Caught in the Crossfire : How International Relationships Generate Cyber Threats

Published On : 2024-02-07
Share :
Caught in the Crossfire : How International Relationships Generate Cyber Threats

EXECUTIVE SUMMARY

In times of conflict, there are consequences of being an ally or an enemy of warring nations, either geopolitically, or in the cyber realm. Analyzing the Russia-Ukraine war and the Israel-Gaza conflict, it’s evident that hacktivists now play a significant role, launching attacks using custom-made DDoS tools, defacing websites, and mentoring others in how to disrupt organizations. This behavior arguably goes beyond the attacks themselves, involving a quasi-recruitment process, akin to a sleeper cell, where individuals are trained to act when needed. This dual strategy of cyber and ideological warfare poses huge challenges for governments and private organizations during times of escalating global tension.

INTRODUCTION

The surge in DDoS attacks and other hacking activities extends beyond the Israel-Gaza war. In the past, hacktivists from Russia (such as NoName057(16) and Killnet) and ransomware gangs supporting pro-Russian causes have engaged in damaging actions against countries opposing their stance.
In the ongoing Israel-Palestine conflict, much is happening in the physical world and online. Previous reports have focused on the geopolitical and cyber aspects of the conflict, whereas this report explores the cybercriminal community in greater depth, including advanced persistent threats, hacktivists, and ‘script kiddies’ who are destroying servers, leaking sensitive information, defacing websites, and launching DDOS attacks. We’ve identified many in-house tools created by hackers and shared on platforms like Telegram and GitHub, and tutorials on how to launch cyber-attacks to contribute to the ongoing war.

ASSESSMENT

Hackers Supporting Palestine
Hackers from Pakistan, Palestine, Turkey, Bangladesh, Iran, and Yemen target nations who are not only directly involved, but their supporters, too.

This Anonymous Collective message from Telegram calls for continued attacks against Israel and its supporters.

Whilst there are a large number of hacktivist groups supporting Palestine, there appears to be far fewer groups opposing Palestine.

Pro-Palestinian hacktivist groups have hacked billboards and displayed messages against Israel in Croatia and the West Indies.

Against India
Groups like LulzSec Muslim and SystemadminBD are carrying out significant cyber-attacks against India as part of a wider pro-Palestine campaign. Recently, LulzSec Muslim gained access to the database and server of an Indian engineering college:

SystemadminBD, a group based in Bangladesh with a history of targeting Indian organizations, has recently attacked the Indian government by claiming to leak a database, stating that their actions were in retaliation to cyber-attacks from Indian hacktivists against the cyberspace of Palestine.

Additionally, we’ve observed instances of misinformation being spread by users in underground forums and Telegram groups, claiming to have breached or leaked data, but ultimately their claims didn’t stand up to scrutiny: for example, the assertion below, which our investigation debunked by revealing that the data in question had already been officially uploaded on the Goa government’s official website some time ago.

The Anonymous Collective initiated an attack on the Indian Post website, rending it inaccessible for four consecutive days and causing difficulties for many users.

The Kromsec hacker group conducted a DDoS (Distributed Denial of Service) attack, and leaked data from the Central Bank of India and the India Crime Research Agency:

Upon investigating the data leaked by KromSec on ICRA, we ascertained that none of the data was confidential in nature, simply containing data from their web server to host the website. This is another example of how hacktivists tend to overemphasize their impact on the cyber threat landscape globally.

Against Saudi Arabia
Several hacktivist groups are targeting multiple sectors within Saudi Arabia, for example, ‘Anon Black Flag’ which were found targeting education websites.

Against USA
The USA is a prominent target, with multiple websites defaced in response to the nation’s support of Israel.

Website defacements are not a new occurrence, as this post from 2017 can attest. In this case, the Turkish-based group; ‘Turkhackteam’, targeted Mossad and websites associated with the USA, as part of a Free Palestine campaign.

Turkhackteam was established in 2002 by Arsenik and is one of the oldest hacking forums in Turkey, first gaining recognition by hacking a Microsoft MSN web portal subdomain and engaging in other high-profile activities.

Kromsec successfully hacked and breached the data of AC-ISSA (Information Systems Security Association) North Alabama Chapter, claiming the attack on Beach forum. The compromised information includes email addresses, names, phone numbers, locations, and other related data.

Since mid-October, there have been over 100 cyber-attacks on the United States. US defense officials report that more than 100 drones and missiles have been launched against vessels, targeting Israeli interests. In contrast to these kinetic events, a user on a Breach Forum leaked a database associated with Bank of America, purportedly as a response to the American stance on the Red Sea conflict.

