Start your day with intelligence. Get The OODA Daily Pulse.

Home > Analysis > Geopolitical Hacktivism in Palestine Conflict

While many of the hacktivist groups seem at this point unsophisticated in how they are conducting their operations, there are those that are more capable and more experienced.  

The recent situation in Palestine bears similarities to the Ukraine war where nonstate hacktivist groups have quickly chosen sides and entered the conflict conducting cyber attacks against both the primary antagonists, as well government and private sector supporters.  According to recent estimates, there were more than 100 active groups participating in the ongoing “cyber warfare” between Israel and Palestine.  Of these, approximately 20 groups align with Israeli interests while 77 ally with the Palestinian side, and three remain neutral.  Some of these groups like KillNet and Anonymous Sudan have also been engaged in the Ukraine war, further demonstrating how geopolitical issues are a major catalyst to mobilize these interests.  Hacktivists on both sides have taken to social media and other channels like Telegram to support their side of the ideological struggle, recruiting others, and pushing their own narratives.

For most of the conflict thus far, cyber attacks have primarily manifested into distributed denial-of-service attacks (DDoS), though other forms are quickly emerging as well.  Primary victims of these attacks have been media, banking/financial organizations, government, and telecommunications, most of which have a role in disseminating information to domestic and international audiences.  As has been in the case of the Ukraine war, political and ideological motivated hacktivist activity has expanded past the two primary combatants and targeted governments and even private sector companies supporting a side.  Already several hacktivist groups (including but not limited to Sylhet Gang, Garnesia Team, and Panoc Team) have conducted DDoS attacks against countries that have openly supported Israel to include France, India, Ukraine, and the United States.  This further serves as a reminder that any entity publicly backing one side risks being targeted by that side’s adversaries.

Curiously, recent findings have revealed that observed DDoS originating from Iranian IP addresses has actually subsidedsince the beginning of the conflict, an interesting revelation given that Iranian hackers are typically tied to such attacks against Israel.  Whether they may be supporting other hacktivist activities or perhaps organizing other forms of attack remains uncertain.  A more logical explanation is that they are simply watching the cyber battlefield trying to determine how these attacks are being detected and neutralized by Israeli defenders, applying what they are learning to potential future campaigns.  Thus far, most of the DDoS attacks on either side have had limited tactical or strategic impact, proving more of a nuisance than a means of delivering punitive retribution.

While many of the hacktivist groups seem at this point unsophisticated in how they are conducting their operations, like the two groups already mentioned, there are those that are more capable and more experienced.  These more practiced groups may take guidance from the sides they support, or act independently of them, making them unaccountable and truly unpredictable.   What’s more, these groups can choose to lead other less experienced hacktivists, organizing resources in order to create more effective attacks regardless of the capabilities on hand.  If they continue to remain independent, these groups can execute their operations in and around their attacks, using them as distractions to better conceal their own strikes, enhancing the chances of success.  This is important given the increased attention that has been placed on critical infrastructures, a valid concern during times of tension, no less conflict.

Despite the Red Cross efforts to create a hacktivist code of conduct in cyberspace that adhere to the basic principles of international humanitarian laws when conducting operations in support of a state, many groups like KillNet and Anonymous Sudan have refused to sign on.  In their opinion, such restrictions were “not viable” restricting their ability to maximize their efforts.  While they may not possess the sophisticated weaponry and tactics, techniques, and procedures of state actors, they likely have enough capability to cause the necessary disruptions to impact operations of key industries on which the public relies.  At the very least, they can obtain the tools they need, or at least collaborate with other sympathizers who may be more capable.

Therefore, it is unsurprising to see that hacktivist tactics, especially from the more capable groups, will continue to diversify.  Aside from DDoS, there has been at least one notable incident where the pro-Palestinian AnonGhost group gained access to an app used by Israelis to warn them of impending rocket strikes.  Once compromised, AnonGhost sent fake rocket alerts and even a fake nuclear launch warning.  There have been other forms of disinformation executed by hacktivists, but most of the claims asserted with respect to attacks they had conducted were not confirmed or substantiated, but still suggest value in promoting false narratives.  While some content is clearly driven by the hacktivists themselves, these groups can quickly become useful mechanisms for distributing more polished forms of mis- and disinformation the longer the conflict endures.  Given the longstanding historic rift between Palestine and Israel that has culminated in horrific and tragic images, the opportunity to sway public opinion and influence the global audience is an opportunity to leverage favorable resolutions.

The more the Palestine conflict continues to evolve, the more likely these hacktivist groups will engage in other forms of more dangerous cyber attacks other than web page defacements and DDoS attacks.  Already, one pro-Palestinian group has been using a Linux-based wiper malware (BiBi-Linux-Wiper) against Israeli targets.  Wiper malware has been used in the Ukraine war, and has proven effectively destructive, often employed to cause, destruction of evidence, and cyber warfare, as it can “wipe” data, overwrite data, or corrupt data.  As more wipers are deployed, other punitive cyber attacks can be expected such as ransomware deployment to lock up systems and steal/distribute stolen data, and not make money.  Also, hacktivists may engage in doxxing high-value persons for the purpose of exposing their sensitive information that can be leveraged for physical and/or digital targeting.

Ultimately, the best indicator of future behavior is past behavior, and the current Palestine conflict bears many geopolitical similarities to that occurring currently in the Ukraine war.  While the Palestine conflict is still early, it has the potential to escalate quickly, which will likely reflect in the cyber domain that seems to mirror the activities happening in the physical world.  Proceeding forward, it will be interesting to see how hacktivism evolves from what’s been occurring in Ukraine, branching out into other information-based activities that go beyond the disruption/destruction of information systems, and if it is more influenced/directed by its state benefactors.

Tagged: Cybersecurity
Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.