Pro-Palestinian Threat Groups Expand Cyberwar Beyond Israel
As Israel’s military escalates its ground and air attacks in Gaza, the parallel cyberwar that spun up so quickly following the October 7 surprise raids by Hamas terrorists appears to be changing and spreading to other countries.
A report this month by cybersecurity firm SecurityScorecard found that while lower-level and less-skilled bad actors are becoming the most active hacktivists involved in the Israel-Hamas conflict, attacks in Israel involving more prominent players seemingly have slowed.
However, some have begun to target other countries like India and Kenya that have shown support for Israel, mirroring what was seen in the wake of Russia’s illegal invasion of neighboring Ukraine in 2022, when pro-Russian threat groups like KillNet began attacking Ukraine allies like the United States and European countries.
SecurityScorecard researchers wrote that while hacktivists targeting non-Israeli organizations isn’t new in the Israeli-Hamas conflict, the persistence of some groups is noteworthy, particularly in light of the drop in cyberattacks targeting Israeli organizations by some gangs.
“While the ground war continues to present risks of regional escalation, the recent attacks against Kenyan and Indian organizations illustrate just how far beyond the region the cyber conflict has already expanded,” they wrote.
Attacks from the Start
The cyberwar against Israel came swiftly on October 7, with a number of threat groups launching cyberattacks on organizations inside the country within an hour of the first sirens being heard warning citizens of incoming missiles into southern Israel. The cyberthreats continued in the days following the Hamas raids.
That is changing now, with the researchers noting the ongoing activity of lesser-known groups and adding that “some groups have claimed no new attacks, while others appear to have focused more on targets outside Israel.”
In addition, some of the attacks claimed by bad actors can’t be proven, they wrote.
Solomon’s Ring, a Persian-language pro-Palestine group with suspected ties to Iran – a major player in the Middle East that supports Hamas and other terrorist groups in the region and which has aggressive cyberthreat operations with a global reach – hasn’t claimed an attack since October 8. Even then, it was about an attack the day before that came with the unsupported claim of having stolen data from an unnamed Israeli data center.
KillNet on October 13 announced the creation of KillNet Palestine, but the subgroup hasn’t posted any new content since that message and KillNet’s most recent claim came a day later, boasting about an attack on a Ukrainian energy company.
“Given that KillNet has operated in support of Russian geopolitical interests for much of its history, and focused on targets related to the war in Ukraine for much of that history, this may reflect a return to form for the group,” the SecurityScorecard researchers wrote.
The Cyberwar Expands
Looking outside of Israel, the suspected Russian-linked group Anonymous Sudan, active from the beginning of the conflict, on October 15 said it made attacks in Kenya in response to the Kenyan government’s support of Israel. Similarly, Ghost of Palestine is still focused on Israeli targets, claiming attacks on government entities like the Ministry of Education, and Dark Store Team made its most recent claim October 20, saying it attacked Snapchat two days before.
“Closer study of the group’s history suggests that its motivations may be less strictly pro-Palestinian than they initially appear,” the researchers wrote, adding that the group also advertises its DDoS [distributed denial-of-service]-as-a-service and commercial malware and also attacks entities outside of Israel.
“And even though the group’s messaging focuses on the Palestinian cause, it may (like KillNet and Anonymous Sudan) act in support of Russian geopolitical interests,” they wrote. “For much of its history, it has targeted NATO member states and others that have declared their support for Ukraine.”
Some Claims Unsubstantiated
While attacks against Israel haven’t stopped – Anonymous Sudan claimed an October 20 DDoS attack against RedAlert, an app used to alert Israelis to incoming missile strikes, and other groups like the Moroccan Black Cyber Army and Turkish hacktivist group AslanNeferler Tim also have boasted of attacks – others are making claims that can’t be substantiated.
Those include the Muslim Cyber Army, SS Cyber Team, Cyber Av3ngers, and Palestinian Electronic_Tigers_Unit.
The 1915 Team also claimed on October 20 to have personal data of an Israeli military spokesperson and even circulated an image supposedly from the data, though the image features a password from 2019, so it may be fabricated, the researchers wrote. The group also said on October 11 that it planned to launch ransomware attacks against Israel, though it hasn’t been substantiated through October 20.
The pro-Palestinian group Force Electronic Quds is spending more time highlighting its defensive capabilities than claiming attacks against Israel, according to SecurityScorecard.