Gaza Conflict Paves Way for Pro-Hamas Information Operations

Researchers are on the lookout for state-sponsored information operations springing from the Israel-Hamas conflict, but so far, no major initiatives have cropped up. Yet that could quickly change as more hacktivists and espionage actors enter the fray.

On a press call held this week, John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said that so far, no "coordinated cyber activity" has been identified, but attacks are expected to increase over time as the situation continues. He called out distributed denial-of-service (DDoS) activity as a possible precursor to other types of political activity, naming Anonymous Sudan in particular as being active.

And meanwhile, he noted, expect disruptive threats begin to ramp up — or at least claims of critical infrastructure hacks.

The Beginning of Influence Operations

Information operations have twin definitions: They can refer to the collection of tactical information about an adversary, and/or the spread of propaganda in pursuit of a competitive advantage over an opponent.

On the latter front, Hultquist said two notable information operations campaigns have been identified so far. The first is related to Iran, which he said is "promoting narratives related to the crisis." In particular, this has involved Iranian posing as Egyptians to stir up historical hostilities in influence campaigns. In previous influence instances, groups have leveraged networks of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests, including anti-Israeli and pro-Palestinian themes.

The messages claim that Israel was humiliated by a small force, and that this exposed the weakness of one of the most advanced military superpowers, and that Israeli soldiers are now afraid of Hamas. Hultquist said these claims have not been validated, and merit "extreme skepticism."

Another information operation campaign being monitored is related to the Dragon Bridge campaign, which was identified last year as supporting the political interests of China. Hultquist said that it was seeing activity from multiple accounts associated with the Dragon Bridge campaign and that this is consistent with how the group follows news cycles and ongoing crises to portray the United States and its allies in a negative light.

In this instance, the accounts are amplifying the stance that the initial attack on Oct. 7 was a failing by the Israeli government, which didn't seem to be aware of the incoming attacks.

Hultquist said: "The silver lining is we haven't had any indication that it's getting major pickup or authentic traction, which is consistent with previous Dragon Bridge campaigns. It's one thing to broadcast these messages and create this content. It's quite another to actually penetrate the consciousness of everyday citizens."

Beyond Influence Campaigns: Next Phase of Attacks

Hultquist said that going forward, more espionage activity is expected, especially from actors related to Iran and Lebanon-based Hezbollah. He also said that he expects to see activity designed to look like financially motivated cybercrime, including extortion-based ransomware deployments where no money is collected, just a threat is made around data exfiltration and leaking.

"We have definitely seen Iranian actors do exactly that in Israel, and that's something that we're sort of anticipating," he said.

Meanwhile, threats and posturing against critical infrastructure will ramp up. Just this week, threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters, while Anonymous Sudan claimed it attacked the Jerusalem Post. However, Hultquist did call out the amount of "dubious information" about the severity of such attacks, and noted that many claims to successfully hit major targets are just another form of influence activity.

"We're seeing threat actors take advantage of a tremendously confusing environment by lying about what they can do and what they've accomplished, or 'almost' accomplished because they recognize that these things are hard to validate by experts," he said. “By making these dubious claims that linger in the open without being validated or invalidated, they can still have the intended effect. We anticipate we'll see a lot of that in the coming days, and it could potentially have adverse psychological effects."