Iran's Cyber Onslaught: From Data Heist to Digital Warfare in Israel

It appears that on October 7 Israel was not only unprepared at the border of Gaza but also on the cyber front. Since the attack, multiple Iran-affiliated hacker groups infiltrated and are sharing on the dark web and hacker forums available to all, multiple leaked databases containing thousands of highly sensitive files regarding Israeli soldiers, civilians, and companies. An in-depth analysis of the ongoing crisis, from hospital breaches to governmental cyber warfare – navigating the fallout and implications for Israel's cybersecurity landscape. This investigation is also published in ynetnews.com

It appears that on October 7 Israel was not only unprepared at the border of Gaza but also on the cyber front. Since the attack, multiple Iran-affiliated hacker groups infiltrated and are sharing on the dark web and hacker forums available to all, multiple leaked databases containing thousands of highly sensitive files regarding Israeli soldiers, civilians, and companies. An in-depth analysis of the ongoing crisis, from hospital breaches to governmental cyber warfare – navigating the fallout and implications for Israel's cybersecurity landscape. This investigation is also published in ynetnews.com

It appears that on October 7 Israel was not only unprepared at the border of Gaza but also on the cyber front. Since the attack, multiple Iran-affiliated hacker groups infiltrated and are sharing on the dark web and hacker forums available to all, multiple leaked databases containing thousands of highly sensitive files regarding Israeli soldiers, civilians, and companies. An in-depth analysis of the ongoing crisis, from hospital breaches to governmental cyber warfare – navigating the fallout and implications for Israel's cybersecurity landscape. This investigation is also published in ynetnews.com

The Israel-Iran cyber conflict. Illustrations: Shutterstock

Milan Czerny

in collaboration with

January 21, 2024

Summary

On October 8th, as Israel only just began to wake up to the scope of the worst intelligence failure of its history, a previously unknown hacker group, “MalekTeam,” appeared online. “I am Malek. I have all of your personal information. Anyone who serves the Zionists is under my control,” they wrote in their first message on a popular messaging application. In the following weeks, the hackers who are believed to be tied to Iranian military intelligence, proceeded to publish tens of thousands of records containing Israeli citizens' private information. 

In their most damaging leak to date, the hackers released hundreds of medical records, detailing personal health information and types of wounds, belonging to soldiers injured at the border with Lebanon after October 7th. "We have more than 500 GB. We give you some samples: about 20000 of citizens, and 5000 of the IDF," they announced, claiming to possess way beyond the publicly available files. The hacker group also claims to be behind the hacking of Ono Academic College, and a major Media Group.

The leaks of such sensitive information were hardly a surprise to Israeli cyber experts who have been warning for many years about key vulnerabilities of Israel in the cyber domain. More than a year ago, in December 2022, the State Comptroller already noted in a report the lack of protection of the personal information of millions of citizens and called for a rapid intervention to correct the deficiencies, yet little was done. Hospitals, storing soldiers’ medical records and data on their injuries, were recognized to be particularly under-protected, and a far cry from Israel’s self-representation as cyber-security powerhouse. An Israeli official speaking on condition of anonymity indicates that in hospitals many times the computer operating systems are old, there is low awareness in terms of cyber security, and no budget for this. The official adds that hospitals do not effectuate risk assessments to check the risks on an ongoing basis, while unauthorized people can get into the systems

Such private information will remain online indefinitely and can be used to harm Israelis in multiple manners, such as modifying health data in life-threatening ways, identity thefts, tailored phishing and social engineering attempts which can be used to lure victims into sharing sensitive intelligence to prepare future attacks. Israeli authorities in charge of cyber security are now finally starting to take action to improve cyber security, but the harm has been done, and they have largely failed to prevent the widespread diffusion of Israeli private information.

Prime Minister Netanyahu at the Cyber ​​Conference in 2019. Photo: Reuters
As on Gaza’s border, where alerts preceding Hamas’ October 7th attacks were not taken seriously, hubris took over, and warnings regarding key cyber vulnerabilities fell on deaf ears.

The Warning Signs Ignored Before October 7th 

Starting in 2010, Prime Minister Benjamin Netanyahu made Israel’s cyber-security a priority. He launched the “National Cyber Initiative,” tasked to provide Israel with “superpower capabilities in cyber-space.” A few years later, Netanyahu claimed that the goal had been achieved, with Israel turning into “a cyber security power.” Israel began to be seen internationally as a cyber security powerhouse, allegedly invulnerable to external digital threats. 

