19 April 2024

Cyber Operations Intensify in Middle East, With Israel the Main Target

Robert Lemos

As tensions in the Middle East continue to escalate, cyberattacks and operations have become a standard part of the fabric of the geopolitical conflict.

Last week, the head of Israel's National Cyber Directorate blamed Iran and Hezbollah for "around the clock" cyberattacks against the country's networks, government agencies, and businesses, tripling in intensity as Israel's military operations continued against Hamas in Gaza. Following Quds Day — Iran's commemoration of its pro-Palestinian Jerusalem Day on April 5 — dozens of denial-of-service attacks disrupted Israeli targets, according to data from cybersecurity firm Radware.

While the volume of cyberattacks is running at a lower level so far this year, renewed tensions between Israel, Iran, and Lebanon could easily lead to more cyber activity, says Pascal Geenens, director of threat research for Tel Aviv-based Radware, a maker of cloud security solutions.

"There are two planes that we need to consider here," Geenens says. "One is more nation-state aligned, meaning purposely doing attacks against another nation, while the other is all the hacktivist activity — they just want to share their message [and] show that they're not happy with the situation."

Overall, Israel should be ready for more destructive cyberattacks, as Iran and other regional cyber groups have shown little restraint in such attacks, Google concluded in its "Tool of First Resort: Israel-Hamas War in Cyber" report, published in February. As Iran and Hezbollah appear ready to use destructive cyberattacks against both Israel and the United States, Israeli-linked groups likely will continue to target Iran, and hacktivists will likely target any organization they deem associated with their perceived enemies, the report stated.

"We assess with high confidence that Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, which may include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen," the company stated in the report.

Not Your Father's Cyber Conflict

When Russia invaded Ukraine, the Russian military used cyberattacks to target Ukraine before and during the invasion, and has widely attacked the US and Ukraine's allies in Europe in the two years since the start of the war.


A significant spike in cyberattacks came prior to and after Oct. 7, while much more modest levels of activity targeted Israel this year. 

For the Middle East, the cyber conflict has a different character. On one hand, the participants in the conflict have different strengths and limitations, which are affecting their options and making the cyber conflict more asymmetrical. Where the Russian government has a unity of purpose, Iran and Hamas are more opportunistic adversaries. Where Russia and Ukraine have similar cyber capabilities, Israel's military operations have limited Hamas' ability to respond, and the country has the most sophisticated cyber-offensive capabilities in the region, says Ben Read, head of cyber espionage analysis for Google Cloud's Mandiant incident-response group.

"Iran is very opposed to Israel, but aren't a direct party to the conflict, so their goals aren't necessarily about supporting the seizure of territory in the same sort of way as Russia," he says. "Because conventional weapons are not [currently] an outcome acceptable to Iran, they are using cyber to do some destructive [operations]. ... Cyber can be an easier tool to reach for there."

Iran is not the only anti-Israeli actor in the region. Google has observed cyber operations by groups linked to Hezbollah, a Lebanese Islamist political party and militant group aligned with Iran.

Iran has also been the target of disruptive cyber operations in the context of the conflict, says Kirsten Dennesen, reporting analyst with Google's Threat Analysis Group (TAG). Several disruptive attacks on the nation's infrastructure have been attributed to Predatory Sparrow, which reappeared in October and attacked Iranian gas stations in December, and which some analysts have linked to Israel.

"Telegraphing intent and demonstrating involvement in the conflict without escalating or directly taking part in on-the-ground confrontation ... limits potential blowback while also giving regional players the opportunity to project power through the cyber domain," she says. "Moreover, cyber capabilities can be quickly deployed at minimal cost by actors who may wish to avoid armed conflict."

Resurgence in Hacktivism

Nation-states are not the only actors involved in the conflict. In the past year, hacktivism has taken off as technologically savvy protesters react to the Russia-Ukraine war and the conflict between Israel and Hamas. Much of the increase in attack activity in Israel is due to hacktivism, as is demonstrated by sharp upticks in denial-of-service attacks, says Radware's Geenens.

"It's not like it did not exist before, but before they were much less organized, and now they have like this ability to gather on Telegram," he says. "They all started to communicate with each other through hashtags. They find each other much more easy, so they come together and create alliances to perform attacks."

In the past, the groups banded together under the Anonymous name, claiming the moniker for their own and attempting to get other groups to sign up. Today, they use operation-specific hashtags on Telegram to gain like-minded collaborators, a much more efficient method of operation, Geenens says.

Hacktivism likely will continue to fuel attacks against not only Israel, but other countries as well, he says. Attacks are more likely to ramp up quickly as nation-states develop standard techniques and hacktivists are able to collaborate more efficiently.

"Anything that happens in the future," Geenens says, "whether it be a military operation or an outcome of an election that they don't like or somebody says something that they don't like — they will be there and there will be a wave of DDoS attacks."
