
Israel-Palestine Conflict and Looming Threat on Critical Infra

Fallacies & Propaganda Shaping Perceptions

The Israel-Palestine tensions flared once again in 2023, escalating into a full-scale armed conflict. Israel and Palestine have been at loggerheads since the early 20th century, with major escalations since 2008. The 2014 conflict had until now been the deadliest of these rounds, but early analysis of the 2023 conflict points to an even higher casualty count.

As expected from the pattern observed since 2012, the war in Gaza has also attracted a wave of reprisal cyberattacks from hacktivists and threat actors (TAs). Cyberattacks have become a routine complement to kinetic operations in modern warfare, a trend visible even before the outset of the Russia-Ukraine conflict in early 2022.

Cyble Research & Intelligence Labs (CRIL) has been curating intelligence amid the fog of cyberattacks by hacktivists and other threat actors to capture notable developments in the cyber theatre. We have observed several hacktivist groups and threat actors using a range of malicious techniques to exploit weaknesses in vital infrastructure and disrupt its functioning.

Attacks on critical infrastructure have traditionally been the domain of state-backed actors and ransomware groups. The dynamics of the Russia-Ukraine and Israel-Palestine conflicts, however, have brought hacktivist groups into that threat scope as well, adding to the worries of nations and of the businesses that make up their critical infrastructure.

This raises the question of how technological advances, ideological differences and destructive zeal have enabled hacktivists to take the leap from cyber activism to cyber terrorism.

Cyber Av3ngers

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructure. Possibly of Iranian origin, the group has been launching DDoS attacks and claiming breaches of Israeli networks, backed by data leaks.

The group carried out multiple attacks on Israeli critical infrastructure from September 13 to September 17, 2023, then paused, resuming on September 30 with remarks suggesting it had conducted reconnaissance of certain Israeli network infrastructure. On October 5 the group announced the time of its next attack as 6 PM (GMT+3) on October 6, i.e. 6 PM local time in Israel. It launched that attack on October 6, roughly 12 hours before Hamas fired rockets at Israel at about 6 AM IDT on October 7.

Figure 1: Cyber Av3ngers Hacktivist group plot attacks on Israeli Infrastructure

October 6, 2023

The group claimed to have targeted Noga Company and to be responsible for power outages. It also claims to be behind power outages in certain areas of Israel since 2020 and has shared multiple news articles as supporting evidence.

The group further posted screenshots indicating a DDoS attack on Noga, along with images of RSLogix 500 Pro, Rockwell’s software for designing and implementing ladder-logic programs for Programmable Logic Controllers (PLCs). However, none of the PLC screenshots show anything tying the software to Noga’s systems; they demonstrate familiarity with the tooling, not an intrusion.

Figure 2: Cyber Av3ngers claims of attacking Noga Electric Company

October 10, 2023

The group claimed to have hacked MEKOROT, Israel’s national water company, and shared a video as proof purporting to show access to a MEKOROT CCTV feed. On the same day, the group shared a screenshot of a script that enumerated internet-facing Industrial Control System devices such as programmable logic controllers, SCADA software and Hikvision cameras, as shown below.

Figure 3: Cyber Av3ngers claims attacking MEKOROT

The IP address visible in the screenshot is shown with its RDP port (see figure). Cyble’s proprietary attack surface discovery tool ODIN confirms that this IP has RDP exposed to the internet, as shown in the figure below.

Figure 4: ODIN observes exposed RDP port on targeted IP

It is also noteworthy that the Government of Israel subsequently released an alert titled “Remote access, management and control interfaces exposed to the Internet”.

October 14, 2023

The group claimed to have hacked ORPAK Systems, an Israeli provider of fuel fleet and retail management solutions. The screenshot of the claim suggests the group reached “SiteOmat”, the forecourt controller software developed by Orpak Systems. The group further shared leaked data on a prominent cybercrime forum, as shown in the figure below.

Figure 5: Cyber Av3ngers compromised and leaked data of ORPAK  Systems

October 17, 2023

The group claimed to have compromised Nahariyya’s regional electricity distribution center and the Yavne electricity infrastructure, and shared a video as evidence for the claim, as shown in the figure below.

GhostSec

GhostSec, known for its pro-Ukraine stance in the Russia-Ukraine conflict, was quick to seize on the Israel-Palestine conflict, siding with Palestine and launching attacks on Israeli vital installations.

Incidentally, the pro-Russian groups Killnet and Anonymous Sudan and the pro-Ukraine groups GhostSec and SiegedSec, despite their differing ideologies, have displayed a common anti-Israel sentiment by mounting cyberattacks on Israeli infrastructure.

The group shared a screenshot of Aegis 2 controller interfaces and claimed to have targeted 27 Aegis 2 controllers along with Unitronics devices in Israel on October 14, 2023. Aegis controllers are used in applications including cooling systems, boilers and wastewater treatment.

The same device types were in the line of fire during the “Al-Aqsa Mosque Incident” covered by CRIL in April 2023. Recently, we have observed over 50 Aegis controllers and 20 Unitronics devices still exposed to the internet in Israel. Exposure here means that the device’s management interface is reachable from the internet, which is the precondition these groups rely on; it is not confirmation that any particular device was compromised.

Figure 7: Aegis 2 controller Interface shared by GhostSec on Telegram

Haghjoyan

A newly emerged hacktivist group calling itself ‘Haghjoyan’, or the Peace Seekers, with a profile photo resembling the emblem of Iran’s judiciary, began its activities on a Telegram channel on October 7.

October 8

The group, which claims to be Iranian, in its very first attack on October 8 claimed to have hit the Israeli Red Alert emergency response system.

Figure 8: The hacktivist’s claim to target the Red Alert Emergency Response System of Israel

October 13

Subsequently, the group claimed attacks on several VNC systems allegedly controlling Israeli water pumps, electricity distribution units and gas stations. Remote access to Industrial Control Systems over VNC reachable from the internet should be treated as one of the major security loopholes that hacktivist groups can exploit in war-like situations such as the current conflict: VNC carries no transport encryption by default and is frequently deployed with a weak password or with no authentication at all. CRIL has previously published a detailed blog on this topic.
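The exposed RDP port that ODIN found on the Cyber Av3ngers target earlier (Figure 4) and the VNC-fronted ICS claims here come down to the same triage question: which internet-facing services on an asset list are remote-management or ICS interfaces, and do they require authentication at all? The Python script below is an added example written for this article; it is not Cyble’s ODIN tool and not code from any of the groups discussed. The inventory rows, the IP addresses (from the TEST-NET-3 documentation range), the port-to-protocol table and the captured RFB handshake bytes are all constructed for illustration. It goes a step beyond the passage by parsing the VNC (RFB) server greeting to detect security type 1 (“None”), i.e. a server that accepts connections with no password.

```python
"""Triage of internet-exposed remote-access and ICS interfaces.

Added example written for this article; it is not Cyble's ODIN tool and
not code from any of the groups discussed.  Input is a constructed
inventory of (ip, port, banner) rows of the kind an attack-surface scan
produces; output is the subset a hacktivist would go after first.  For
VNC rows the bytes the server sent during the RFB handshake are parsed to
spot servers offering security type 1 ("None"), i.e. no authentication.
"""
import struct

# Ports of management / ICS protocols that should not face the internet.
# Port numbers are the protocols' well-known defaults; the ATG and
# Unitronics entries are included because both device classes appear in
# the report.
EXPOSED_SERVICES = {
    23: "Telnet",
    502: "Modbus/TCP",
    3389: "RDP",
    5900: "VNC",
    5901: "VNC",
    10001: "ATG serial-over-TCP",
    20256: "Unitronics PCOM",
    47808: "BACnet/IP",
}

# RFB security types defined in the RFB protocol specification
RFB_NONE = 1          # no authentication at all
RFB_VNC_AUTH = 2      # classic DES challenge/response on the password


def parse_rfb_security_types(server_bytes: bytes) -> dict:
    """Parse the server-to-client bytes of the RFB handshake.

    Layout: 12-byte version string "RFB xxx.yyy\\n", then (for 3.7/3.8)
    one byte with the number of security types followed by that many type
    bytes, or (for 3.3) a single 4-byte big-endian security type.
    Raises ValueError on anything that is not a complete RFB greeting.
    """
    if len(server_bytes) < 12 or not server_bytes.startswith(b"RFB "):
        raise ValueError("not an RFB server greeting")
    version = server_bytes[4:11].decode("ascii")
    if version == "003.003":
        if len(server_bytes) < 16:
            raise ValueError("RFB 3.3 security type truncated")
        (sectype,) = struct.unpack(">I", server_bytes[12:16])
        types = [sectype]
    else:
        if len(server_bytes) < 13:
            raise ValueError("handshake truncated before security-type count")
        count = server_bytes[12]
        types = list(server_bytes[13:13 + count])
        if len(types) != count:
            raise ValueError("handshake truncated inside security-type list")
    return {"version": version, "types": types, "no_auth": RFB_NONE in types}


def triage_inventory(rows) -> list:
    """Return one finding string per exposed management/ICS interface."""
    findings = []
    for ip, port, banner in rows:
        proto = EXPOSED_SERVICES.get(port)
        if proto is None:
            continue                      # ordinary web/mail/etc. port, out of scope here
        note = f"{ip}:{port} {proto} exposed"
        if proto == "VNC":
            try:
                rfb = parse_rfb_security_types(banner)
                if rfb["no_auth"]:
                    note += " WITHOUT authentication (RFB security type None)"
                else:
                    note += f" (RFB {rfb['version']}, security types {rfb['types']})"
            except ValueError as err:
                note += f" (handshake not parsed: {err})"
        findings.append(note)
    return findings


# Constructed inventory; IPs are from the TEST-NET-3 documentation range.
INVENTORY = [
    ("203.0.113.10", 443, b"HTTP/1.1 200 OK"),
    ("203.0.113.11", 3389, b""),
    ("203.0.113.12", 5900, b"RFB 003.008\n\x01\x01"),        # offers only "None"
    ("203.0.113.13", 5900, b"RFB 003.008\n\x02\x02\x13"),    # VNC auth + VeNCrypt (19)
    ("203.0.113.14", 502, b""),
    ("203.0.113.15", 10001, b""),
]


if __name__ == "__main__":
    for line in triage_inventory(INVENTORY):
        print(line)
```

Run as a script it prints one line per exposed interface; the VNC host offering only security type None is the one to escalate first, since anyone who can reach TCP 5900 has the console.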

The hacktivists also claimed to have infected over 5,000 Israeli computers with malware and to have exfiltrated over 2 TB of data, which they subsequently leaked. The screenshots shared on their Telegram post indicate that the malware was distributed as ‘Frost Mod FIFA 19 ver 1.0.6.0 (Beta 4)’, i.e. a trojan disguised as a game mod.

Figure 9: Haghjoyan claims to attack VNC controllers and Israeli computers with malware

October 15

The group claimed to have targeted 4,150 cameras and DVRs, primarily Hikvision devices, with screenshots exposing their IP addresses and images from the compromised cameras.

Figure 10- List of camera IPs shared by Haghjoyan

BlackSec

The BlackSec hacktivist group, AKA BlackSecurity, also joined the anti-Israel campaign in coordination with GhostSec. On October 18, 2023, the group stated on its Telegram channel: “As of now, we are joining the war. We are pro-Palestine, hopefully, we do a lot of damage to Israel. We are not going to be neutral when it comes to this war.”

The group claimed to have launched a mass attack on “Israeli Modbus Systems” and to have crashed over 100 systems. The claim is plausible in principle: Modbus/TCP has no authentication, so any device reachable on TCP port 502 will act on write or diagnostic commands from any source, and malformed traffic can hang fragile implementations. A screenshot alone, however, does not establish which devices, if any, actually went offline.

Figure 11- Mass attack on Modbus devices by BlackSecurity

AnonGhost

The hacktivist group AnonGhost Official claimed to have hacked the Red Alert national emergency phone application on October 8, 2023, and to have pushed multiple false alerts to its users, including a bogus nuclear bomb warning. The group claimed to have targeted some 10,000 to 20,000 users to spread panic among the public.

The group also shared a Proof of Concept (PoC) for exploiting the Red Alert system to target users’ phones, claiming that the exploit would disconnect a user’s mobile from the internet and ultimately render it useless.

The hacktivist group has claimed to have targeted the emergency system several times since then.

Figure 12: AnonGhost claims to disrupt the Red Alert System

DragonForce Malaysia

DragonForce Malaysia has participated in several campaigns targeting Israel and displays a pro-Islamic ideology. Although the group posted its support for Palestine in its Telegram group in the early days of the OpIsrael campaign launched by pro-Palestine hacktivists on October 7-8, 2023, it began aggressively targeting Israeli websites only at a much later stage: from October 13, 2023, to date it has claimed numerous Israeli websites under its campaign OpsBadai.

On October 14, 2023, the group claimed to have targeted “Israhell Gas Stations”. Analyzing the screenshots shared by the group, CRIL researchers believe the targeted devices are likely Automatic Tank Gauges (ATGs). These devices are used at gas stations to monitor fuel levels, track deliveries and raise alarms, and many ATG consoles expose a serial-over-TCP command interface that, when reachable from the internet, answers inventory and configuration commands without any authentication.

Figure 13: Compromised Automatic Tank Gauges

Anonymous Sudan & SiegedSec Collaboration

Hacktivist groups Anonymous Sudan and SiegedSec were observed collaborating on October 10 to target Israeli Global Navigation Satellite System (GNSS) receivers, Building Automation and Control Network (BACnet) devices and Modbus industrial control systems. The collaboration is unexpected given the two groups’ otherwise separate activities in the hacktivism space, but it shows how pro-Islamic and anti-Israel motives can unite otherwise unrelated actors.
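BlackSecurity’s claim of crashing over 100 Modbus systems above and the Modbus targeting described in this section rest on the same weakness: Modbus/TCP has no authentication, so a reachable device executes whatever function code arrives. The Python script below is an added example written for this article, not code from any group or from Cyble, showing what a defender can pull out of Modbus/TCP frames captured in front of a PLC: write function codes from hosts outside an engineering-station allowlist, the diagnostics “restart communications” sub-function, device-identification reconnaissance, and malformed frames of the kind a crash attempt produces. The sample frames, the allowlist addresses and the source IPs are constructed for illustration.

```python
"""Modbus/TCP frame triage (added example written for this article; not
code from Cyble or from any of the groups discussed).

Given (source IP, raw TCP payload) pairs captured at a tap in front of a
PLC, parse the MBAP header and PDU and flag the traffic a hacktivist
"mass attack" on exposed Modbus devices would generate: writes, device
identification recon, the diagnostics sub-function that restarts the
controller's communications, and malformed frames.  The allowlist and
the sample frames are constructed for this example.
"""
import struct

# Function codes that change state on the device (coil/register/file writes)
WRITE_FUNCS = {5, 6, 15, 16, 21, 22, 23}
DIAGNOSTICS = 8          # sub-function 0x0001 = "Restart Communications Option"
REPORT_SERVER_ID = 17
READ_DEVICE_ID = 43      # MEI transport; sub-code 14 returns vendor/product strings

# Hosts allowed to write: engineering workstation and HMI (assumed addresses)
ALLOWED_WRITERS = {"10.0.5.10", "10.0.5.11"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse one Modbus/TCP ADU. Raises ValueError on a malformed frame."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # 'length' counts unit id + PDU, so the frame must be exactly 6 + length bytes
    if len(payload) != 6 + length:
        raise ValueError(
            f"length field {length} does not match {len(payload) - 6} bytes present")
    return {"tid": tid, "unit": uid, "func": payload[7], "data": payload[8:]}


def triage(src: str, payload: bytes) -> list:
    """Return human-readable findings for one frame sent by 'src'."""
    findings = []
    try:
        f = parse_modbus_tcp(payload)
    except ValueError as err:
        return [f"{src}: malformed frame ({err})"]
    func = f["func"]
    if func in WRITE_FUNCS and src not in ALLOWED_WRITERS:
        findings.append(f"{src}: write function {func} from non-allowlisted host")
    if func == DIAGNOSTICS and len(f["data"]) >= 2:
        sub = struct.unpack(">H", f["data"][:2])[0]
        if sub == 1:
            findings.append(f"{src}: diagnostics restart-communications (device reset)")
    if func in (REPORT_SERVER_ID, READ_DEVICE_ID):
        findings.append(f"{src}: device identification request (recon)")
    return findings


def build_adu(tid: int, unit: int, func: int, data: bytes, pid: int = 0) -> bytes:
    """Build a Modbus/TCP ADU; 'pid' can be set wrong to simulate malformed traffic."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, pid, len(pdu) + 1, unit) + pdu


# Constructed sample traffic; 203.0.113.7 is a TEST-NET-3 documentation address
SAMPLE = [
    ("10.0.5.10", build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),                 # HMI polling registers
    ("203.0.113.7", build_adu(2, 1, 43, bytes([14, 1, 0]))),                      # read device identification
    ("203.0.113.7", build_adu(3, 1, 6, struct.pack(">HH", 0x0001, 0x0000))),      # write single register
    ("203.0.113.7", build_adu(4, 1, 8, struct.pack(">HH", 1, 0))),                # restart communications
    ("203.0.113.7", build_adu(5, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00", pid=7)),  # bad protocol id
    ("203.0.113.7", b"\x00\x06\x00\x00\x00\x40\x01\x03"),                          # length field lies
]


def run(sample=SAMPLE) -> list:
    """Triage every frame in 'sample' and return all findings in order."""
    out = []
    for src, raw in sample:
        out.extend(triage(src, raw))
    return out


if __name__ == "__main__":
    for line in run():
        print(line)
```

The benign HMI poll produces no finding; everything from the external address does. In production the same logic belongs in a passive sensor on a SPAN port, since the PLC itself cannot tell an engineer’s write from an attacker’s.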

Anonymous Sudan has also adopted the tactic of targeting nations that show support for Israel in the Gaza conflict. On October 14, 2023, the group targeted the Kenyan Railway ticketing system.

Figure 14: Anonymous Sudan & SiegedSec collaborate to target Israeli Industrial Control Systems

Soldiers Of Solomon

This hacktivist group recently emerged as a pro-Palestine actor running operations against Israeli networks. On October 18, 2023, the group claimed to have targeted more than 50 servers, including security cameras and city management systems, in the Israeli Nevatim military area, and to have exfiltrated 25 TB of data before infecting these systems with Crucio ransomware. It also posted several screenshots of servers whose IP addresses geolocate to the city of Nazareth; all of this evidence is circumstantial at best, since geolocated IP addresses alone establish neither who owns the systems nor any link to Nevatim.

Figure 15 – Screenshot of Claim made by Soldiers of Solomon

Darkweb & Underground Activities

Amid these cyberattacks and the armed conflict, we also observed the Arvin Club ransomware group, which re-emerged in the ransomware threat landscape in August 2023, claim on October 13, 2023, to have targeted the Iranian energy company Kimia Tadbir Kian Company. The group also dumped the compromised data of the company on its leak site.

Figure 16 – Ransomware group dumped compromised data of Electrical Organisation of Iran

Alongside the hacktivist activity stemming from the Israel-Palestine conflict, CRIL observed a moderate but noticeable trend of data leaks and access sales by threat actors targeting both countries. We observed a data leak pertaining to Palestine’s Ministry of Health and compromised access being sold for the Palestine National Institute of Public Health, while a data leak attributed to Israel’s Ministry of Defense was also advertised on an underground forum.

Figure 17- Data leak of Palestinian Ministry of Health circulating over crime forum
Figure 18 – Threat Actor selling Admin access + server shell of Palestine National Institute of Public Health
Figure 19 – TA selling confidential data of the International Defense Cooperation Directorate of the Israel Ministry of Defense
Figure 20 – TA selling Israel Ministry of Defense Database

Conclusion

The collaboration of various hacktivist groups in launching attacks on critical infrastructure assets is a serious concern for private and public entities. At the same time, the claims made by these groups remain questionable, given the growing misinformation and disinformation campaigns run by foreign entities and the inadequate proof these groups share.

Organizations and individuals must remain vigilant and skeptical of information shared by these groups. Whatever the groups’ own ideological framing of their actions, it is important to verify the authenticity of their claims and the real impact of their attacks, rather than amplifying screenshots of login pages or device interfaces as proof of compromise. The consequences of genuine attacks can be far-reaching, affecting not only the targeted entities but the general public.
