Israeli-Palestinian Conflict: Multifaceted Alliances and Fierce Cyberspace Battle

Israeli-Palestinian Conflict: Multifaceted Alliances and Fierce Cyberspace Battle

outubro 23, 2023 | NSFOCUS

Background

On October 7th, accompanied by the launch of thousands of rockets, the Palestinian Islamic Resistance Movement (Hamas) declared a military operation against Israel.

As real-world conflict escalated, hacktivist organizations from various countries, including Russia, India, Indonesia, and Iraq, began engaging in continuous cyber warfare within the cyberspace domains of both sides. The primary methods of attack involve Distributed Denial of Service (DDoS), data theft, website defacement, and other cyber attack techniques. In addition to executing cyber attacks, hacktivist groups supported by various factions also use text, images, and videos to propagate narratives favorable to their own side, influencing public opinion.

According to NSFOCUS Security Labs, as of October 13th, a total of 55 groups have participated in attacks, with the majority being pro-Palestinian hacker groups. This includes 43 pro-Palestinian cybercriminal groups, including Killnet, targeting Israeli critical infrastructure in sectors such as government, finance, and communications. There are comparatively fewer pro-Israeli organizations, with a total of 12, mainly led by organizations like India Cyber Force and UCC, directing their attacks toward Palestinian critical infrastructure.

Attack Overview

Overview of DDoS Attacks Against Israel

DDoS attacks targeting Israel exhibited a noticeable upward trend starting from September 26th, reaching its peak on the 28th. Subsequently, on October 8th and 9th, Hamas initiated military actions against Israel, leading pro-Palestinian hacker groups to intensify their attacks on Israeli websites, expanding the scope of the attacks.

Figure 2.1 Trend of DDoS attacks against Israel

The DDoS attack activity on September 26th may be related to the Cyber Operations Alliance (C.O.A Agency), which claimed responsibility for conducting DDoS attacks on multiple Israeli websites. The attacks on October 8th and 9th were associated with several hacker groups, including Killnet.

Figure 2.2 C.O.A’s attack targets on September 26

Overview of DDoS Attacks Against Palestine

DDoS attacks against Palestine experienced a significant increase on October 8th and 9th, with pro-Israel organizations such as India Cyber Force and Garuna Ops claiming responsibility and conducting DDoS attacks on Palestinian network infrastructure.

Figure 2.3 Trend of DDoS attacks against Palestine

Key Attack Events Monitoring

Monitoring of Attacks Targeting Israel

In cyberspace, NSFOCUS’s global threat hunting system has detected a series of DDoS attack activities against Israel. The primary targets are government, judicial, military, power, and other critical websites. In addition, email services and DNS services have also been targeted.

Furthermore, according to the monitoring, it’s evident that DDoS attack methods have evolved. To bypass or evade DDoS defense devices’ detection, the attack targets not only focus on open service ports but also use random high-numbered ports as targets. The port range falls between 1026 and 65525.

Attacks on Israeli Government Official Websites

At 4:53 AM, 23:43 PM on October 8 (Beijing time), and 12:23 AM on October 9, DDoS attacks were observed on the official Israeli government website (www.gov.il). The main targets of the attack were ports 53 (DNS service) and 443 (Web service). To avoid detection, the attack also targeted random high-numbered ports, including ports 47884, 33166, 45224, and others.

This may be related to the Killnet organization, which claimed to attack the website at 10:59 PM on October 8, causing it to go offline. This corresponds with the monitoring of the organization’s attack targets.

Figure 3.1 Killnet Attack on Israeli Government Website Leading to its Paralysis

Attacks on the Israeli Defense Forces Email System

Email systems play a crucial role in communication, especially for key units. During wartime, frequent and critical information exchange is essential. Email system disruption can result in immeasurable losses.
On October 9, at 12:36 AM and 12:18 PM (Beijing time), the Israeli Defense Forces’ email system was subjected to two DDoS attacks. The second attack lasted until 8:01 PM and exhibited strong targeting. It continuously attacked mail.idf.gov.il and mail1.idf.gov.il, targeting the SMTP service (port 25/TCP). The aim was to disrupt the enemy’s communication system during wartime, temporarily rendering their communication “blind”.

Figure 3.2 Israeli Defense Forces website

Attacks on the DNS Service of the Israel Electric Company

The Israel Electric Company (IEC is the largest electricity provider in Israel and the Palestinian territories. IEC is responsible for constructing, maintaining, and operating power plants, substations, and power distribution networks in Israel, with its installed capacity making up approximately 75% of the country’s total power generation. It transmits and distributes nearly all the electricity used in Israel, including that generated by other producers, highlighting its significance.

