iran was likely not directly involved in the planning and execution of the attack.
As they spun up operations, the Iranian-linked groups made exaggerated claims regarding the impacts of their operations, including a purported ransomware attack on an Israeli military facility by a group known as Soldiers of Solomon, which is linked to Iran’s Islamic Revolutionary Guard Corps. That attack included claims of massive data exfiltration and screenshots of internet-connected cameras near the facility.
The compromised cameras, according to the researchers, were actually located across scattered sites outside any one defined region, suggesting “that despite Iran actors’ strategic claims, this camera example was ultimately a case of adversaries continuing to opportunistically discover and compromise vulnerable connected devices and try to reframe this routine work as more impactful in the context of the current conflict.”
While it is unclear how attacks on internet-connected cameras have figured into Hamas’s military operations, Israeli authorities nonetheless appear to be concerned about the risk they pose, including as possible targeting aids for rocket attacks. Israeli national security agencies reportedly want greater access to domestic cameras, including the ability to hack into them.
Researchers caution that as the conflict between Israel and Hamas drags on, attacks in the digital arena may ramp up. The relatively low-level cyber operations observed in the conflict so far are reflective of its participants’ political calculations, which may change as time goes on.
“Iran did not in earnest join the war yet, so it is plausible that in cybersecurity they are also walking the line,” said Yuri Rozhansky, a Google researcher studying the conflict.
The cybersecurity firm CrowdStrike reported on Thursday that a hacking group known as Charming Kitten, which is linked to the IRGC, has targeted the transportation, logistics and technology sectors with novel malware.