It's cyberwar-o-clock .. or something like that.
As was the case at the beginning of the war in Ukraine a year and a half ago, reports about the possible role of cyberattacks in this conflict emerged relatively quickly shortly after the events that shook Israel on October 7, 2023.
Please note: This post has originally been released on October 19th, 2024. The information contained in it contain my analysis / opinion / comment on events that transpired at said date. Facts might have changed since then. Please bear this in mind while reading it.
Important disclaimer before we start: I have made every effort to focus on the available facts, to emphasize technical information and to remain linguistically neutral. However, I cannot exclude the possibility that I may have slipped in wording that is in some way politically tinged. Where this is the case, it is a personal editing error and not a deliberate expression of opinion.
As was the case at the beginning of the war in Ukraine a year and a half ago, reports about the possible role of cyberattacks in this conflict emerged relatively quickly shortly after the events that shook Israel on October 7, 2023.
In addition to articles by journalists and news portals, social networks were flooded with reports of attacks, alleged leaks of sensitive data and alleged compromises of critical infrastructure.
After several years in this industry, I - and probably most experts - no longer even raise an eyebrow at defacements of websites of all kinds in such situations. Even the countless, mostly short-lived DDoS attacks no longer cause excessive sweating (except for overworked, underpaid system administrators of small companies).
The attackers were apparently aware of this, so rumors were spread about an alleged hack of the Israeli missile defense system “Iron Dome”, which then quickly turned into “attacks against critical points of the Iron Dome”.
Israeli companies were also victims - including entire production companies being hacked - and even critical infrastructure in the form of a power plant was compromised. To top it all off, Israeli energy, telecommunications and defense companies were also targeted by a threat actor attributed to Hamas.
At first glance, especially against the backdrop of analog events, this seems like a lot of frightening and effective attacks on sometimes vital targets of a modern society. However, if you take a closer look, the facade of efficient, effective hackers who supposedly stop at nothing falls apart relatively quickly.
It was not possible to find out which “critical points of the Iron Dome” were actually attacked by the criminals, but the attacks do not appear to have been particularly effective (if they even happened in the first place). The hack of a production company ultimately turned out to be a defacement of the company's website. A website whose relevance I dare to doubt, since more than a week later it is still decorated with the attackers' “digital graffiti”.
And as far as the power plant allegedly taken over by the perpetrators is concerned, the reports are indeed true. Provided that the meaning of the word “takeover” is redefined to mean the reprocessing of years-old leaks.
The last mentioned attempt by a threat actor attributed to Hamas to compromise Israeli companies really did take place - at the beginning of the year, as the Microsoft report referred to by the authors of “The Hacker News” also states very clearly. In my opinion, this deliberate misleading leaves a more than bitter aftertaste, especially in view of the situation.
What a group of attackers actually managed to achieve: A mobile application used in Israel to warn of rocket attacks contained a security vulnerability that enabled the threat actor “AnonGhost” to send several fake warnings (including of an alleged nuclear strike against Israel) to several thousand users. I don't want to keep this incident a secret, but frankly I'll chalk it up to “a blind hen sometimes finds a grain of corn”. A statistical outlier, if you like.
Everything I have just listed and described here indicates to me that history is repeating itself. Vocal hacktivist groups (or people pretending to be such) using defacements, DDoS attacks and claims of allegedly stolen data or compromised systems to attract attention and thus harm a party to the conflict - or, as in the case of the DDoS waves that also hit Austria, entities peripherally linked to the parties to the conflict. Without actually having any influence on the actual conflict and without the attacks lasting longer than a few weeks.
Perhaps the most decisive difference to the events at the beginning of the war in Ukraine is that the attacks were largely one-sided. While at the beginning of 2022 both Russian and Ukrainian actors targeted the digital infrastructure of the other warring party, the overwhelming majority of attacks since the Hamas raid have been directed against Israeli targets.
Another difference is that there is currently virtually no public information about the activities of state-supported or controlled threat actors. Only the group known as “Predatory Sparrow” (which is seen by some journalists and security experts as a cover identity for cyberattacks by Israeli intelligence services) has announced the resumption of its activities on Telegram, but has not published any further information about possible attacks.
Of course, this does not mean that there are no attacks here; these types of attacks are not usually publicized by the attackers. But considering how quickly and publicly reported attacks by groups such as Sandworm or APT28 were reported in February 2022, and to some extent before, I am inclined to assume that the comparative absence of such reports on the current conflict is at least an indication that a smaller number of such operations are taking place.
Some groups (including Killnet and Anonymous Sudan), which can be said with a certain degree of certainty to be at least close to states or intelligence services, have spoken out and shown solidarity with the Palestinian side - but nothing has come from them in the past apart from DDoS and a lot of hot air, so I am not willing to take them seriously in the context of state threat actors.
Despite these differences, one major commonality remains: Mainly, the attacks known so far are to be seen as an expression of solidarity, with virtually no relevant impact and without any even remotely significant contribution to the situation in the “real world”. The latter is being done, sometimes in terrible ways, elsewhere and elsewhere.
As I mentioned before when talking about cyber attacks in the context of the war in Ukraine, I am a security analyst, not a military expert. But for now, I'll stick to the conclusion I drew back then: Cyber attacks rapidly lose tactical and operational significance when alternative, kinetic options are available. And I currently see no reason why this should change in the foreseeable future.