Government Offices Hacked, Private Data Leaked—But Israeli Citizens Are Kept in the Dark

Since October 7, Israel – a cybersecurity superpower – has struggled to deal with a constant barrage of cyberattacks. Massive quantities of data have been stolen from government ministries yet, absurdly, the same citizens whose private information has been leaked to the dark web have no idea what’s going on – because of the overzealous use of court-issued gag orders. How a legal tool designed to protect citizens is being used to safeguard the reputation of Israeli ministries. A Shomrim report.

Milan Czerny

in collaboration with

January 30, 2025

Summary

A few weeks ago, a group of hackers claiming to be affiliated with Hezbollah published a video in which they announced their latest success. The video showed footage of Hezbollah terrorists firing missiles at northern Israel, followed by a close-up shot of a government ministry in Jerusalem – one which stores detailed information about every Israeli citizen. In the video, the hackers announced that they had gained access to a database containing sensitive information about thousands of Israelis and that they had disseminated this information on the group’s Telegram channel.

The cyberattack on that government office was just the most recent in a series of such attacks against Israel since the outbreak of the war on October 7. In April, there were reports of a massive cyberattack against the Ministry of Justice and in September the Ministry of Defence was the target. In addition, hacker groups have obtained classified documents from the Ministry of Economy and Industry, the Bank of Israel, the Tel Aviv Stock Exchange, various municipalities, government hospitals and several other institutions with direct links to government ministries. All of these cyberattacks led to massive quantities of private documents being made public. A year ago, Shomrim revealed that, during the first weeks of the war, cyberterrorists linked to Iran, Hezbollah and Hamas also took Israel by surprise and attacked sensitive civilian and military databases, including soldiers’ medical files. Since then, the attacks have only intensified. The only difference is that they are now happening far from the public eye.

Why? For the same reason that we are not naming here the ministry mentioned at the beginning of the article or detailing the types of information that were leaked from it and from other entities. The reason is a legal practice that has become increasingly commonplace these days: gag orders preventing the media from publishing details about many of these attacks – or even from mentioning that they happened at all. In only a handful of cases have media outlets been allowed to report that there was a cyberattack, after authorities released a very partial description of the data leaked. Even then, it only happens if the cyberattack is hard to hide from the public – as was the case on Sunday, when the panic-button system operated by a company called Maagar-Tec was allegedly hacked into by a group from Iran. They set off missile alerts and played messages in Arabic and pro-terror songs in around 20 kindergartens and schools across the country.

The same Iranian group, according to reports, claimed that it had also hacked into the National Security Ministry’s computer system and stolen information about thousands of police officers. In most of the cases, however, these cyberattacks do not come to light and the Israeli public remains blissfully unaware that their details have been published on various dark web forums and on hackers’ Telegram channels.

This has led to the absurd reality that thousands of Israelis—whose personal information has been leaked online and is easily accessible not only to terrorist cells in the Middle East but to anyone who searches—remain unaware that they have fallen victim to a cyberattack. The court-issued gag orders not only prevent them from knowing about the hack and subsequently demanding that the authorities be held to account, but to a large extent they also protect the ministries that were hacked from the public criticism that they richly deserve. A side effect of the gag orders is that hiding the incident from the public could also lead to a cover-up; a failure that no one is aware of will not be handled properly and authorities will not be forced to ensure that there is no repetition in the future.

Indeed, several individuals within the field of cybersecurity admitted, in conversations with Shomrim, that they were not familiar with details of the most recent attack, on the unnamed government ministry described at the beginning of the article, which testifies to the importance that officials from the relevant ministry place on controlling information about the data-security failure that occurred under their watch. Unfortunately, they did not exercise the same level of caution with the sensitive information about Israeli citizens they were entrusted with. 

As part of the investigation into the October 7 failings, the State Comptroller's Office is currently working on a new report reviewing the country's preparedness for cyberattacks, its performance during the war, and the level of readiness of dozens of critical organizations in the economy for future attacks. However, the comptroller has already written about such failures in the public sector in the report he published in November. Among the findings of the scathing report, the comptroller found cybersecurity issues at the Israel Postal Authority and the Postal Bank; there were core deficiencies in the National Insurance Institute’s computer system; and deficiencies related to information security and computer systems at Rafael Advanced Defense Systems. The report also warned about “underreporting by government ministries regarding the main information and communication technology (ICT) risks they need to address,” as well as “significant gaps in the field of ICT risk management in the government.”

In at least one case that Shomrim is aware of, it seems that one government ministry bears direct responsibility for allowing the attack to happen by publishing one single page on its website that did not meet basic cybersecurity standards. The identity of that ministry and what details were leaked are under a gag order.

