
Debate Roils Over Extent of Nation-State Cyber Involvement in Gaza

Are hacktivists under the control of nation-states, or are they just independent contractors acting on their behalf?


Cyberattack activity in the Israel-Hamas war has shown a decided lack of sophistication, but researchers warn that nation-state attackers are more involved than originally thought.

So far, attackers involved in the cyber-component of the conflict have largely fallen into the lower-skilled "hacktivist" category, putting out false claims about supposed critical infrastructure disruptions and mounting minor compromises.

That's in stark contrast to state-sponsored advanced persistent threat (APT) attacks, which have the potential to disrupt economies, compromise national security, and manipulate geopolitical dynamics.

The Hacktivist Element

After the Oct. 7 attacks, hacktivist groups declared their intentions to launch disruptive attacks against Israel, Palestine, and their supporters. Hacktivists typically do not have a large arsenal of advanced tactics and are more reliant on small-scale efforts, typically employing disruptive distributed denial-of-service attacks to promote a political agenda or idea.

However, according to Microsoft's Threat Intelligence Center, APT activity related to the conflict is likely to increase, and organizations need to be prepared. "Iranian operators will move from a reactive posture to more proactive activities the longer the current war plays out," said Microsoft in a report issued in early November.

Hacktivists in the Hands of Nations

As the conflict enters its third month, political and technology observers are wondering if this is the stage where nation-state actors take a more central role in the conflict.

Adam Meyers, senior vice president of Counter Adversary Operations at CrowdStrike, says nation-state actors are already involved. He points to successful attacks, including on a water treatment plant, as evidence that actions initially attributed to a hacktivist group are those of a nation-state.

Technology from an Israeli-owned company was used at the water treatment plant, which was attacked by the Cyber Avengers group, an Iranian threat actor.

CrowdStrike intelligence suggests that the Cyber Avengers attackers are actually part of the Islamic Revolutionary Guard Corps (IRGC), with Iran using it as a "faketivist" persona — an attack group made to look like hacktivists, but actually threat actors directly associated with a nation-state.

Faketivist groups are created by nation-state actors for deniability, Meyers says, with these fake actors able to conduct intrusions and disruptions, but without any direct attribution to the nation-state.

Meyers points out how an attack on a New York dam that came to light in 2015 highlights a persistent focus on industrial control security. "They have been more focused on operational technology, probably more so than the average threat actor," he says.

A Show of Strength?

The National Security Agency's cyber director, Rob Joyce, specifically named hacktivists as a main threat in the cyber element of the Gaza conflict at an event last month. But even he admits it "can be difficult to tell if the groups are independent or backed by actual nation-states."

Other researchers agree with the faketivist concept. John Gallagher, vice president of Viakoo Labs, says the preferred approach for how nations are involved in attacks seems to be "working through proxies for any direct cyberattacks," allowing the nation-state combatant to be less directly involved and avoid attribution.

Ben Read, head of cyber espionage analysis at Mandiant Google Cloud, says that while disruptive attacks have been conducted by state-backed groups, they've been publicized through "hacktivist" personas "to maximize the psychological impact."

Nation-states may be conducting two types of operation, one that uses faketivist groups to conduct attacks and another for espionage, while avoiding attribution for both. Read says cyber espionage has been primarily conducted to gain insight into decision-making and help the sponsoring governments make decisions, presumably as to who and where they attack next.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years' experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