Additionally, the DNS service plays a crucial role in domain name resolution. When it is disrupted, the impact is significant, as it prevents all users who rely on that DNS from resolving any websites, affecting website access in an entire region or even the entire country. An attack on the DNS service of this company can disrupt the internal network of the power system.

NSFOCUS’s global threat hunting system confirmed the attack claim made by the TEAM HEROX organization, which attacked the company’s website and caused its service unavailable.

On October 9, at 2:16:05 AM (Beijing time), monitoring detected the attack organization using 79-byte UDP packets from global nodes to attack the IEC’s DNS service (ns1.iec.co.il) on port 53/UDP.

Figure 3.3 TEAM HEROX paralyzed the Israel Electric Company

Attacks on the Israeli Supreme Court Website

On September 29th at 13:03:33 Beijing time, the Israeli Supreme Court website (supreme.court.gov.il) on port 443 experienced a DDoS attack lasting for over one hour. On October 7th, the same website faced an attack from Team Insane Pakistan.

The Israeli Supreme Court is the highest judicial authority within the Israeli legal system, located in Jerusalem. In the past, it has handled numerous lawsuits related to the Israeli-Palestinian conflict, the rights of Arab-Israelis, and differential treatment of Jewish communities. Additionally, the Supreme Court has the authority to intervene in the military actions of the Israel Defense Forces, which might be a reason for the attacks on the website.

Figure 3.4 Team Insane Pakistan’s attack on the Israeli Supreme Court website, causing its paralysis

Attacks on the Jerusalem Post Website

News websites are crucial sources for the public to receive information, especially during significant events. DDoS attacks on such websites can disrupt public access to information and their understanding of current events.

The Jerusalem Post (www.jpost.com) is the most widely circulated English newspaper in Israel and serves as an important international media outlet. It is more susceptible to DDoS attacks. On October 9th at 01:35:25 Beijing time, the website on port 443 experienced a DDoS attack using global DDoS reflection nodes, lasting for over 24 hours. The website’s official Twitter account confirmed multiple DDoS attacks and service interruptions, which aligns with the claims of an attack on the website made by the Anonymous Sudan organization on their Telegram channel.

Figure 3.5 Anonymous Sudan’s attack on the Jerusalem Post website

Attacks on Israeli Banks

On October 9th at 00:04:30 Beijing time, it was observed that the website of Israeli banks (www.boi.org.il) on port 443 was subjected to a DDoS attack, lasting for 1 hour and 3 minutes.

This website experienced attacks from multiple hacker organizations, including Team Insane Pakistan, SYLHET GANG-SG, ACEH ABOUT HACKED WORLD, Ketapang Greyhat Team, and others. This aligns with the monitoring data indicating such attacks.

Figure 3.6 Multiple hacker organizations attacking the Bank of Israel

The Bank of Israel is the central bank of the State of Israel. It was established in 1954 and is located in the ancient town of Binyamin in Jerusalem, near the Knesset (Israeli Parliament), the Supreme Court, and government offices. The Bank of Israel operates independently, with its goals and operational methods defined in the Bank of Israel Law 5770-2010. Its objectives include maintaining price stability, supporting government objectives, especially in terms of growth and employment, and ensuring the stability of the financial system.

Attacks on the Israel Internet Association Website

On October 9th at 05:18:37 Beijing time, it was observed that the website of the Israel Internet Association (register.isoc.org.il) on port 443 was subjected to a DDoS attack. To avoid detection, the attack also targeted port 43, lasting for 1 hour and 10 minutes.

The Israel Internet Association is dedicated to promoting the Internet and its integration into Israel’s technological, research, educational, social, and business infrastructure. It is responsible for managing the registration of “.il” and “.ישראל” domain names, as well as the ongoing operation of the Israel Internet Exchange (IIX). This allows secure, fast, and unrestricted access to Israeli and global websites and online services from anywhere at any time.

Figure 3.7 Website of the Israel Internet Association

Monitoring of Attacks on Palestine

In cyberspace, NSFOCUS’s Global Threat Hunting System detected a series of DDoS attack activities targeting Palestine, primarily focusing on government and telecommunication websites.

