Cybersecurity holds immense significance in geopolitics, especially in times of conflict, Google said in a report titled "Tool of First Resort: Israel-Hamas War in Cyber."
Though offensive cyber operations are widespread, threat actors' strategies, timing, and goals vary significantly. For instance, amid Russia’s invasion of Ukraine, Google examined and published a report detailing how cyber tactics can bolster military endeavors.
Following the October 7 Hamas terror attack, the report found that a steady stream of cyber operations by Iran and Hezbollah-linked groups became more focused, more concentrated, and, among other objectives, geared toward undercutting public support for the war.
The report, based on analysis from Google’s Threat Analysis Group (TAG), Mandiant, and Trust & Safety teams, encompasses new findings on Iranian-government-backed phishing campaigns, hack-and-leak and information operations (IO), as well as disruptive attacks targeting Iran and Hamas-linked cyber operations.
Key findings on cyber operations related to the Israel-Hamas war
1. Iran's aggressive targeting of Israeli and U.S. entities persists, with varying degrees of success. While Hamas' attack didn't fundamentally alter Tehran's strategy, it did prompt a more focused effort afterward, notably aimed at undermining public support for the war. This includes destructive attacks on key Israeli organizations; hack-and-leak operations, featuring exaggerated claims of attacks on critical infrastructure in Israel and the US; information operations to demoralize Israeli citizens, sow distrust in critical organizations, and sway global public opinion against Israel; and phishing campaigns targeting users in Israel and the U.S. to gather intelligence on key decision-makers.
2. An entity identifying itself as "Gonjeshke Darande" (Predatory Sparrow) has asserted responsibility for disrupting critical infrastructure in Iran. It purportedly targeted numerous gas stations, rendering them offline by attacking their infrastructure and payment systems. While Iranian authorities have attributed these actions to Israel, conclusive evidence to validate such claims is currently lacking.
3. Hamas’s cyber espionage followed its typical pattern in the lead-up to October 7, and no other significant activity has been recorded since. Google's observations suggest Hamas did not use cyber operations to tactically support the terrorist attack on October 7. Through September 2023, Hamas-linked groups engaged in cyber espionage consistent with their normal operations, including "mass phishing campaigns to deliver malware and steal data; mobile spyware, including Android backdoors, distributed via phishing; persistent targeting of Israel, Palestine, and their regional neighbors in the Middle East, as well as regular targeting of the U.S. and Europe."
As for what to expect in the rest of 2024, the report assesses that "Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, to include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen."
"Hack-and-leak operations and IO will remain a key component in these efforts to telegraph intent and capability throughout the war, both to Iran’s adversaries and to other audiences that they seek to influence."
"While the outlook for future cyber operations by Hamas-linked actors is uncertain in the near term, we anticipate Hamas cyber activity will eventually resume, with a focus on espionage for intelligence gathering on intra-Palestine affairs, Israel, the US, Europe, and other regional players in the Middle East."