The bigger the hack, the bigger the gag

The dramatic rise in the number of cyberattacks since October 7 is also reflected in the annual report issued by the National Cyber Directorate, which found that 68 percent of the 13,000 cyberattacks against civilian targets in 2023 were carried out in the first three months after the outbreak of the war. According to the report, in that quarter, Israel thwarted or halted around 800 cyber incidents with the potential to cause great harm to the state. An indication of what happened in 2024 can be found in a report from Microsoft, which found that, since the start of the conflict in the Gaza Strip, Iran intensified its cyberattacks against Israel. Between October 7, 2023, and July 2024, almost half of the Iranian cyber activity that Microsoft identified was directed at Israeli companies. Before the war, just 10 percent of Iranian cyberattacks were aimed at Israel.

In some cases, partial details of the attacks against Israeli ministries have been published – often following a legal struggle. This was the case, for example, when personal details of civil servants were hacked from a government database and reached potentially hostile elements. In other cases, Israelis only find out about leaked information and cyberattacks from reports in the foreign media. In July, for example, the Guardian published several reports into cyberattacks against the Ministry of Justice – attacks that were afforded only laconic reports in the Israeli media. Having said that, reports about exactly what personal details have been leaked are mainly of interest to Israeli civilians, and the foreign media is not reporting on that.

Journalists and the general public have extremely limited resources when it comes to fighting the widespread use of gag orders, says Elad Mann, the legal adviser for Hatzlaha (The Movement for the Promotion of a Fair Society), which has been involved in the battle to overturn one such gag order. “There have not been many cases when someone has challenged these orders,” he explains. “First of all, not many people are even aware that they exist. Secondly, the media outlets do not have the financial and human resources, or the bandwidth, to address it. You need legal representation, which itself is not cheap, and there is no guarantee of success.”

Yigal Unna, who served as Director General of the National Cyber Directorate between 2018 and 2022, notes that the widespread use of gag orders is a new practice. During his tenure, he says, “I was not very keen on gag orders because they only attract more attention and more noise.” On the public level, and given the difficulty of challenging gag orders, Unna believes that they should be used only in cases where there is a real and immediate threat to national security. Otherwise, he says, “it’s manipulative.” Attorney Mann points out that for government ministries “limiting freedom of information does not have reputational consequences. They present it as a necessary measure for safeguarding national security and foreign relations.”

Ari Ben Am, an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, adds that issuing a gag order in cases of cyberattacks is not only anti-democratic, but also harms technological efforts to protect against similar attacks in the future. “Gag orders prevent the publication of studies into a certain cyberattack by third parties. If these studies are not published, then we are not getting information about potential threats or about the tactics, techniques, and practices of the hackers – which means that other organizations in Israel will not be able to improve their cybersecurity measures accordingly.”

A good reason for a gag

Amit Ashkenazi is the former legal advisor for the National Cyber Directorate, which operated under the auspices of the Prime Minister’s Office. Like Unna, he has a wealth of experience in Israeli cybersecurity, and he confirms that, during his time at the NCD, gag orders were only used very occasionally. He explains this by saying that, on occasion, gag orders are potentially valuable and even vital in order to counter the negative impact of the leaked information.

One case in which they both agree that the use of a gag order was justified happened in 2021, when the Atraf dating application, which is popular with the LGBTQ+ community, was hacked. A group of hackers from Iran published the personal information of more than 500,000 registered users of the app, including people who were not out of the closet. According to Unna and Ashkenazi, a sweeping gag order was necessary to prevent the media from publishing details about the cyberattack and to stop the hackers from realizing what they had stolen. However, a partial gag order was issued, and “only when the Israeli media started to report about a cyberattack against Atraf, the hacker understood that they had stumbled on a treasure. Afterwards they started to leak it and take advantage of the information, causing a lot of suffering to the LGBTQ+ community in Israel,” says Unna.

One of the goals of gag orders on cyberattacks, says Sarit Karni, the head of the cyber division at the State Comptroller’s Office, is “to protect the public from information about it that has been leaked and to deny the hackers the ability to abuse the information they obtained or to conceal the threat vector until immediate measures can be taken to close it.”

It should be noted that a gag order gives authorities the power to close social media platforms or internet sites on which the hacked data is published. At the same time, cybersecurity experts point out that even if hackers discover that one of their access points has been blocked, they usually disseminate the information quickly through other channels. “The people who use technology for good are in a constant battle with those that use it for bad,” says Unna. “Sometimes you lose the race – but most of the time we win.”

How do most of these attacks happen? In most cases, according to Karni, it’s down to human error. “It’s always a combination of people, processes and technology,” she says. “At the same time, how deep the attack goes and the extent of the damage it causes depend on the level of cybersecurity employed and the ability of organizations to identify attempted attacks.”

Karni finds solace in the fact that, following the massive increase in the number of attacks, “cyber threats are now recognized as one of the most serious strategic threats that Israel is facing – alongside things like earthquakes or fires. Therefore, awareness of and investment in the issue have increased significantly.”

The increase in the use of gag orders, however, is not necessarily for reasons that serve the best interests of the Israeli public. Rather, they reflect the authorities’ desire to conceal or downplay the many cybersecurity breaches that have happened with alarming regularity since October 7. In the end, the public that is being kept in the dark is also the victim of these repeated failings.

This is a summary of Shomrim's story published in Hebrew.