Full Report
## Background

The Curated Intelligence community is a group of analysts from around the world that tracks the latest updates on the threat landscape. The latest situation Curated Intel has been following is the Hamas terrorist attack against Israel on 7 October 2023. The attack has subsequently resulted in thousands of civilian casualties on both sides and has destabilized the region.

As with any modern conflict, cyber activity surrounds it from groups of every kind. The most widely recognised and surface-level type has been hacktivism, because threat actors publicly announce and claim responsibility for attacks. This often takes place on social networking sites such as Telegram and Twitter, among others. There have also been examples of the cybercrime underground exploiting the situation for financial gain, including offering databases of stolen data for sale as well as live access to compromised systems. This is typical behaviour for cybercriminals, but it should not be ignored by defenders in the region.

Regional advanced persistent threat (APT) groups are also expected to be launching campaigns following the incident. It should be noted that reporting on APT group activity often lags behind due to the typically covert nature of their operations, but various well-known groups are almost certainly going to be active during this tumultuous time.

## Hacktivism

The hacktivism surrounding this conflict often dominates media headlines and social media circles because it is public and easy to find. It is difficult, however, to verify or debunk these groups' claims, so spreading their claims can propagate misinformation. By the time hacktivist claims have been debunked, it is often too late, as the lie is almost always more likely to be viewed than the fact check. Examples on Telegram include threat actors posting screenshots of access or lists of IP addresses and claiming that they have hacked them. From these messages alone, it cannot be assumed that they were successful, as time and time again these threat actors have proven to be lying. Ultimately, the goals of these hacktivists are merely to intimidate and cause issues for their targets. The secondary effect is that cybersecurity and intelligence teams have their resources consumed trying to verify whether any of these claims are legitimate, when arguably most of the time these groups are making it up. Some researchers have begun to take the time, in one notable example, to debunk these groups that are known to regularly exaggerate their claims.

The most common types of successful hacktivist attacks observed during the war in Israel have been denial of service (DoS) attacks on websites and mobile applications, as well as website defacements. This is because of the low skill level required for these attacks. They can, however, be proven by showing the site as offline or by showing a site that has been defaced.

In some cases, however, the hacktivists have been able to execute disruptive attacks on Israeli civil services, such as the manipulation of the RedAlert app API, which is used in Israel to warn civilians about incoming Hamas or Hezbollah missile barrages. This incident also reportedly led to the app being removed from the Google Play Store and prohibited from launching.

Palestine has been attacked by pro-Israeli hacktivist groups as well. One key example thus far involves the Palestinian ISP Alfanet, which was targeted by a destructive attack. An adversary known as ThreatSec reportedly breached Alfanet and shut down its servers. Technical details about the incident have not yet been shared.

Various researchers have shared their resources for tracking the Israel-Palestine conflict. These include CyberKnow's CyberTracker, CrowdStrike's Pyramid of Adversaries, and FastFire's GitHub resource of Telegram channels. We recommend using these resources to track adversary activities, which can be done live and on a daily basis.

## Cybercrime Underground

As with any major historical event or catastrophe, cybercriminals will seek to exploit the situation. It is now to be expected that there will always be fake websites scamming those trying to donate to causes, whether for Israel or Palestine. Some cybercriminals on the English-speaking and Russian-speaking forums are attempting to profit from the war by offering stolen databases from Israeli and Palestinian organizations. The stolen data could be weaponized for all sorts of attacks, including phishing, identity theft, and account takeovers, among other types of attacks.

- IDF/Shabak personal data was offered on RAMP (Russian-speaking forum)
- Israeli MoCH data was offered on BreachForums2 (English-speaking forum)
- Palestine Communications data was offered on BreachForums2 (English-speaking forum)

Defenders in the region should also not discount the fact that organized cybercrime groups running ransomware operations may also seek to exploit the situation and attack while resources are strained. One month before the war in Israel began, the RagnarLocker ransomware group attacked Israel's Mayanei Hayeshua hospital. During a time of war, such destructive attacks on hospitals will cause much more significant strain and impact on the targeted victims.

## APT Groups

At the time of writing, there have been few public reports of APT group activity potentially related to the war in Israel. But that does not mean there are not many groups currently launching campaigns. Due to the nature of these APT groups, they are almost certainly going to seek to exploit the situation to conduct intelligence-gathering operations. Usefully, Secureworks publicly shared their database of threat actor profiles in the past and continues to keep it updated. This enables us to search for APT groups that target Israel and begin to predict which APT actors are potentially going to be launching attacks. Examples of APT actors that are likely to be involved in the conflict at some stage could include:

- COBALT AZTEC, an Iranian state-sponsored threat group that operates and distributes DarkBit ransomware in destructive cyber attacks.
- COBALT FOXGLOVE, an Iranian threat group that exploits VPN and network appliance vulnerabilities to gain remote access to targets, usually dropping a web shell shortly after successful exploitation.
- COBALT LYCEUM, an Iranian state-sponsored threat group known for targeting critical infrastructure organizations, such as telecommunications and oil and gas companies, as well as government entities.
- COBALT MIRAGE, an Iranian state-sponsored threat group known for delivering ransomware attacks using BitLocker and DiskCryptor to encrypt systems.
- COBALT SAPLING, an Iranian threat group that uses the Moses Staff persona, styling themselves as a pro-Palestinian hacktivist group with a stated aim of harassing and disrupting businesses and government entities in Israel.
- COBALT SHADOW, an Iranian threat group that uses the BlackShadow persona and has conducted multiple high-profile hack-and-leak attacks against companies in Israel, involving the distribution of personal information.

Other regional APT actors that Curated Intel deems worth tracking and investigating for their TTPs are as follows:

- POLONIUM, a Lebanon-based and Hezbollah-affiliated APT group that launches cyber-espionage campaigns against Israel and likely collaborates with Iranian intelligence services.
- Volatile Cedar, a Lebanon-based and Hezbollah-affiliated APT group that launches cyber-espionage campaigns against Israel and elsewhere.
- Dark Caracal, a state-sponsored APT group attributed to the Lebanese General Security Directorate that launches cyber-espionage campaigns against Israel and elsewhere.
- Molerats, a Gaza-based and Hamas-affiliated APT group that launches cyber-espionage campaigns against Israel.
- AridViper, a Palestine-based APT group that launches cyber-espionage campaigns against Israel.

## Conclusion

The Curated Intelligence community shall continue to track hacktivist, cybercriminal, and APT group activity surrounding the war in Israel. We are fortunate to have a strong network of industry and public sector connections that allow us to send information to where it needs to go. We pray for peace in the region.
Analysis Summary
# Threat Actor: ThreatSec
## Attribution & Identity
Attributed actor involved in hacktivist activity surrounding the Israel-Palestine conflict. Reportedly associated with pro-Israeli hacktivist efforts.
## Activity Summary
ThreatSec reportedly executed a destructive attack against the Palestinian ISP **Alfanet**, breaching their systems and shutting down their servers following the October 7, 2023 events.
## Tactics, Techniques & Procedures
- Destructive attack leading to infrastructure shutdown.
- **Note:** Specific technical TTPs beyond the effect (server shutdown) were not detailed in the provided text.
## Targeting
- Sectors: Internet Service Providers (ISP)
- Geography: Palestine
- Victims: Palestinian ISP **Alfanet**
## Tools & Infrastructure
- *No specific tools, malware, or infrastructure details were provided.*
## Implications
ThreatSec demonstrates the capability and intent to conduct disruptive, destructive attacks against Palestinian critical infrastructure operators (in this case, an ISP) in the context of the ongoing conflict.
## Mitigations
- Organizations in conflict zones should ensure robust backups and contingency plans for potential infrastructure shutdowns.
- Enhance network segmentation and monitoring for signs of unauthorized breaches following disruptive service interruptions.
***
# Threat Actor: Hacktivists (General Category)
## Attribution & Identity
Numerous unverified groups engaging in public-facing cyber activities, often claiming responsibility via social media platforms like Telegram and Twitter. Many claims may be exaggerated or false, consuming security resources during verification efforts.
## Activity Summary
Hacktivists dominate media headlines through public announcements. Successful attacks are generally low-skilled but disruptive, including Denial of Service (DoS) attacks against websites/applications and website defacements. A notable disruptive attack involved manipulating the **RedAlert app API**, used for missile warnings in Israel, reportedly leading to the app's removal from the Play Store. Pro-Israeli groups targeted Palestinian entities (e.g., ThreatSec attacking Alfanet).
## Tactics, Techniques & Procedures
- Denial of Service (DoS) attacks.
- Website defacement.
- API manipulation (e.g., RedAlert app).
- Exaggeration and disinformation via Telegram/Twitter.
## Targeting
- Sectors: Civil Services (emergency warning apps), Websites/Mobile Applications.
- Geography: Israel and Palestine.
- Victims: Civilian warning systems (RedAlert app), various websites/apps.
## Tools & Infrastructure
- *Specific tools were not detailed, but methods rely on broad, accessible techniques like DoS.*
## Implications
Hacktivism consumes significant defensive resources due to the need to constantly verify false or exaggerated claims. While much activity is noise, successful disruptive efforts (like the RedAlert incident) pose a genuine risk to civilian safety and critical civil services.
## Mitigations
- Implement strong API governance and input validation to prevent manipulation of critical service APIs.
- Deploy strong DDoS mitigation services.
- Establish clear internal protocols for responding to and verifying claims made on public forums (Telegram/Twitter) to prevent wasted effort on false positives.
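The last mitigation above, a repeatable protocol for verifying hacktivist claims, is the one that most directly addresses the resource drain the report describes. The following is an added example (not code from Curated Intelligence or from the report) of what such a protocol looks like when written down as triage logic: it pulls the claimed IP addresses and hostnames out of a constructed, hacktivist-style post, then assigns each asset a verdict based only on the defender's own observation (reachability for a DoS claim, a content hash compared against a known-good baseline for a defacement claim). The sample message, the `Evidence` structure, the verdict names and the observations dictionary are all constructed for illustration; the point is that a screenshot in the post never changes a verdict, only an independent probe does, and anything not probed stays "unverified" rather than being repeated as fact.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a hacktivist-style post (not a real message or real targets).
SAMPLE_CLAIM = """
We took down the following targets!!! proof attached
203.0.113.10
203.0.113.10
198.51.100.7:443
www.example.org - DEFACED
status.example.net
version 2.0 release
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_claimed_assets(text: str) -> List[str]:
    """Return the unique IPv4 addresses and hostnames named in a claim message.

    Version-like tokens ("2.0") fail the four-octet regex, anything that is not
    a valid IPv4 address is dropped, and duplicates are collapsed so each asset
    is probed once.
    """
    found: List[str] = []
    for token in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(token)
        except ValueError:
            continue
        if token not in found:
            found.append(token)
    for host in DOMAIN_RE.findall(text):
        host = host.lower()
        if host not in found:
            found.append(host)
    return found


@dataclass
class Evidence:
    """What the defender's own probe observed (constructed values in this example)."""
    http_status: Optional[int]      # None means no response at all
    body_sha256: Optional[str]      # hash of the page actually served, None if no body
    baseline_sha256: Optional[str]  # hash of the known-good page, None if unknown


def assess_claim(claim_type: str, ev: Evidence) -> str:
    """Map one claim type plus an observation to 'corroborated', 'refuted' or 'inconclusive'.

    An observed outage corroborates a DoS claim only in the sense that the site is
    down; it does not establish who caused it, which is why the verdict wording stays
    cautious. Screenshot-only 'access' claims cannot be checked this way at all.
    """
    if claim_type == "dos":
        if ev.http_status is None or ev.http_status >= 500:
            return "corroborated"  # site is genuinely unreachable or erroring
        return "refuted"           # site answered normally
    if claim_type == "defacement":
        if ev.baseline_sha256 is None or ev.body_sha256 is None:
            return "inconclusive"  # nothing to compare against
        return "corroborated" if ev.body_sha256 != ev.baseline_sha256 else "refuted"
    return "inconclusive"


def triage_claim(text: str, claim_type: str,
                 observations: Dict[str, Evidence]) -> Dict[str, str]:
    """Produce a verdict per claimed asset; assets nobody probed stay 'unverified'."""
    verdicts: Dict[str, str] = {}
    for asset in extract_claimed_assets(text):
        ev = observations.get(asset)
        verdicts[asset] = assess_claim(claim_type, ev) if ev is not None else "unverified"
    return verdicts


def _sha(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed probe results: one healthy host, one unreachable host, one page whose
# content no longer matches its baseline. status.example.net was never probed.
OBSERVATIONS: Dict[str, Evidence] = {
    "203.0.113.10": Evidence(200, _sha("normal homepage"), _sha("normal homepage")),
    "198.51.100.7": Evidence(None, None, None),
    "www.example.org": Evidence(200, _sha("replaced page"), _sha("normal homepage")),
}

if __name__ == "__main__":
    for kind in ("dos", "defacement"):
        print(kind, triage_claim(SAMPLE_CLAIM, kind, OBSERVATIONS))
```

Run as a script it prints one verdict map per claim type. In practice the `Evidence` records would be filled by a monitoring probe the organization already trusts, and the "unverified" entries are the ones that should be queued for a probe before anyone repeats the claim internally or externally.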
***
# Threat Actors: Cybercriminals (General Category)
## Attribution & Identity
Individuals and groups operating in English-speaking and Russian-speaking cybercrime forums seeking financial gain associated with the conflict.
## Activity Summary
Exploiting the situation for financial gain, primarily through:
1. Creating fake websites designed to scam users attempting to donate to conflict-related causes.
2. Offering stolen databases from Israeli and Palestinian organizations for sale.
3. Offering live access to compromised systems for sale.
## Tactics, Techniques & Procedures
- Phishing/Scamming (fake donation sites).
- Data exfiltration and sale (stolen databases).
- Initial Access Brokerage (selling compromised system access).
## Targeting
- Sectors: Any organization with data relevant to the conflict parties (Israel/Palestine).
- Geography: Global (buyers/sellers), local entities (victims of data theft).
- Victims: General population attempting to donate, organizations in Israel and Palestine with exploitable data.
## Tools & Infrastructure
- *No specific tools mentioned, but classic cybercrime methods are employed.*
## Implications
The conflict creates a fertile environment for unrelated opportunistic crime. Stolen data from entities in the region can be weaponized for future targeted attacks.
## Mitigations
- Enhance vigilance against look-alike or newly registered donation websites.
- Strict enforcement of access control policies, especially for remote access solutions.
- Prioritize patching and ensuring comprehensive security for systems holding sensitive personal or organizational data.
***
# Threat Actors: Identified Regional APT Groups (By Association/Expectation)
## Attribution & Identity
Several established regional Advanced Persistent Threat (APT) groups, particularly those linked to Iran, Lebanon, and Palestine, are expected to be active capitalizing on the conflict environment, though their specific actions in the immediate aftermath are not detailed in this section of the article.
## Activity Summary
The article notes these groups are *expected* to be launching campaigns, though reporting on their activity often lags. Previous known capabilities include espionage and disruptive attacks.
## Tactics, Techniques & Procedures
Specific TTPs are referenced via associated group profiles:
- **Iran-linked groups (e.g., COBALT MIRAGE, COBALT SAPLING, COBALT SHADOW):** Known for ransomware (BitLocker, DiskCryptor), hack-and-leak campaigns, and leveraging pro-Palestinian personas (Moses Staff) or known personas (BlackShadow).
- **Lebanon/Hezbollah-linked groups (POLONIUM, Volatile Cedar):** Known for cyber-espionage campaigns against Israel, likely collaborating with Iranian intelligence services.
- **Lebanese General Security Directorate (Dark Caracal):** Cyber-espionage.
- **Palestine-based groups (Molerats, AridViper):** Cyber-espionage campaigns against Israel.
## Targeting
- Sectors: Critical Infrastructure (Telecom, Oil/Gas), Government entities, Organizations in Israel.
- Geography: Israel, potentially others depending on the group.
- Victims: Government, Telecoms, Energy sectors, various companies in Israel.
## Tools & Infrastructure
- **Ransomware:** BitLocker, DiskCryptor.
- **Personas:** Moses Staff, BlackShadow.
- **Associations:** Collaboration with Iranian intelligence services (Hezbollah groups).
## Implications
These state-sponsored or state-affiliated actors pose a long-term, covert threat. Their activities are likely espionage-focused but could easily pivot to destructive or disruptive operations leveraging the region's instability.
## Mitigations
- Enhance visibility into network traffic to detect command and control associated with known espionage TTPs.
- Proactively hunt for evidence of ransomware deployment techniques, given COBALT MIRAGE's known use of BitLocker and DiskCryptor to encrypt systems.
- Monitor intelligence related to Iranian-backed threat groups specifically, given their strong linkage to the conflict narrative.