Worldwide Hacktivists Take Sides Over Gaza, With Little to Show for It

Against the backdrop of the war in Gaza, hacktivists across the globe are announcing industrial-grade cyberattacks in support of either Palestine or Israel, though little evidence backs up most of the stories.

In scouring online forums, researchers from SecurityScorecard have observed hackers from the Middle East, Asia, and Europe all asserting breaches of Israeli organizations or, sometimes, similar organizations in countries aligned with the Palestinian cause, such as Iran.

But in a closer inspection of Israel's industrial sector, the analysts were unable to find compelling evidence to support any such attacks.

"There's a lot of supposedly breached data circling around Telegram, for example," says Rob Ames, staff threat researcher at SecurityScorecard, "but most of that is either from old breaches, or it's publicly available information which would take a very broad definition of PII to actually seem to be as sensitive as the threat actors are claiming."

Hacktivists' Shouts of Victory

Beyond Israel's neighbors, hacktivist operations in Muslim-majority countries such as Indonesia and Malaysia have added to the online hubbub.

Some have claimed standard data breaches:

Source: SecurityScorecard

Others have gone a step further, posting human machine interface (HMI) visualizations to demonstrate access to industrial infrastructure sites:

Source: SecurityScorecard

Such cases have popped up around the world in the month since the first attack on Oct. 7. "Early on in the conflict, it was Russian or Russian-backed groups that were making the loudest claims with distributed denial-of-service (DDoS) attacks — KillNet, Anonymous Sudan — and I noticed Hamas channels reposting videos from Iraqi Shia groups," Ames recalls.

"And then on the pro-Israel side, we've seen Indian and Ukrainian activist groups start to go after targets like Iran," he adds.

For one case study, consider the so-called "Soldiers of Solomon." The religiously inspired threat actor has spoken of taking down an Israeli power station, stealing over 25TB of data from an IDF military installation, and disrupting production at a flour plant in Haifa.

Dark Reading has not been able to independently confirm any Soldier of Solomon attacks, but some of them have been picked up by Western media outlets, including FalconFeeds and SecurityWeek.

Is Any of It Legit?

Inspired by one purported compromise to water treatment — one of the most sensitive cyber sectors imaginable — SecurityScorecard recently analyzed 402,354 individual traffic flows to and from 36 Israeli IP addresses associated with the sector, during the period in which hackers, ƬΉΣ ᑕYBΣЯ ЩΛƬᑕΉΣЯƧ and STUCX TEAM, claimed victory.

Of those 400,000-plus flows, 5,670 involved IP addresses using virtual private networks (VPNs) and other proxy software, or the Tor Onion router, popular tools for malicious actors. Still, the researchers have noted, the traffic did not offer clear evidence of the claimed compromise.

To broaden the picture, the researchers scanned for Internet-exposed devices at the relevant plants, finding none that weren't at the very least protected by a firewall. They also scanned for logins using compromised credentials, finding only one case from a Gmail address which, they wrote, "may suggest that the credentials correspond to a customer account or provide access to an otherwise external-facing resource."

This is why even though "there have been plenty of claims, I haven't yet seen any of them that I would say are confirmed," Ames concludes.

Just in case one of these stories isn't an exaggeration, though, he recommends a number of protective steps critical organizations can take against hacktivist-level actors, including standard DDoS protections and firewalls that keep Internet users from breaching operational systems.

"That's something fairly basic that you want to do, because it puts one more barrier between threat actors and your SCADA systems or, even more broadly, your databases and remote desktops," he explains. "Because if our fairly noninvasive Internet scans can observe an ICS device then, definitely, other malicious scans are seeing the same things."