As on Gaza’s border, where alerts preceding Hamas’ October 7th attacks were not taken seriously, hubris took over, and warnings regarding key cyber vulnerabilities fell on deaf ears. Dr. Tehilla Shwartz Altshuler from the Israel Democracy Institute, noted already last year that “there is a systemic problem with Israel's cyber defense readiness” and “Israel's cybersecurity is a ticking time bomb.” Amidst the war, the bomb is exploding and these vulnerabilities are being exposed.

Israel’s flaws on the cyber front concern public institutions that are often subject to cyber attacks worldwide, such as hospitals and universities. Israel defines 40 organizations as critical infrastructures, granting them more manpower, funding, and they have to meet certain standards. However, the important organizations that are not defined as critical are more problematic - universities and hospitals, hosting high-value information such as citizens' and soldiers’ health data. In May 2023, the State Comptroller warned about the numerous cybersecurity shortfalls that put state institutions, including hospitals and the health data of citizens, at risk of falling prey to hackers. 

The National Cyber Directorate, one of the main bodies in charge of ensuring the country's cyber security, could do little following such an alarming report: before the war, the Cyber Directorate operated without a legal framework granting it monitoring, supervision, enforcement, and punishment powers. As explained in an interview by Dr Rachel Aridor Hershkowitz, a researcher on cybersecurity and medical data at the Israeli Democracy Institute: “After a cyber-attack against a hospital in 2021, little happened, because the Cyber Directorate could not do anything, it had no power, and the health ministry said that it had no money to invest in the cyber security of the hospitals. It is a known fact that hospitals in the cyber domains are not protected enough, and we are now seeing the problems.” 

In broken English, Iranian-backed hackers from the MalekTeam are now exploiting the systemic deficiencies in Israel's cyber defense and sharing links to download files containing Israeli private health information: “We have the files for soldiers who were admitted to Ziv hospital in the last 10 months. The hospital is one of the main medical centers in the North and Hezbollah attacks from there.” Rather than asking for money, as is usually the case in cyber attacks against hospitals around the world, MalekTeam shares sensitive medical information, health records dating from 2020 to 2023, including vaccination records. The data was verified by Shomrim. Israel’s Cyber Directorate acknowledged on December 18, 2023, that “the attackers succeeded in extracting some data,” pointing the finger at Iran and Hezbollah for being behind the attack, without expanding on their sensitive nature. 

Ziv Hospital has been a recurrent victim of cyber-attacks, failing to prevent hackers from gaining access to sensitive data in the current war. In response to these attacks and warnings, Ziv Hospital’s spokesperson indicated that “we increased preparedness at the Ministry of Health and the Government Hospitals Division.” Even more worrisome, Ziv Hospital might be far from an isolated case. An Israeli official reveals that there have been many attacks against hospitals in the last few months; not just against Ziv Hospital, but also against Mayanei Hayeshua, Emek, and the Eitanim psychiatric hospital near Jerusalem. It is unknown if data leaked in those attacks.

The Cyber Directorate is now finally gaining new power in the war, with an emergency regulation granting it the ability to issue binding instructions to firms victims of cyber attacks, but this seems to happen too late. Dr Aridor Hershkowitz stresses that “nothing can be done about the leaks which have already taken place.” Similarly, an Israeli cyber analyst notes that while Israeli agencies have improved the cyber defense of Israeli private and public sector during the war, “the questions that we can raise is whether what was done before October 7th was enough in order to deter Iran from actively hacking many companies in Israel, and getting a pretty good foothold in the Israeli cyberspace over time”.

Illustration: Reuters
Israel’s Cyber Directorate acknowledged on December 18, 2023, that “the attackers succeeded in extracting some data,” pointing the finger at Iran and Hezbollah for being behind the attack, without expanding on their sensitive nature.

Exploiting Israel's Weaknesses in the Digital Battlefield

MalekTeam is far from the only Iranian-affiliated group that has exploited Israel’s cyber deficiencies. The Cyber Directorate noted in a recent report that over 15 groups associated with Iran, Hezbollah, and Hamas attacked Israel in cyberspace since October 7th. 

“To Smotrich, Minister of Finance: Are you ready to pay the price?,” asks Iranian-linked hackers from the newly formed group “CyberToufan.” Since October 7th, the group has tried to weaken Israel’s economy by sharing twice a day large data dumps, hacked from nearly 100 organizations, including government services such as the Israel Innovation Authority, and sensitive cyber security firms which were reviewed by Shomrim. Each set of data usually contains thousands of names, phone numbers, emails, addresses, and passwords belonging to Israeli citizens. The hackers then often proceed to directly threaten the individuals present in the leaks by sending them messages, via emails obtained in the leaks, calling them to “boycott Israeli cyber and tech.” 

