Israel Marks Jerusalem Day This Weekend. Here's What Iran Is Planning

While the threat of a Palestinian hacking attack has waned in recent years, the possibility of an Iranian attack for Al-Quds Day has gained steam – but experts warn that the real threat is all year round

Iranian youngsters marking Al-Quds Day in Tehran. OpJerusalem has also become an annual event for hackers from Iran or those affiliated with Iran. Credit: AP
Omer Benjakob

Israel is bracing for a wave of Iranian-inspired cyberattacks that will try to disrupt the Israeli internet and deface local websites on Jerusalem Day, Israel’s cyber authority said Wednesday.

Al-Quds Day (Al-Quds is Arabic for Jerusalem) was declared by the leader of Iran’s 1979 Islamic revolution, Ayatollah Ruhollah Khomeini. It’s held on the last Friday of the Muslim fasting month of Ramadan.

This year, the day – which usually sees anti-Israel protests in Tehran and parts of the Arab world – falls on May 22. Israel also marks its own Jerusalem Day, commemorating the unification of the city during the 1967 Six-Day War. This year it falls on May 10. 

In a statement, the Israel National Cyber Directorate said that ahead of both dates it “anticipates attempts by anti-Israeli forces to launch a coordinated cyberoperation against Israel.”

Hackers have termed the offensive OpJerusalem; the Israeli authorities say it’s part of Iran’s Al-Quds Day.

The cyber authority said the main offensive, expected on May 7, will see attempts to “push out propaganda through the defacement of websites … and attempts to cause damage to Israeli information and data systems.” The directorate added that messages could be sent to cellphones and include either disinformation or links to nefarious programs. 

The authority urged caution and called on Israelis and Israeli businesses to make sure they adhere to cybersecurity regulations for their systems. The authority provided patches for companies with remote workers – considered a vulnerability – and even a hotline for consulting with experts. 

“It is worth recalling that last year, thousands of Israeli websites were defaced by an attack on a website-hosting site” that provided services to local websites in Hebrew and thus allowed the attackers indirect access through a so-called backdoor, the authority said. 

Echo chamber

Before OpJerusalem, the main massive coordinated attack on Israel was one called OpIsrael, which still takes place. 

“For the past eight years you’ve had this trend of coordinated hacking attacks on Israel on specific dates,” says Dana Segev Moyal, a cybersecurity expert who has researched Iran and cyberattacks on Israel. “OpIsrael takes place on April 7, and for two years now OpJerusalem is taking place on May 7.”

An OpIsrael cyberattack on an Israeli website back in 2013.

A solid majority of these incursions are defacements. “It’s a form of vandalism,” she says. “You enter a website and instead of seeing its regular homepage you see some scary text and image the hackers create – sometimes there’s also threatening music.”

Other attacks will try to make a website crash by bombarding it with traffic and queries. But, Segev Moyal notes, while “there are always also attempts at more serious attacks, these are usually not very advanced and fail to cause any real damage.” 

Etay Maor, senior director of security strategy at Cato Networks, a cybersecurity firm, offers an alternative take on the operation. He says that though “simplistic,” such coordinated attacks can cause real harm.

“Many of the recent attacks exploited vulnerabilities in cybersecurity products; to make things worse, the tools and techniques used can be easily found online, meaning even relatively low-level attackers now have access to sophisticated attack methods,” he says. “While some of the campaigns against Israeli websites have been focused on simple defacement and destruction of web pages, nation-state actors and sophisticated threat actors may use the noise they create to hide their more-sophisticated attacks.”

Other observers, however, note that the OpIsrael threat has waned in recent years and that OpJerusalem has failed to damage Israel substantially. For example, this year’s OpIsrael saw a few websites harassed but nothing more.

“The anti-Israel cyberoperation known as OpJerusalem is organized by groups of hackers from around the world, including from North Africa, Turkey, the Middle East and South Asia,” the cybersecurity firm Check Point Software told Haaretz.

“While in the beginning the attacks created a media echo and even caused damage mainly to small businesses, over the years the operation has weakened, mainly due to its limited successes that did not reap the attackers significant achievements,” a representative for the company said. 

“One indicator that this operation has been losing momentum is the decreasing volume of activity on social networks and other communication channels associated with the hackers.”

Experts note that while the differently themed operations have received a lot of media attention, the real threats are constant. “Anti-Israeli cyberattacks are no longer limited to specific dates or a worldwide coordinated effort. The Israeli private sector is targeted by this kind of attack all the time,” Check Point said.

“Attacks like Pay2Key and BlackShadow (aka Shirbit) proved that they can cause significant damage and even monetize attacks when they control the ‘when, where and how’ aspects of the attack. Of course, these attacks aren’t officially linked to OpJerusalem or OpIsrael activities, but without a doubt, anti-Israel cyberactivity is no longer limited to one day a year.”

Segev Moyal adds, “Obviously, if you’re an Israeli website or business that’s targeted and whose site crashes, this can be a problem and you have to take precautions. But we have to take things in perspective.

“More than real damage to the Israeli economy, these attacks have a psychological effect. The cyber authority only strengthens this; it creates a lot of fear regardless of the actual threat.”

Iranian cyber, not Iran

A Turkish think tank focusing on Iran published a report this week attempting to map and detail Iranian state cyber capabilities. The report, by the Center for Iranian Studies in Ankara, said Iran “has shown remarkable progress on the issues of cybersecurity and operational cyber capabilities after it strengthened its national cyberinfrastructure and information technologies.”

According to the report, the 2010 Stuxnet attack attributed to Israel and the United States “led Iran to lean towards offensive cyber operations.

“As a result … the cyber policies of Iran were distinctively shaped in the context of the cyber espionage operations. The advanced cyber actors and the Iranian hacking groups supported by various government agencies have been the main actors of the cyberattacks considered to be of Iranian origin.”

Over the past year, Iranian hackers have been linked to a string of purportedly financially motivated attacks on Israeli targets, including by groups affiliated with the Revolutionary Guards. 

As well as the Pay2Key and BlackShadow attacks, only a few weeks ago Iranian hackers – dubbed BadBlood – were implicated in an attack on Israeli and American health researchers in what cyber experts said was probably an espionage campaign.

The recent BadBlood attack on Israeli and American health researchers. Credit: ProofPoint

But it’s far from certain that the people behind OpJerusalem are official Iranian hackers; they might simply be hackers from Iran, or “script kiddies” – amateurs carrying out extremely simple attacks.  

For example, during one of the first Al-Quds Day attacks in March 2019, an attempted incursion involving the installation of malicious software on Israeli computers backfired due to a coding error. Some Israeli websites were infected – and thus showed an ominous warning from the hackers – but the code failed to distribute itself and affect anyone using the website.

Experts say professional state cyberwarriors don’t make such mistakes.

“The bottom line is that these simple attacks like defacement end up getting a lot of media attention and create a bigger public panic even though they cause relatively limited damage,” Segev Moyal says.

“On the other hand, when you attack a country’s critical infrastructure, it’s usually kept quiet and then the public doesn’t understand how big the real problem is.”

An industry source who works with the Israeli government and requested anonymity adds: “Alerts and awareness are vital to minimize the potential that there will be victims. That said, specific occasions are less relevant in the current cyberoffensive landscape. Hackers aren’t really looking to link attacks to dates, and they come up with ideological reasoning whenever they succeed.”