Attacks on Hamas Official Website

As the initiator of the conflict, it is expected that Hamas-related network infrastructure would be among the primary targets. The Global Threat Hunting System observed multiple DDoS attacks on the organization’s official website. These attacks occurred on October 8th at 05:34:44 AM and on October 9th at 12:34:57 AM Beijing time. The attacks targeted port 443 of the Hamas official website (hamas.ps). During the attacks, each attack packet used random high-numbered ports, including 51204, 27653, and 51207. The attacks lasted for 25 minutes.

This aligns with the related statement from the India Cyber Force organization on Telegram, which declared on October 8th at 4:58:00 PM that they had successfully rendered the website inoperative.

Figure 3.8 India Cyber Force’s Attack on Hamas Official Website resulting in its disruption

Attacks on the Palestine Telecommunications Company Website

Telecommunication companies play a vital role in facilitating communication, and during times of conflict, they become significant targets. When such a company ceases its services, it can have a significant impact on national operations. The India Cyber Force organization targeted this website and claimed to have paralyzed it on October 9th at 12:05.

On October 9th at 02:23:46 Beijing time, NSFOCUS’s global threat hunting system observed multiple port attacks on the company’s website, including ports 53, 80, and 443, among other important ports. The attack targets varied in port sequence, focusing on ports 53, 443, and 80.

Figure 3.9 India Cyber Force’s attack paralyzed the Palestine Telecommunications Company website

Monitoring of Threat Actors

NSFOCUS’s global threat hunting system conducted continuous foreign monitoring of the cyberspace conflict between Israel and Palestine. In this conflict, hacktivist actions involve network attacks, and the cyberspace battle is divided into two camps: pro-Palestinian organizations and pro-Israel organizations. DDoS attacks are primarily used by both sides to paralyze their attack targets, rendering them unable to provide services. The main targets of these attacks are government websites, with military, intelligence, education, and financial sites also affected. For instance, Anonymous Sudan claimed responsibility for an attack on the Israeli Iron Dome system, a mobile all-weather air defense system designed to intercept rockets within a range of 5 to 70 kilometers.

As of October 13, there are a total of 43 pro-Palestinian organizations and 12 pro-Israel organizations, originating from various countries.

Overview of Pro-Palestinian Organizations and Attack Targets

Several hacker groups openly support Hamas and have carried out DDoS attacks mainly targeting Israeli government websites. These hacker groups primarily consist of two major entities: the Killnet Hacker Group and the C.O.A Agency.

  • Killnet Hacker Group: This group includes Killnet, Anonymous Sudan, and ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2 (Cyber Special Forces) organization.
  • C.O.A Agency: Comprises 8 different hacker groups.

Figure 4.1 Members of the C.O.A Agency

Killnet Organization and Their Activities

Killnet is a pro-Russian hacker organization known for conducting DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks against government institutions and private companies from various countries during Russian-Ukrainian conflict in 2022.

On October 8th, Killnet posted comments on their Telegram social platform account, indicating their intention to attack Israeli government websites. This was subsequently shared on the ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2 (Cyber Special Forces) Telegram channel, indicating the participation of ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2 in the attacks on Israel.

Figure 4.2 Killnet claims to launch cyberattacks on Israel

Shortly afterward, they posted screenshots of breached targets, including the Israeli government’s official website.

Figure 4.3 Killnet’s attack paralyzes the Israeli government website

On the evening of October 8th at 23:13, Killnet announced plans to coordinate an attack with Anonymous Sudan, which was subsequently shared on Anonymous Sudan’s Telegram channel.

On the early morning of October 9th, while conducting cyberattacks, Killnet also published an article to shape public opinion, claiming that their attacks were for “peace” and only targeted the Israeli government. After breaching websites, they sent out messages for a ceasefire, attracting public attention.

Figure 4.4 Killnet publishes articles to guide public opinion through website defacement

At 03:55 on October 9th, Killnet launched a successful attack on the Israeli Security Agency, Shabak. Shabak is part of the Israeli intelligence system and is responsible for counterintelligence activities and ensuring internal security, functioning similarly to the FBI and FSB.

Figure 4.5 Shabak Killnet’s attack on Shabak

Table 4.1 Killnet’s Attack Targets

TargetWebsiteType
Israeli government official websiteshttps://www.gov.ilGovernment
Shabak official websitehttps://shabak.gov.ilMilitary
Freelance service provider recommendationhttps://www.interman.co.ilPublic Service
Kitchen customization and designhttps://chenkitchens.co.ilPublic Service
Information systems implementation traininghttps://khl.co.ilPublic Service
Wine saleshttps://wewines.co.ilPublic Service

Anonymous Sudan Organization and Their Activities

“Anonymous Sudan” is a group of hacktivists who claim to be from Sudan and are motivated by religious and political reasons. Since January 2023, they have been conducting DDoS attacks driven by religious motives against several Western countries. Due to a shared target during an attack in Sweden, Killnet officially declared “Anonymous Sudan” as part of their cluster of hacktivists targeting Western countries and countries opposing Russia. Subsequently, “Anonymous Sudan” has used Killnet’s reputation and influence to develop its members and has become one of the most prominent hacktivist organizations in 2023.

