International Cybersecurity Research Made in Hamburg

Some Observations about the Cyber Conflict between Israel and Hamas

Matthias Schulze

22. January 2024


A German version of this blog post appeared in Tagesspiegel Background Cyber.

As in Ukraine, the current war in the Middle East is once again accompanied by a digital conflict. After two months of war, it is possible to draw some preliminary conclusions about cyber capabilities in the context of conventional ground wars. Taken together with earlier conflicts such as Ukraine 2022, Georgia 2008 or Kosovo 1998, an interesting continuity in the nature of digital conflict becomes apparent.

Over the past few weeks, the headlines have been full of reports of cyber-attacks in the Middle East, and some familiar patterns in the use of cyber capabilities have emerged. The attack by the terrorist organization Hamas on Israeli territory on October 7 was accompanied by simple Distributed Denial of Service (DDoS) attacks, i.e. mass requests to websites that overloaded web servers. According to Cloudflare, media companies (such as the English-language "Jerusalem Post") and Israeli government websites in particular were temporarily disrupted. DDoS attacks launched to accompany a physical invasion have been observed in numerous wars, for example in Ukraine in 2022 or in Georgia in 2008. Then as now, two objectives were presumably pursued: firstly, to disrupt communication and so conceal the ground operation, so that defenders cannot react quickly; and secondly, to influence the global and local information environment. Hiding part of the ground activity in the proverbial "fog of war" makes it harder for an international audience to understand the situation. DDoS attacks therefore seem to have become an established tactic in the first phase of armed conflicts.

Hacktivism

In the days around the attack on Israel, a second phenomenon that has accompanied armed conflicts since 1998 at the latest became apparent: international "hacktivism". In the current Israel-Hamas conflict, around 100 active hacktivist groups have been counted, most of which take a pro-Palestinian side and attack Israeli targets; there are also some pro-Israeli groups. These are often loosely organized collectives of hackers who are globally distributed and coordinate their activities via messaging apps and darknet forums. They do not necessarily have clear hierarchies, and membership tends to be fluid. They are typically united by a common political goal or a political or religious ideology; patriotic or even nationalistic elements are sometimes observable as well. The decisive factor is frequently personal involvement or individual proximity to the subject of the conflict. Research indicates that grievances are frequently the reason civilians become irregular combatants in conflicts, and this apparently holds in the cyber domain as well. Since the threshold to participate in digital vandalism is rather low (simple attack tools and tutorials are easily available online, and hacktivists do not have to put their lives on the front line), many heed the call. This is not new. When NATO intervened in Kosovo in 1999, pro-Serbian groups paralyzed NATO websites with DDoS attacks and smeared them with digital messages ("website defacement"). When NATO accidentally bombed the Chinese embassy in Belgrade in 1999, Chinese hackers joined the DDoS activities.

More than 100 collectives from all over the world also take part in the war in Ukraine. Some of them are more organized than others, for example the IT Army of Ukraine on the Ukrainian side and the pro-Russian Killnet group. In addition, there is some overlap of groups between the war in Ukraine and the war in Gaza: Killnet, for example, sided with Palestine and announced spectacular attacks on Israeli nuclear infrastructure (without any evidence necessarily corroborating this). Killnet allegedly has ties to the Russian government. This intermixing of the two conflicts is evident both on the side of the attackers and on the side of the victims.

As in Ukraine, globally active corporations or even third countries become victims of (distributed) DoS attacks, for example when they signal their support for one side or the other in this conflict. India, for instance, was caught in the crossfire of pro-Palestinian hacktivists when it signalled its support for Israel, and many Western companies came under digital fire from pro-Ukrainian hacktivists for continuing their operations in Russia. Another hacktivist motivation is certainly the attention and fame gained through allegedly spectacular hacks. This could already be observed as an element of hacktivism in 1998 in the context of the Kosovo war; in our current age of social media and its attention economy, the dynamic seems to be amplified.

Hacktivist groups differ in ideology and motivation, but not much in attack technique. The historically dominant techniques are denial-of-service attacks, website defacement, information operations and spam. During the Ukraine war, so-called "hack and leak" operations were added to the repertoire of established practices. Distributed Denial of Service attacks have not changed much in substance, being in essence a flood of ICMP, TCP/UDP or HTTP requests that exhausts a target's bandwidth or server capacity, but their scale and automation have changed since the 1990s. DDoS attacks in the 1990s were a largely manual process, whereas today rented botnets do the work. Because social processes are increasingly digitalized, DoS attacks can now also have effects that were unachievable in the 1990s: in December 2023, for example, pro-Israeli hacktivists used DoS to paralyze petrol stations in Iran, which simply would not have been possible then.
Another technique that had little relevance in the 1990s but can cause real harm to organizations is the hack-and-leak operation. Hack-and-leak attacks involve hacking web portals or databases and publishing their content via file-hosting or darknet platforms.
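As an added illustration of the DDoS pattern described above (this is example code written for this edit, not part of the original post or any tool mentioned in it), the following script runs simple flood detection over a constructed sample of web-server access-log lines. The sample, thresholds and window size are assumptions chosen for the demonstration. The point a defender should take away is that a per-address request threshold catches a single-source flood but is blind to a distributed one, in which hundreds of addresses each send only a couple of requests to the same URL; the second check counts distinct sources per path instead.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the common "combined" access-log format of Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_seconds=10, per_ip_threshold=100,
                  per_path_threshold=200, min_distinct_sources=50):
    """Bucket requests into fixed time windows and flag two flood patterns.

    single-source: one address sends >= per_ip_threshold requests in a window.
    distributed:   one path receives >= per_path_threshold requests from at least
                   min_distinct_sources addresses, each of which may stay far
                   below the per-address threshold (the DDoS case).
    Returns (single_source_hits, distributed_hits); thresholds are assumptions.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return [], []
    t0 = min(e["time"] for e in events)
    per_ip, per_path = Counter(), Counter()
    sources_per_path = defaultdict(set)
    for e in events:
        w = int((e["time"] - t0).total_seconds()) // window_seconds
        per_ip[(w, e["ip"])] += 1
        per_path[(w, e["path"])] += 1
        sources_per_path[(w, e["path"])].add(e["ip"])
    single = sorted((w, ip, n) for (w, ip), n in per_ip.items() if n >= per_ip_threshold)
    distributed = sorted(
        (w, path, n, len(sources_per_path[(w, path)]))
        for (w, path), n in per_path.items()
        if n >= per_path_threshold
        and len(sources_per_path[(w, path)]) >= min_distinct_sources
    )
    return single, distributed


def build_sample_log():
    """Constructed access-log sample (invented traffic, documentation IP ranges)."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    base = datetime(2023, 10, 7, 6, 30, 0)

    def ts(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S +0000")

    lines = []
    for i in range(20):                 # 20 ordinary visitors spread over one minute
        lines.append(fmt.format(ip=f"203.0.113.{i + 1}", ts=ts(3 * i), path=f"/article/{i}"))
    for i in range(300):                # single-source flood: 300 requests in 10 s
        lines.append(fmt.format(ip="198.51.100.7", ts=ts(i // 30), path="/"))
    for i in range(200):                # distributed flood: 200 addresses, 2 requests each
        for j in range(2):
            lines.append(fmt.format(ip=f"192.0.2.{i + 1}", ts=ts((2 * i + j) // 40), path="/search"))
    lines.append("not a log line")      # malformed input must be skipped, not crash the parser
    return lines


if __name__ == "__main__":
    single, distributed = detect_floods(build_sample_log())
    print("single-source floods:", single)      # [(0, '198.51.100.7', 300)]
    print("distributed floods:  ", distributed)  # [(0, '/search', 400, 200)]
```

In practice the per-path check still needs a baseline (a popular page legitimately receives many requests from many clients), so the thresholds would be derived from normal traffic rather than fixed as here; the structure of the two checks is what matters.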

During the war in Ukraine, many terabytes of data were published, particularly from Russian (but also Ukrainian and international) targets. Victims were plentiful: government entities such as intelligence agencies, media regulators and regional administrations, research institutions, and private companies from the arms industry to the media. In the current conflict between Israel and Gaza there are also hack-and-leak operations, although so far they appear to be less numerous than in Ukraine (this may change over time). As in the Ukraine war, the authenticity of these leaks cannot always be confirmed. Data breaches are costly for affected companies, which have to invest in mitigation and recovery and sometimes face regulatory fines as well. They also represent a strategic disadvantage. Correlating the mass of leaks, which contain interesting data points such as the ranks and service IDs of military personnel, medical records, private addresses or car registrations, can give adversaries worldwide a strategic advantage. Through big-data analytics and machine learning, adversarial intelligence agencies can learn a great deal about the inner workings of affected countries and organizations.
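The correlation risk described above is easy to underestimate when each leak is judged on its own. The following added example (written for this edit, not part of the original post) joins three invented leak fragments on a weak key, the person's name, after normalizing the differing spellings each source uses. All records are constructed and refer to no real person; the field names and the "two independent sources" threshold are assumptions. The result shows how a rank and service number from one breach, a home address from another and a diagnosis from a third combine into one profile.

```python
import unicodedata
from collections import defaultdict

# Constructed leak fragments (invented records, no real persons). Each source on
# its own reveals little, but all three carry a person name in some form.
PERSONNEL_LEAK = [   # e.g. from a breached HR portal: name, rank, service number
    {"name": "Doe, Jane", "rank": "Major", "service_id": "A-4471"},
    {"name": "Roe, Richard", "rank": "Captain", "service_id": "A-9023"},
]
VEHICLE_LEAK = [     # e.g. from a vehicle registry: owner, plate, home address
    {"owner": "JANE DOE", "plate": "X123YZ", "address": "Main St 5, apt 12"},
    {"owner": "Alice Example", "plate": "B777CD", "address": "Mira 1"},
]
CLINIC_LEAK = [      # e.g. from a medical records system: patient, diagnosis
    {"patient": "Jane  Doe", "diagnosis": "hypertension"},
]


def normalize_name(raw):
    """Reduce spelling variants ("Doe, Jane", "JANE DOE", "Jane  Doe") to one key:
    strip accents, lowercase, drop punctuation and sort the tokens so that word
    order and extra whitespace do not prevent a match."""
    ascii_text = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    tokens = [t for t in ascii_text.replace(",", " ").lower().split() if t]
    return " ".join(sorted(tokens))


def correlate(sources):
    """sources: list of (label, records, name_field).

    Returns profiles keyed by normalized name; every non-name attribute from
    every record is merged into the profile, and the contributing leaks are
    recorded under "sources" so an analyst can see where each fact came from."""
    profiles = defaultdict(lambda: {"sources": []})
    for label, records, name_field in sources:
        for rec in records:
            profile = profiles[normalize_name(rec[name_field])]
            profile["sources"].append(label)
            for field, value in rec.items():
                if field != name_field:
                    profile[field] = value
    return dict(profiles)


def high_value_profiles(profiles, min_sources=2):
    """Profiles assembled from at least min_sources independent leaks: these are
    the records whose combined attributes exceed what any single breach exposed."""
    return {k: v for k, v in profiles.items() if len(set(v["sources"])) >= min_sources}


if __name__ == "__main__":
    profiles = correlate([
        ("personnel", PERSONNEL_LEAK, "name"),
        ("vehicles", VEHICLE_LEAK, "owner"),
        ("clinic", CLINIC_LEAK, "patient"),
    ])
    for key, profile in high_value_profiles(profiles).items():
        print(key, profile)   # only "doe jane", with rank, service_id, plate, address, diagnosis
```

Name matching of this kind produces false positives (common names collide), which is why real analyses add further keys such as date of birth or address; the example keeps a single key to make the join mechanism visible.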

Information War

Cyber-attacks usually have two simultaneous effects: they negatively impact a system, and they send a message of vulnerability. This communicative function of cyber-attacks naturally also plays a role in armed conflicts. Historically, "website defacement", i.e. hacking the content management systems of websites and placing anti-war messages or propaganda there to demoralize or demonize the enemy, was a well-known element. Attacks on media companies or the broadcasting of messages via TV and radio are also established elements. Today, the many social media channels are used as well. This is the realm of strategic communication or information operations, which aim to dominate the information environment or discourse in target societies with one's own messages and narratives. The goal is to convince a target audience of one's own cause in order to generate moral support, or to discredit the adversary; alternatively, opposing voices can be drowned out in the flood of messages. For groups such as Hamas, this is of course also about recruiting new fighters. While the tools and technologies of the web 2.0 are rather new, as is their enormous global reach, the communicative principles of propaganda have not changed much.

One interesting current example is the manipulation of missile alert systems ("Red Alert"). Red Alert is an open-source app used by the Israeli population to receive warnings of rocket attacks. On October 16, a manipulated website appeared offering a variant of Red Alert for Android that contained a Trojan. The fake variant was probably used as spyware to intercept user data, but it is also capable of delivering fake push notifications about alleged missile attacks. There are reports that hacktivists are deliberately trying to hijack the APIs of such warning apps to trigger false alarms, presumably for demoralization purposes.

Since the Ukraine war of 2022 at the latest, it has become clear how enormously important dominance of the information environment has become in armed conflicts in the information age. President Zelensky's well-known video message that the early Russian invasion had not led to a quick conquest of Kyiv and that the "decapitation" of the Ukrainian government had failed sent a significant international signal: "we are still here". Since 2022, the Ukrainian government has impressively demonstrated how a state can organise information operations to generate international political support (especially in the form of arms deliveries). Other goals of Ukrainian strategic communication have been to boost the morale of its population, recruit soldiers and discredit Russian narratives. Research indicates that, at least with Western target audiences, Ukraine has been rather successful. Due to the tight media control of authoritarian Russia, Ukraine has been less successful in reaching the population of its adversary. The Russian state has not been idle either, dominating its national discourse with its own messages, and Russian strategic communication was and is geared toward the BRICS and non-aligned emerging countries. However, strategic communication is a marathon, not a sprint, so the long-term impact remains to be seen. Observers have noted, for example, that Russia could divert the attention of Western governments away from Ukraine by exploiting the conflict in Gaza and stirring tensions in other regional hot spots.

Many armed forces seem to have already learned from this, including the Israel Defense Forces (IDF), which have maintained an enormous media presence and strategic communication effort since the beginning of October. This includes debunking false reports and producing counter-narratives to Hamas messages across many types of media, traditional and social. There are also suspicions that the IDF could be responsible for internet blackouts in the Gaza Strip. The loss of internet connectivity occurred in parallel with the Israeli counteroffensive and presumably served to disrupt Palestinian communication and counter-response. Internet blackouts also play a recurring role in the Ukraine war, particularly in the frontline regions, and appear to have become an established practice in armed conflicts.

Where are the State Actors?

Interestingly, relatively few state or state-affiliated cyber operations can be observed in the current cyber conflict (so far). This distinguishes the current war from the Ukraine war, in which Russian threat actors (APT28, Sandworm, APT29, Gamaredon) were already active in Ukrainian networks long before the outbreak of hostilities.
It was only two weeks after the outbreak of hostilities in Israel that reports emerged of the suspected Iranian threat actors MuddyWater, APT42 and Imperial Kitten launching spear-phishing campaigns against Israeli targets. Iran is traditionally the most dominant threat actor against Israeli networks. On 13 November, a Windows version of the BiBi wiper also emerged, distributed by pro-Hamas threat actors. If attackers do not already have backdoor access, they must first establish footholds in target networks, often across several phishing waves, which usually takes some time (a few weeks) to succeed. Although there are threat actors rumoured to be close to Hamas (e.g. AridViper or Molerats), their activities have so far been limited to espionage. There are also signs that pro-Iranian threat actors are targeting critical infrastructure such as water supply; the compromise of Israeli-made Unitronics PLCs at water utilities in late 2023, attributed to the IRGC-affiliated "CyberAv3ngers" persona, relied on internet-exposed controllers with default credentials rather than on any sophisticated exploit.

Interestingly, nothing has yet been heard from Israeli threat actors. Unit 8200 of Israeli military intelligence is regarded as one of the world's best cyber units and has successfully taken action against Hamas in the past. Either its operations are too well camouflaged, or they are simply not the focus of Western threat intelligence vendors.

Conclusion

In general, various IT security companies observe the improvised nature of many of the current cyber operations surrounding the war in Gaza. Many attacks are opportunistic, i.e. they go after the low-hanging fruit. So far, little is known about targeted, long-running operations with deeper impact, and there are fewer reports of complex attacks comparable to the KA-SAT hack or the numerous wipers of the early phase of the Ukraine war. It is probably still too early for that. Most of the visible cyber-attacks fall into the category of temporary disruption and harassment. As in Ukraine, this shows once again that cyber operations have (so far) hardly achieved a major strategic effect in the context of armed conflicts. They can have a tactical function, for example when cyber-attacks steal information that armed forces can use, such as hacked live feeds from surveillance cameras that reveal the position of civilians or troops. Cyber espionage is also useful in armed conflicts, for example to obtain information about the strength and nature of the enemy. In addition, data from various data leaks and hack-and-leak operations can be gathered and correlated to draw meaningful conclusions. For example, Anonymous leaked files containing the names and ranks of the Russian military units stationed in Bucha, likely responsible for a massacre of the civilian population. Combined with open-source intelligence such as social media profiles, this could allow prosecutors to conduct war-crime investigations.

Thus far, cyber operations have hardly had any decisive impact on warfare on the ground. The communicative function of cyber capabilities, and the opportunities that digitalization offers for strategic communication, appear to be more important.