The Cyber Directorate’s spokesperson acknowledges that some of these leaks took place, indicating that they originated from a single hack of the website hosting company Signature-IT, and mentioned that no credit card information was stored on the platform’s servers. However, cyber security researcher Kevin Beaumont, who has closely tracked this group of hackers, demonstrates that some of Cyber-Toofan's victims are not customers of Signature-IT, revealing that the group’s reach extends beyond the website hosting firm. In addition, a third of the targeted organizations have yet to recover, with some having seen their data wiped from their internal systems. Again, these leaks stem, in part, from a lack of preparation for Israel’s cyber defense, notes Beaumont in an interview: “Companies in Israel need to ask themselves and their suppliers if they are set up, cybersecurity wise, to be able to handle adversaries in a time of war. In the case of Cyber Toufan, it looks like the suppliers involved were simply not equipped to deal with the level of threat.” 

Iranian-backed hacker groups seem to be well aware of Israel’s cyber flaws, as well as the country’s political fault lines. Take for instance KarmaGroup, a group posing as a left-wing Israeli group, relying on malware, nicknamed “Bibi-Wiper” and compiled on Netanyahu's birthday, October 21st, to cause data destruction and release leaks of Israeli organizations; including against a data-hosting firm and defense contractors.“#no2Bibi #no2CrimeMinister,”they write, before releasing leaked information, trying to deepen social rifts by portraying itself as an Israeli left-wing organization while conducting cyber operations. The group attacked private sector firms as a way to get a foothold in government services, explains an Israeli cyber-security expert: “KarmaGroup, which is linked to Iranian military intelligence, targeted and leaked information from various Israeli institutions, including Octopus Computer Solutions and other private sector firms. Most likely the reason to target such companies is their connection to big companies and governmental agencies. Hackers are aiming for these firms 'on the periphery' to obtain information, as state agencies can exert less control over private firms.”

In addition, additional groups seek to gain publicity by exploiting the current international focus on the war against Hamas and sharing a mix of old and newly acquired databases belonging to Israelis. As noted by the Cyber Directorate spokesperson, “since the outbreak of the war, there has been an increase on the Darkweb and social networks of mention of leaks of various types. It is important to note that some of the leaked files published at the beginning of the war are from old or recycled events.” Nevertheless, leaks dating even from prior to the war may contain information that remains up to date and a source of threats for Israelis. 

Iranian President Raisi visiting Russian President Putin in Moscow. The same methods. Photo: Reuters
These risks have been particularly exemplified in the war in Ukraine, with Russian hackers using leaked data to sow mistrust and place citizens at risk.

Cyber Leaks and Real-World Risks: Threats to Israeli Citizens in the Current War

Beyond exposing vulnerabilities in Israel’s cyber defense, and undermining the country’s image as an invulnerable cyber power, these leaks pose multiple potential threats to Israeli citizens in the context of the war. These risks have been particularly exemplified in the war in Ukraine, with Russian hackers using leaked data to sow mistrust and place citizens at risk. As summarized by Aleksandar Milenkoski, Senior Threat Researcher at cyber security firm SentinelLabs, “data breaches create opportunities for espionage, disruption, or financially motivated operations with potentially severe consequences, ranging from large-scale supply-chain attacks and targeted phishing campaigns to intrusions into private networks and the misappropriation of financial resources.”

For instance, at the start of November 2023, Tsahal exposed fake profiles on social media, working on behalf of Hamas, and trying to enter in contact with soldiers to extract sensitive information. These avatars can exploit the personal information found in the leaks to appear more convincing and lure their targets into sharing information. The leaks also represent an entry-point for convincing phishing attempts, with hackers sending emails calling individuals to click on a malicious link, leading to further data breaches. 

The risks are also particularly high with the medical data found in some of the leaks. These leaks not only violate patients’ privacy and expose some of the type of injuries suffered by Israeli troops but also expose them to life-threatening scenarios, with hackers modifying health records after having gained access to a hospital record. An Israeli official underlines that, such leaks “can allow hackers to change blood type in the system, this can harm human life” A wounded soldier, promptly evacuated from Gaza or the Northern front to a hospital, may be exposed to faulty treatments, with fatal and irreversible consequences, if doctors rely on partial or incorrect data following cyberattacks and leaks similar to ones currently taking place in Israel. It is not difficult to imagine how deficiencies in cyberspace and lack of attention paid to prior warnings quickly spill onto the battlefield. 

This is a summary of shomrim's story published in Hebrew.
To read the full story click here.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

Text link

Bold text

Emphasis

Superscript

Subscript