'Operation Quicksand': Iran-linked Hackers Target Israel in 'New Cyberwar Phase'

Israeli cyber security firms say hacker team who in the past worked with Iran’s Revolutionary Guards led a new campaign against Israeli targets called ‘Operation Quicksand’

Omer Benjakob
Omer Benjakob
Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
Illustrative image of a man typing on a laptop as cyber code is projected onto him.
Illustrative image of a man typing on a laptop as cyber code is projected onto him.Credit: Kacper Pempel / Reuters
Omer Benjakob
Omer Benjakob

Two Israeli cybersecurity firms said Thursday that they thwarted a large-scale, Iranian-linked hacker operation in September called Operation Quicksand, which targeted “prominent Israeli organizations.”

The alleged attack would seem to indicate a “new phase” in Iranian attacks against Israel, the firms said, adding that the tools used have previously been reserved for criminal operations – as opposed to destructive offensive cyberattacks by state actors like Iran.

Haaretz Podcast: Why is Israel arming Azerbaijan against Armenia? Listen to Yossi Melman

-- : --

The claims were made in a report by cyberfirms Profero and ClearSky. Two independent experts who read the report confirmed that its findings are in line with what is known about Iranian-linked hacking operations. They said the incident may well be the latest in the covert cyberwar between Israel and the Islamic Republic.

Both requested anonymity due to their ties to Israel’s defense establishment. 

According to the report, a group of hackers was discovered to have sent malware to Israeli organizations last month. The hacker group, called MuddyWater, was previously exposed as a contractor for the Iranian Revolutionary Guard Corps, they wrote.

The Israel National Cyber Directorate refused to address the attackers’ identity, but told Haaretz that the information revealed in the report “is known to us, and we’ve published a number of warnings about them in September.”

These warnings, they said, included cues that are unique to the attackers, which could allow potential victims to identify attempts on their systems. 

What made the attack suspicious, Profero head Omri Segev Moyal told Haaretz, was that it appeared to function like a criminally driven ransom attack, but “the main goal was not to actually steal data but rather, to cause damage in Israeli targets.”

Data theft is often the key to ransom attacks, but in this case “the hackers wanted to cause damage and they only disguised it as ransomware,” Segev Moyal said. 

According to Fraunhofer FKIE, a German research institute that maintains a database of known hacker teams, MuddyWater (aka Static Kitten) has been known to focus almost exclusively on espionage and state-level attacks.  

Though it is almost impossible to verify the identity of those behind MuddyWater and the alleged operation, the cybersecurity firms said their techniques are very similar to those used in the past.

For example, over the summer, an attempted attack on a number of Middle Eastern and North African countries was reported using a very similar technique, likewise an attack on Israel’s water authority.

The Israeli report noted that some key technological aspects of the hack were identical to those used during the Shamoon cyberattack against Saudi Arabia’s Aramco in August 2012. That attack, attributed to Iran, was described at the time as the biggest hack in history.

This attack, the report said, tallies with the “toolset the Iranian threat actor possessed at the time.”

Meanwhile, Reuters reported last week that the Islamic Republic itself said it had been targeted by two large cyberattacks – one later revealed to be on its ports. As a result, access to the internet in Iran was partially cut off. No additional details are known. 

According to Reuters, since the start of the year, Israel has reported attempted cyberattacks on power stations and water utilities, with officials pointing the finger at Iran or Iranian-backed groups.

A fire at Iran’s Natanz nuclear facility three month ago prompted some Iranian officials to say it was the result of cybersabotage. Israeli Defense Minister Benny Gantz said at the time his country was not “necessarily” behind every mysterious incident in Iran.

Tensions in the cyberarena have run high between Israel and Iran since the so-called Stuxnet attack over a decade ago, which tried to halt the Iranian nuclear program by attacking the uranium enrichment facility at Natanz. Stuxnet was widely believed to have been jointly developed by the United States and Israel. 

According to the Israeli report’s authors, “The tension between Israel and Iran in the cyber domain might be an explanation” for the latest alleged attack by the Iranian group. They further speculate that “retaliation” for the assassination of Revolutionary Guards Quds Force Maj. Gen. Qassem Soleimani last January “is another possible explanation.”

Reuters contributed background to this report.

Click the alert icon to follow topics: