Operation “Protective Edge” is still developing and – as always in our modern times – alongside the physical hostilities, we are experiencing a cyber-oriented conflict. This trend of a network-based conflict alongside an armed conflict can be traced back to the 2nd Lebanon War – the first time that such a complete connection between the two was recorded.
However, the first time I personally experienced this was during Operation “Cast Lead” in 2009. In this blog, I would like to try and map the changes that have occurred in the threat landscape in terms of motivation, organization and attack vectors.
2009 was a completely different world compared to the world of today, especially when you consider the changes in the world of hacktivism. To quickly sum up, during Operation “Cast Lead”, we mainly saw two types of attacks against the Israeli infrastructure: DDoS and defacements. Moreover, the groups behind the attacks were mostly isolated in strategic terms, launched by Arab groups, and usually amateurish in nature. This was evident in some messages provided by the attackers, the content of which was on the same level as that which you would expect from a hacker group (“We are l33t”, “We killed your server”, “Die Israel”, “Kudos to my friends”, etc). The closest event in that operation that resembled psychological warfare was one case where the website of the Hillel-Yaffe Hospital was defaced and pictures of mutilated Israeli soldier bodies were posted on the site.
Unlike Operation “Cast Lead”, the events around Operation “Protective Edge” seem much more coordinated and include a lot of different attack varieties, including high level DDoS attacks (up to tens of GB/sec), satellite hijacking, SMS spoofing, RAT-oriented phishing, defacements, data dumps from sites, home router HTTP hijacking and elements of psychological warfare on social networks. The thing is, all of the activities seem to have the same “message sheet”, as if the same PR company were charged with explaining most of the attacks, even if the attacks were not perpetrated by the same group. So when there was an indication of an abducted Israeli soldier, the attackers employed images they acquired from Hamas in defacements, HTTP hijacking and on social networks. Another example is the DDoS attacks, which are much more coordinated and include a smaller list of targets than usual – typically government websites and the Israeli Internet infrastructure.
From my perspective, the differences between Operation “Cast Lead” and Operation “Protective Edge” can be explained by several factors:
1.) Technological advancement – like the rest of the world, Middle East-based hacktivist groups are constantly searching for new technology and attack vectors, and we can see a definitive advancement in line with the rest of the world, be it in the use of RATs or reflected in DDoS attacks.
2.) Sharing – in 2009, most of the hacktivist groups were isolated, and often at odds with each other. In 2014, under the umbrella of the Anonymous brand, and the acceptance of social networks as a viable means of communication (Facebook, Twitter), they are standing together against their target. Not all the anti-Israel groups band together, but more often than not, it is no longer one hacktivist group against one target.
3.) Guidance – I think that the recent events in Operation “Protective Edge” have made it clear that hacktivist groups are part of Hamas’ arsenal in this campaign, more specifically, part of their psychological warfare strategy. It may be indirect, but they are definitely wielding some influence by launching cyberattacks against Israel.
To summarize, over five years, the hacktivist threat, as embodied in different #ops, has grown exponentially. It is going to be very interesting to see how this is will affect future clashes.
By Assaf Keren | @assafke
Bio: Assaf is SenseCy‘s CTO, in charge of rolling out a new Cyber Intelligence Product. Prior to joining SenseCy, he held the post of Security Director with Israel e-Government. During his time there, he was responsible for protecting Israel’s government network, known to be one of the world’s most attacked systems. He was responsible for a range of security issues, from application security, infrastructure security, methodologies, incident response and research. Since then, he he has served as a strategic consultant for large enterprises and organizations seeking to efficiently secure their complex network environments. Finally, after the acquisition of CyberVision by Verint, he acted as the Head of Product Management for Verint’s new Cyber Security unit.
