Pro-Iranian Hacktivists Set Sights on Israeli Industrial Control Systems

The hacktivist group SiegedSec has claimed responsibility for a series of attacks against Israeli infrastructure and industrial control systems (ICS), but there is no indication that the listed IP addresses have experienced any attacks.

The hacking group put together a list of what it claims are its Israeli ICS targets, which was recently uncovered by SecurityScorecard's Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team. An image of the list — found via analysis of various dark Web groups — shows a series of IP addresses with the claim "we have unleashed mass attacks on Israeli infrastructure."

Who Made the List

According to a new report from STRIKE, SiegedSec claims it conducted a series of denial of service (DoS) attacks against a number of ICS devices and other Israeli infrastructure with the support of the pro-Iranian hacktivist group Anonymous Sudan. The purported targets included: global navigational satellite system receivers, building automation and control networks, and Modbus ICS — a communication protocol for communication between industrial electronic devices.

However, a sample of NetFlow data seen by SecurityScorecard does not indicate that the listed IP addresses had experienced volumes of traffic consistent with a DoS attack.

"In the absence of reported disruptions to Israeli infrastructure, the available NetFlow sample appears to support assessments that SiegedSec's attacks were either unsuccessful or have not yet begun in earnest," the report said.

Other researchers' assessments also determined that these attempts were likely to have been unsuccessful, and to conduct a DoS against these targets may be outside the attacker's capability.

That said, rather than just being a list of targets the SiegedSec planned to hit, Robert Ames, staff threat researcher at SecurityScorecard, says the document could be a "call to action" to other attackers who could potentially take advantage of the target identification.

He says: "This seems particularly likely given they also mentioned collaborating with Anonymous Sudan in the same post where they listed their targets. Groups like Anonymous Sudan and KillNet have, in the past, used their Telegram channels to name specific targets in hopes of enlisting further support from their channels' followers."

Ames adds, "SiegedSec is, in certain respects, comparable to Anonymous Sudan: Neither appears to possess the same sophistication or capabilities as a nation-state-backed advanced persistent threat group, but both appear to be motivated by publicity."

Who Are SiegedSec?

The SiegedSec group appeared shortly after the Russian invasion of Ukraine in 2022, and has conducted a series of attacks around that conflict, including an alleged data theft on the NATO Communities of Interest Cooperation Portal in July, followed by a second attack on multiple NATO portals earlier this month.

The group was also reportedly behind the attack on Atlassian in February, where a third-party app was breached, compromising employee data and floor plans of Atlassian offices located in San Francisco and Sydney, Australia.

To avoid compromise from this or any other attacker, SecurityScorecard recommended that organizations review the business necessity of exposing ICS devices to the wider Internet and place them behind a VPN or firewall when possible. Also, organizations should consider restricting access to ICS devices by adding dependent IPs to an allow list. 

The firm also recommended blocking the listed IPs in SecurityScorecard's KillNet Bot Blocklist, putting in DDoS mitigations, and configuring DNS resolvers and proxy servers to only accept requests from internal IP addresses and authorized users.

A Week of Attack Claims

At the start of last week, the US National Security Agency's director of cybersecurity Rob Joyce said US intelligence had not observed evidence indicating there had been any significant cyberattacks so far in the Israeli-Hamas conflict.

Yet a number of claims of attacks were made at the start of last week, with Anonymous Sudan naming the Israeli government in online discussions as a main target, and the AnonGhost hacktivist group said it had managed to breach the "RedAlert" airstrike warning app to send messages.

Also, information operations entered the discussion last week when pro-Iranian and pro-Chinese groups were detected as being involved in anti-Israel propaganda campaigns.