Similar to the Killnet organization, Anonymous Sudan launched attacks on October 8th at 01:41, primarily targeting critical endpoints within the Israeli alert system and claiming potential impacts on the Iron Dome.

Figure 4.6 Anonymous Sudan claims to launch cyberattacks on Israel

Ten hours later, the organization attacked the Jerusalem Post, causing it to be paralyzed. Subsequently, on October 9th, they conducted multiple rounds of attacks, rendering the website unable to provide normal services for over 50 hours. NSFOCUS’s global threat hunting system monitored these attack activities.

Figure 4.7 Anonymous Sudan’s attack on the Jerusalem Post

Table 4.2 Anonymous Sudan’s Attack Target

TargetWebsiteType
Jerusalem Posthttps://www.jpost.com/Media

ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2 (Cyber Special Forces) Organization and Their Activities

This organization created its Telegram channel on August 5, 2023, and publicly announced itself, claiming to consist of Russians and recruiting new members. It is affiliated with the Killnet group and primarily employs DDoS attacks.

Within 5 minutes of Killnet’s announcement of attacking Israel, ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2 organization shared related statements and joined in the attacks on Israel. This organization mainly targets bank websites.

Figure 4.8 ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2 joined attacks

On October 9th, they attacked multiple bank websites, including Bank Mercantile Discount Ltd (mercantile.co.il), Discount Bank (discountbank.co.il), and Bank of Jerusalem (bankjerusalem.co.il).

Table 4.3 ЛЕГИОН – КИБЕР СПЕЦНАЗ РФ V2’s Attack Targets

TargetWebsiteType
Bank Mercantile Discount Ltdhttps://discountbank.co.il/Bank
Discount Bankhttps://mercantile.co.il/Bank
Bank of Jerusalemhttps://bankjerusalem.co.il/Bank

C.O.A Agency and Their Activities

C.O.A Agency, composed of 8 hacker organizations, was formed on September 24, 2023. They primarily conducted DDoS attacks targeting India. On September 26, they began their attacks against Israel and officially declared their support for Palestine’s involvement in attacks against Israel on October 8.  

Figure 4.9 C.O.A Agency claims to launch cyberattacks on Israel

Their attack targets encompass various sectors, including government, healthcare, and education.  

Table 4.4 C.O.A Agency’s Attack Targets

TargetWebsiteType
Government service appointment websitehttps://govisit.gov.il/Government
National Rights Index websitehttps://mybenefits.gov.il/Government
Israeli Ministry of Agriculture and Rural Developmenthttps://agri.gov.il/Government
Israeli Tax Authorityhttps://www.shaam.gov.il/Government
Healthcare Centerhttps://www.poria.health.gov.il/Healthcare
Israeli Educationhttp://apps.education.gov.il/Education
Teacher Portalhttps://poh.education.gov.il/Education
Peace Now websitehttps://peacenow.org.il/Society
Israeli Accessibility Associationhttps://www.aisrael.orgSociety

Overview of Pro-Israel Organizations and Attack Targets

Several hacker criminal groups, including India Cyber Force, openly supported Israel and, on October 8th, claimed that they would carry out cyberattacks on the Palestinian region.

India Cyber Force Organization and Attack Activities

India Cyber Force is an Indian hacker organization that claims to be the official network defense unit of the Indian Army.

On October 8th, they announced that they would launch cyberattacks on the Palestinian region.

Figure 4.10 India Cyber Force claims to launch cyberattacks on Palestinian region

Subsequently, within two days, they successfully carried out attacks on several critical Palestinian websites, including those in the government, communication, and financial sectors. Additionally, the organization compromised over 200 network devices in Palestine, including devices from schools and hospitals.

Table 4.5 India Cyber Force’s Attack Targets

TargetWebsiteType
Hamas Official Websitehttps://hamas.ps/Governmental Group
Palestinian Government Postal Websitehttps://www.webmail.gov.ps/Government
Palestinian Telecommunications Company Websitehttps://www.paltel.psCommunication
Palestinian National Bank Websitehttps://www.tnb.ps/enFincance
Ministry of Transportation and Communication Websitehttp://www.mot.gov.psTransportation
Ubuy Websitehttps://www.ubuy.com.ps/E-commerce

Garuna Ops Organization and Attack Activities

On October 8th, this organization issued a statement warning other countries that support Palestine and called for non-Muslim hackers to attack Palestine.

