What are the cyber risks from the latest Middle Eastern conflict?

Hamas’ attention to OpSec

One substantial difference observed between the two conflicts is a lack of cyber activity before the initial Hamas attack. Prior to Russia’s invasion of Ukraine, which had been signalled months in advance by the Russian government, Ukraine was bombarded with a widespread campaign of cyber intrusions designed to soften up critical targets in advance.

This was not the case in the Gaza war, and this is not much of a surprise, because out of necessity, Hamas spent months – maybe years – plotting its initial attack with exceptional attention paid to operational security (OpSec). Indeed, it has been suggested that some senior members of Hamas were kept in the dark entirely, in case they were compromised by Israeli intelligence.

Therefore, for the incursion to take Israel by complete surprise, it may have been necessary for pro-Palestinian groups and Hamas-affiliated actors to confine their activity to normal levels. According to SecurityScorecard’s intel team, this was almost certainly the case.

“SecurityScorecard’s recently expanded collections of Hamas-affiliated messaging channels contain no evidence of how or when Hamas’s operation would begin prior to the start of the conflict,” said the Strike Threat Intelligence team.

“This suggests that, in contrast to other contemporary wars, the frequency or impact of cyber and information operations did not increase leading up to the war.

“A Russian hacktivist group may, for example, oppose Israel and be capable of attempting attacks against Israeli targets following the start of the war, but such a group would be unlikely to have a relationship with Hamas that could have offered it the early indications necessary to conduct cyber operations as a prelude to physical attacks,” the Strike team pointed out.

The isolation of Hamas and Israel’s clear technological superiority in this instance may also go some way to explaining why no cyber activity preceded the physical conflict.

Defensive posture

Given the most widespread form of impactful cyber attack seen to date has been DDoS attacks, defenders should consider implementing DDoS mitigations as a priority. Radware, a specialist supplier of DDoS mitigation services, suggests the following checklist as a strong basis for a defensive strategy:

• Gather up-to-date intelligence on active threat actors that can be used to implement pre-emptive protection, for example, adding IP ranges associated with their activity to deny lists;
• Implement behavioural-based detection to quickly and accurately spot and block traffic anomalies while allowing genuine traffic through;
• Implement real-time signature creation to quickly guard against novel threats and zero-days;
• Draw up a cyber security emergency response plan, making sure it accounts for DDoS attacks on connected systems and devices, and test it;
• Add hybrid mixes of on-premise and cloud DDoS protection services to enable real-time attack prevention that can address higher-volume attacks, and protect from pipe saturation.

Operators of critical infrastructure may additionally wish to harden defences around their operational technology (OT), such industrial control systems (ICS). Security teams may wish to review whether or not it is really necessary to expose such devices to the public internet (spoiler, it is not), and if possible, restricting access to them by adding known or dependent IPs to an allow list, and placing them behind a virtual private network (VPN) or firewall.

Beyond hardening networks, defenders may wish to consider the possibility of other forms of attack. Chris Hauk, consumer privacy advocate at Pixel Privacy, said: “Organisations with Israeli connections will want to stay alert for cyber attacks that could come from both without and within. Organisations should educate their employees to the risks of phishing schemes to gain access to internal systems. It is also possible that some employees may be sympathetic to Hamas, possibly initiating attacks from within.”

In addition, financially motivated cyber criminals will also be looking to exploit the war to access target networks for data exfiltration or ransomware attacks, so it is important for both security teams and regular employees to be on the lookout for suspicious activity, as Paul Bischoff of Comparitech explained.

“UK organisations should be on the lookout for phishing attacks that use the Israel-Palestine conflict as clickbait,” said Bischoff. “Phishing emails, messages and phone calls attempt to trick victims into clicking on malicious links leading to fake login pages, or attachments that carry malware.

“The content of messages could be related to charities, misinformation about the conflict or even recruitment,” he said. “Never click on links or attachments in unsolicited messages, and always verify the sender’s identity before handing over money or private information.”

Shields up

A few days prior to the onset of the war in Ukraine, Jen Easterly of the US Cybersecurity and Infrastructure Security Agency issued her now famous “Shields Up” alert to encourage organisations to take steps to bolster their resilience in the face of what was coming.

In the event, the cyber impact of the war in Ukraine has been rather more limited than was feared, with little disruptive activity observed beyond the physical warzone – although Ukrainian targets faced an onslaught of cyber attacks themselves.

With a reasonable degree of confidence, we can speculate that the cyber element of the Hamas-Israel war will follow a similar trajectory.

All the same, as we have seen, for those organisations that may find themselves in some way adjacent to the fighting, or bear some connection to Israel or Palestine, should consider dusting off their incident response plans and raising their shields.