Pro-Hamas threat actors are highly likely to continue to conduct hostile cyber activity targeting organisations and individuals in Israel in the coming weeks.
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 14 November 2023.
- There has been a surge of such cyber activity in Israel since Hamas mounted attacks inside Israel on 7 October
- In parallel, the authorities in Israel are likely to step up their efforts to surveil social media platforms as they seek to control the narrative around the conflict
The ongoing conflict between Israel and Hamas is highly likely to mean that elevated cyber threats to individuals and organisations in Israel are sustained in the coming weeks. This includes pro-Palestine hacktivists and Iranian state-backed groups targeting Israeli organisations. Based on government warnings in the past month, individuals also face an elevated risk of hostile cyber activity against their devices from such groups. The ongoing conflict between Israel and Hamas has provided anti-Israel cyber groups with further motivation to carry out operations.
Israeli state agencies also seem motivated to use online surveillance to control information and limit dissent. The government is facing growing domestic political and public opposition to the conflict. Hundreds of protesters have been gathering most days in Tel Aviv to demand a pause on the conflict with the aim of freeing those held captive by Hamas. The government appears to be responding by tightening its digital surveillance. Our cyber threat exposure level is severe and personal cyber risk level is high.
Pro-Hamas actors targeting devices in Israel
There will probably continue to be a heightened cyber risk to individuals in Israel from Hamas and Hamas-aligned actors over the coming weeks. These groups seem to be sending threatening messages to individual citizens with the aim of creating panic. The Israeli cybersecurity agency has issued several alerts advising of threats to devices from pro-Hamas groups in recent weeks. These have included phishing attempts, and threatening calls or messages. And there have been reported attempts by Hamas to use fake profiles to gather information on soldiers.
Expanding state digital surveillance
The authorities in Israel are also likely to step up their efforts to surveil social media platforms in the coming weeks. They seem to be trying to control the narrative around the conflict and limit public opposition to their military operation in Gaza. The government said on 6 November that ‘the digital space is another front in the war’ especially when ‘the enemies are using it for intimidation, trolling or conveying anti-Zionist messages’. On 20 October the government approved regulations to temporarily shut down foreign news channels and has attempted to ban access to a pro-Hezbollah news outlet.
Israel also appears to be using its sophisticated digital surveillance tools to support its war efforts. In a sign of this, Israel-based spyware companies have assisted the government in tracking the phones of missing individuals, including those held captive by Hamas. And they have recently strengthened the abilities of the security forces to access private security camera footage in the interests of national security. But we have not seen signs that they are deploying these spyware tools within Israel so far.
The authorities will probably prioritise monitoring people or organisations that they view as promoting anti-Israel or pro-Hamas messages. They have arrested multiple individuals for posting pro-Hamas content online in recent weeks. In our assessment, sensitive sectors such as media and civil society are more exposed to these risks. There is a precedent of the authorities detaining Palestinian NGO workers; they prevented a Palestinian-American NGO director from travelling to Jordan in 2022. But the risks to most foreigners will probably remain lower.
Severe cyber threat exposure to organisations
The ongoing conflict is very likely sustaining the already-high motivation of Iranian state-backed actors to disrupt Israeli critical infrastructure and civilian-facing services. We continue to assess that Iran will probably seek to disrupt such infrastructure to diminish public confidence in the Israeli government or weaken Israeli military operations. And pro-Palestine hacktivist groups have participated in frequent DDoS campaigns against organisations in Israel since the hours after Hamas began its incursion on 7 October. This appears to be with the intent to cause temporary disruption, as well as to spread pro-Palestine messages and gain attention.
Iran will probably intensify its efforts to conduct disruptive operations in the coming weeks. Microsoft said on 9 November that Iran’s operations since Hamas’ 7 October attack have been largely reactive. Based on this, and our understanding of Iran’s motivations, it is likely to conduct more operations as the conflict continues. In a sign that this is already happening, the Israeli cyber authority warned on 12 November of ‘an Iranian attack group’ deploying data-wiping malware against Israeli organisations.
Iranian operations would be the most disruptive. Iran has previously caused disruption to Israeli critical infrastructure entities. By contrast, the capabilities of most hacktivist groups will probably remain limited. Such groups usually only cause a few hours of website downtime from DDoS attacks or website defacement at most. Several groups have also claimed to have conducted hack-and-leaks or disrupted industrial control systems in recent weeks, but much of this appears exaggerated and we have not been able to verify their claims.
Businesses operating in Israel are likely to continue to face a heightened number of hostile cyber operations in the coming weeks. The cybersecurity firm Check Point said on 18 October that cyber operations against targets in Israel had increased by 18% from the first few days of the war. They said that groups had claimed ‘around 400 attacks’ in total. Based on their targeting so far, media, defence, telecoms and utility organisations are the most likely targets. And based on the frequency of their campaigns, the most probable perpetrators of such operations will continue to be hacktivist groups.
Israeli cyber resilience continues
Despite this negative trend, we assess that Israel has a high level of resilience and ability to prevent disruptive cyber operations against its infrastructure. Our national cyber resilience risk rating for Israel is low. In a sign that this resilience remains, including among organisations there, Check Point said on 6 November that it had detected and prevented an Iran-linked group from successfully deploying data-wiping malware against Israeli organisations between January and October.
Image: An antenna of a communications tower that relays phone and internet signals is pictured in Rafah, in the southern Gaza Strip on 28 October 2023, amid the ongoing battles between Israel and Hamas. Photo by Mohammed Abed/AFP via Getty Images.