Figure 4.11 Garuna Ops claims to launch cyberattacks on Palestinian region

This attack organization primarily targets news websites in other countries, including Bali News and Bangladesh National Information Broadcasting Network, with the aim of shaping local public opinion.

Figure 4.12 Garuna Ops attacks Bali news website

Table 4.6 Garuna Ops’s Attack Targets

TargetWebsiteType
Bali News Websitehttps://balebengong.id/Media
Bangladesh National Information Broadcasting Network Websitehttp://www.bangladesh.gov.bd/Government

UCC Organization and Attack Activities

On October 8th, the UCC organization forwarded the statement issued by the Garuna Ops organization on its Telegram channel and officially launched cyberattacks against Palestine on October 9th.

These attacks targeted various Palestinian entities, with a primary focus on DDoS attacks against government websites.

Table 4.7 UCC’s Attack Targets

TargetWebsiteType
Palestinian Ministry of Foreign Affairs and Expatriates Websitehttp://www.mofa.pna.psGovernment
Palestinian Government Websitehttps://www.palgov.ps/Government
Palestinian Social Solidarity Fund Websitehttp://www.takaful.gov.ps/Government
Palestinian Public Procurement Policy Higher Council Websitehttp://www.shiraa.gov.ps/Government
Palestinian Supreme Judicial Council Websitehttps://www.courts.gov.ps/Government
Palestinian Lireh Deir Ghazi Elementary School Websitehttp://awardedu.gov.ps/Education

Conclusion

1. Communication Services and Network Infrastructure Are Main Targets of DDoS Attacks

Looking at the online competition between the two sides in the Israel-Palestine conflict, DDoS attacks target not only web servers but also DNS services and critical email services. Compared to traditional web service attacks, targeting DNS services and critical email services has a more significant impact. If DNS services are disrupted, it affects domain name resolution in the entire region, rendering various services such as websites and email inaccessible, causing interruptions in network communication. If critical email services are disrupted, it leads to communication interruptions, affecting the transmission of crucial information, temporarily causing “blindness” in communication.

2. Cyber Warfare Extends Beyond the Warring Parties, Often Triggering Chain Reactions

Cyber warfare is not confined by geographical boundaries and can be initiated at any time and place. This results in online warfare extending beyond the warring parties, with multiple hacker organizations from different countries participating in cyberattacks. In this conflict, hacker organizations from countries such as Russia, India, Pakistan, and Indonesia participated in the attacks. Once various hacker organizations align themselves, apart from attacking network facilities within the warring parties’ borders, the “war” of online attacks can spread to the countries of these hacker organizations, causing a series of attack responses and triggering chain reactions, resulting in more extensive attacks.

3. Cyberattacks and Information Warfare Intertwine, Good and Evil Coexist

Hacker organizations supporting both sides have carried out a series of malicious cyberattacks in the online space, including DDoS attacks, data theft, website defacement, etc., disrupting and damaging the network infrastructure of the opposing side. Their primary targets are crucial websites in sectors such as government and finance, implying a broad impact, potentially affecting entire countries. However, in addition to cyberattacks, these attacking organizations also publish articles and alter the content of the attacked websites to influence public opinion, claiming that their actions are just and that their “evil” cyberattacks are for the people and for “justice.”

4. Hacker Organizations Are Not Always Solitary Entities; They Quickly Form Temporary Interest Groups During the War

Looking at the online competition between various hacker organizations during the Israel-Palestine conflict, these organizations are not always solitary actors. Organizations with similar interests will show solidarity and quickly form interest groups during times of “war.” While these organizations usually operate independently, their shared interests during times of “war” lead to a rapid alliance, expanding their attack capabilities. Examples of such groups during the Israel-Palestine conflict include the Community Network Operations Alliance (C.O.A), Killnet, and Anonymous Sudan, among others. Additionally, many hacker organizations temporarily assemble and join attacks due to their interest demands.

About NSFOCUS Security Labs
Founded in 2000, the NSFOCUS Security Labs is an internationally recognized cyber-security research and threat response center at the forefront of vulnerability assessment, threat detection and mitigation research.
NSFOCUS Security Labs focuses on eight key research domains that address the most critical concerns in the cybersecurity industry.