Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Israel-Hamas War: Publicity-Seeking Hacktivists Take Sides

Many Hack Attack, Data Dump and Website Disruption Claims Are Bogus, Experts Say
Israel-Hamas War: Publicity-Seeking Hacktivists Take Sides
Image: Israel Defense Forces

Self-proclaimed hacktivist groups have been attempting to insert themselves into the narrative surrounding the latest war between Israel and Hamas, and sometimes succeeding.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

"The ongoing conflict in Israel has drawn the attention of multiple hacktivist groups, each with their own motivations, either in opposition or support of Israel or Palestine," said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint.

More than 1,000 Israelis have been killed and 2,800 injured following a Saturday attack by militant group Hamas, which is designated as a terrorist organization by the U.S. government. Hamas overran the Israeli border along the Gaza Strip during the early morning hours of Saturday, occupying army bases and killing civilians in kibbutzim and towns.

Israeli Prime Minister Benjamin Netanyahu declared war against Hamas and Islamic Jihad, ordering retaliatory airstrikes. The Palestinian Health Ministry said on Tuesday that the airstrikes on the Gaza Strip have left 950 people dead and 5,000 injured.

Low-level distributed denial-of-service attacks are already a feature of the Israel-Palestinian war. The Jerusalem Post on Sunday said its website was being hit by a DDoS attack, and that it remained intermittently down until Tuesday. The pro-Kremlin Anonymous Sudan group claimed credit for the attack. Experts say the attack by the well-funded group - which doesn't appear to be part of Anonymous or based in an impoverished East African nation - highlights how quickly supposed hacktivist collectives have joined the fray (see: Expensive Proxies Underpin Anonymous Sudan DDoS Attacks).

Attackers have also defaced multiple websites, the online equivalent of spray-painting the outside wall of a building. Some also claim to have hacked targets and dumped stolen data.

"I've seen several Israeli databases for sale on the usual forums today," Alexander Leslie, a threat researcher at Recorded Future, said in a Tuesday post to X, formerly Twitter. "I can't verify their authenticity, but I can tell you this: Similar to Ukraine, there were a lot of opportunistic threat actors that sold fake, public, and old data. Likely the same thing happening here."

At least one group has executed an attack that didn't involve DDoS or defacements. On Sunday, AnonGhost subverted the Red Alert app, available to iOS and Google Play users, through which volunteers relay real-time alerts to residents of Israel of incoming rocket, mortar and missile attacks.

AnonGhost is a pro-Palestinian Anonymous spinoff which has been operating - or at least its handle continues to be invoked by attackers - for more than a decade.

The group or collective exploited an API vulnerability in the Red Alert app, security researchers at cybersecurity firm Group-IB reported. "In their exploit, they successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python scripts to send spam messages to some users of the app," it said. Researchers said they recovered chat logs tied to the group which claimed they'd spammed some users with bogus messages about a "nuclear bomb."

The cybersecurity firm said that while "hacktivists are generally associated with conducting small-scale DDoS attacks and defacement," they do sometimes cause chaos or attempt to spread fear by hitting APIs tied to web and mobile applications, which can be "softer targets compared to the principal product APIs."

AnonGhost's hit on the Red Alert app came just one day after Hamas launched its sneak attack on Israel (see: Intelligence Failure: Surprise Strike on Israel by Hamas).

Taking Sides

In recent days, a small number of hacktivist groups have voiced support for Israel. One of them, Indian Cyber Force, appears to support the Indian government's policy aims. It's retweeted messages of support for Israel and claimed on Sunday to have begun launching DDoS attacks against government email services in Palestine, Bank of Palestine and other targets.

On Monday, the self-proclaimed hacktivist group Predatory Sparrow, posting to Telegram and X with the handle "Gonjeshke Darande" - the Persian version of the group's name - announced its return. The group appears to have been active in 2021 and 2022, with a focus on Iran. In one high-profile campaign last year, the group claimed to have triggered fires in multiple state-run Iranian steel foundries. Security experts say the sophistication and restraint shown by the group suggest its government-run (see: Predatory Sparrow's Hacks: There's Smoke, There's Fire).

Many other hacktivist groups or handles - 31 at last count - have espoused a pro-Palestine, pro-Muslim and/or anti-Israel agenda, Flashpoint's Gray said. These include such groups as 777exploitteam, Ghosts of Palestine, HackersFactory, NinjaForces and Mysterious Team Bangladesh, and he expects more to follow as the conflict escalates.

Pro-Kremlin KillNet and Anonymous Sudan operation have claimed on their Telegram channels that they'll target the Israeli government. The latter "alleged it had obtained unspecified "zero-day vulnerabilities from Romania" to use in anti-Israel attacks," reported security operations software vendor ReliaQuest (see: KillNet DDoS Attacks Further Moscow's Psychological Agenda).

Many hacktivist claims tied to the conflict are fake, or hoaxes. This includes a claim by the CyberAv3ngers hacktivist group on its Telegram channel that it "hacked" a number of power companies, including the Dorad power station in southern Israel. After analyzing data leaked by the group as supposed proof, Group-IB said it's the same as data stolen and leaked in 2022 by Moses Staff, which is a group suspected of being aligned with or run by Iran.

"This is yet another example of how hacktivists try to generate hype by posting data from past attacks and masquerading them as recent ones in order to attract attention," Group-IB said. "Stay alert."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.