How hackers linked to Iran, Hezbollah and Hamas are increasing their efforts to attack Israeli targets
Cyber attacks not only aim to damage infrastructure but also to deter business with Israeli companies, creating a complex threat landscape
During the temporary ceasefire in the war between Israel and Hamas, cyber warfare activity did not cease. In recent days, elements from both sides have been revealing their activities. Hacker groups associated with the Iranian Revolutionary Guards have been distributing personal data obtained from Israeli websites and attempting to compromise American water systems. Meanwhile, in Israel, the IDF has exposed a fictitious network of avatars on Instagram designed to extract security information from both regular and reserve IDF soldiers.
At the end of the week, Israel's National Cyber Directorate and several American agencies, including the FBI, the NSA and CISA, issued a joint statement warning of activity targeting Israeli-made industrial controllers used in the water sector. The statement said that the Iranian Revolutionary Guard Corps (IRGC), designated a terrorist organization since 2019, operates an attack group calling itself the CyberAvengers (CyberAv3ngers). The group was recently observed attempting to damage industrial controllers made by the Israeli company Unitronics. Unitronics develops and manufactures Programmable Logic Controllers (PLCs), devices used to control and monitor machines that perform automated operations, such as production systems.
The announcement came amid speculation that CyberAv3ngers had hacked into a water facility belonging to the Municipal Water Authority of Aliquippa, Pennsylvania. Hackers left a message on the water pump screen, stating that the attack was in response to some of its components being manufactured in Israel. According to Matthew Motes, chairman of the board of directors for the Municipal Water Authority of Aliquippa, the hackers partially took control of the system regulating water pressure through Unitronics technology. However, the system was quickly shut down after the threat was discovered, and normal water pressure was maintained along the entire water line.
According to the joint Israeli-American statement, CyberAv3ngers has been responsible for several attacks since November 22, all against authorities across the United States that use Unitronics controllers. Although the attacks did not appear to cause disruption, the agencies are urging all organizations, and critical infrastructure entities in particular, to implement a series of recommendations to reduce the risk posed by the Revolutionary Guards' activity.
Since the Hamas attack on Israel on October 7, various hacker groups, some linked to Iran, Hezbollah or Hamas, have increased their offensive efforts against Israel. Anonymous Sudan, a group of Sudanese hackers active since early 2023, launched DDoS attacks against the Red Paint app, and the AnonGhost group spammed false missile alerts. A group affiliated with Russian interests called Killnet claimed responsibility for an attack that allegedly took down the websites of the Israeli government and Discount Bank. Not all hacker claims are true. For instance, on October 18, 2023, the group "Soldiers of Solomon," linked to the CyberAv3ngers, claimed responsibility for cyber attacks on over 50 servers, security cameras and smart city management systems in Israel; the joint statement clarified that most of these claims have been proven false.
Authorities, companies and entities related to Israel, which have always been popular targets for cyber attacks, have suffered more attacks in recent weeks than before. These have typically involved denial of service, publication of databases and exaggerated claims of access to critical infrastructure. Although CyberAv3ngers' claims about the vulnerabilities it had created also appear to be exaggerated, law enforcement agencies are taking the escalation seriously. "It is unknown whether additional cyber activities were intended or achieved deeper into these controllers or control networks and related components," the National Cyber Directorate said.
Some of the hacker groups pose an ongoing and familiar threat to Israel, but others are new. One of them, which drew attention during a weekend full of reports, is CyberToufan, which began its activity with the outbreak of the war. In recent days it has distributed databases of the Nature and Parks Authority and the Academic College of Tel Aviv through Telegram channels, including names, phone numbers and email addresses. It obtained this information in an attack about two weeks ago on the Israeli storage company Signature-it, in which the state archives and about 40 other Israeli websites, mainly in the retail sector, were hacked.
Additionally, CyberToufan threatened to leak the database of the Israeli medical device company Lumenis of Yokneam, containing over 80,000 records of its customers. "Netanyahu and his military forces bombed our hospitals," the group wrote on Telegram, explaining why it chose its target. "Does he think that the resistance and the Muslim nation will not make Israel pay the price in the near future? Any equipment made in Israel is a legal target of CyberAv3ngers." Lumenis reported that "no hacking into the company's information systems was detected."
Not all of the groups' messages and claims on Telegram have been confirmed as true, and the groups tend to exaggerate the scope and quality of their activities. In any case, it is clear that the purpose of the attacks, whether sophisticated or not, is not only to damage critical Israeli infrastructure but also to deter customers of Israeli companies from doing business with them.
At the same time, the IDF announced on Sunday that it had uncovered dozens of fictitious profiles, or avatars, whose purpose is to try to establish romantic relationships with members of the IDF through written conversations, voice recordings and video calls. "This is an infrastructure that activated dozens of profiles... with the aim of providing information to the terrorist organization Hamas," the statement said. The investigation was carried out by the IDF's information security department on the basis of network monitoring, and it follows a similar operation revealed at the beginning of November. That operation exposed "dozens of profiles on social networks" whose online credibility had been propped up with profiles of fictitious "parents," "siblings" and "friends." According to the IDF, the potential targets number in the "hundreds to thousands of regular and reserve IDF soldiers."
In the current investigation, another 40 fictitious characters were found on Instagram, some with hundreds of followers. For example, the announcement mentions "Lia Cohen," allegedly a software engineer and a graduate of Ben-Gurion University living in Eilat; "Adam," from Kibbutz Eilot, originally from Northern Ireland, who volunteers for the environment and "loves dogs, food, and sports"; and "Sarah," who lives in Denmark but wants to immigrate, has over 700 followers and "loves nature and traveling with friends."
Last week, against the backdrop of numerous cyber attacks, emergency regulations were approved that allow the National Cyber Directorate to issue direct instructions to business entities in the event of cyber attacks. The current instructions oblige an entity in which a suspected cyber attack has been identified to act promptly on the matter. "Despite the sensitivity and economic importance of these companies, there is currently no government agency entrusted with regulating their activities in terms of cyber defense," the emergency regulations state. Drafting of the regulations began at the beginning of the month; they define a non-public list of storage service providers and digital service providers. These services were chosen because of the high degree of connectivity between such providers and government offices, public bodies and the rest of the economy.