Cyber Av3ngers affiliated to Iran’s Islamic Revolutionary Guard Corps (IRGC) announced their intention to target any equipment made in Israel, and have attacked water systems in the United States, made by Unitronics, headquartered in Israel.

Against Egypt
Hacktivists have turned their attention to the Egyptian government for slowing down humanitarian aid to Palestinian refugees. In retaliation, the Anonymous Collective group executed a DDoS attack against the Cairo official website and the government income tax department, collecting a database of 109 million records containing sensitive data.

Against Bahrain
The US and the UK, along with other countries, conducted joint strikes on Houthi targets in Yemen. The strikes aimed to weaken the Iran-backed militia that has been targeting international ships in the Red Sea in response to the Israel-Hamas conflict. Bahrain’s silence on the matter has irked hacktivists.

Hackers Supporting Israel
The hacktivist group Glorysec issued a warning, indirectly stating that countries supporting Hamas and other terrorist groups in Palestine will be heavily targeted.

Hackers from India have also joined the fray, engaging in DDoS attacks and defacing websites of countries supporting Palestine in the conflict. Below is an image depicting an Indian group attacking a Pakistani website for backing Palestine.

Training and Tool Sharing
CYFIRMA researchers obtained covert access to a meeting organized by hacktivist group; SystemadminBD, addressing queries from its users, such as how to search for and exploit vulnerabilities.

The team has also observed numerous in-house tools and DDoS software (both free and paid) created by hacktivists. These tools are shared on platforms like Telegram and GitHub, and they come in both command-line versions and versions compatible with Termux on Android devices. Since Termux is easily installable on any Android phone, and with step-by-step instructions provided, it enables users to participate in disruptive activities, causing slowdowns or disruptions to organizations.

While using an asset’s exposure tool and by conducting specific queries, it’s evident that hacktivist groups have launched cyber-attacks on numerous countries in support of – or in the guise of supporting – the Palestine conflict. It’s noteworthy that multiple sources are available to track websites defacement, providing a glimpse into the global cyber vandalism of websites around the world.

Body= ”hacked” && body=”savepalestine”

Recent Heat
A campaign called “India Out” has come into force and is supported by opposition parties and some civilians within Bangladesh. They claim that the Indian government interfered in Bangladesh’s recent election, where Prime Minister Sheikh Hasina’s Awami League won a fourth term. The opposition party boycotted the polls, and now the hashtag #IndiaOut is trending, with hackers from Bangladesh and similar groups preparing to launch attacks against India as a response.

SystemadminBD and other hacktivist groups like Sylhet Gang-SG are actively preparing attacks against Indian targets, indeed SystemadminBD have recently leaked data from private organizations, and provide free access to Indian government portals as part of their campaign.

The admin credentials for the Town & Country Planning Department of the Himanchal Government are provided freely on SystemadminBD Telegram channel.

In a recent conversation with an alleged spokesperson of the hacktivist network; Sylhet Gang, we inquired about their views on India:

Sylhet Gang-SG Spokesperson: “the Indians are showing aggression along the Bangladeshi border, so our other admin moderators held a meeting, and we are waging a war against India now.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

  • In recent conversations with multiple hacktivist groups:
    • They claim to support Palestine and use hacktivism as a means to raise awareness.
    • They operate with the support of more than 30 teams and keep their skills and tools private.
    • The spokesperson claimed that they have targeted countries like the UK, South Korea, India, and Germany, striking in response to various causes.
    • The groups assert they do not monetize their operations and work for free, emphasizing a commitment to their cause.
    • When asked about Saudi Arabia’s stance on Israel, the spokesperson criticized the Saudi rulers as “hypocrites”. They declared that more attacks will come as long as the groups exist.
  • Anonymous Collective recently joined forces with Criminality Networks; a group that sells DDoS services. This collaboration aims to impact Israel and its allies in the cyber realm by unleashing powerful DDoS attacks.
  • A statement jointly issued by Australia, Bahrain, Canada, the Netherlands, the United Kingdom, and the United States about additional strikes against the Houthis in Yemen could potentially trigger more hacktivist activity.

    As observed in this report, these hacktivists, who support Yemen and Palestine, might be preparing further attacks, having already targeted the USA, Bahrain, and the UK.

  • With moderate confidence, we caution that they are likely to extend their efforts to disrupt upcoming events, such as the Paris Olympics in 2024. In doing so, they may attempt to DDOS or deface websites of hotels, food stores or ticketing websites and others to promote their motives and ongoing campaigns.

Below is a list of hacktivist groups known to be targeting Israel’s allies (please note that this is not an exhaustive list):

  • Riski haxor
  • Gaza children hackers group
  • Kromsec
  • Anonymous Arabic
  • 313 team
  • Turkhackteam
  • Esteem restoration eagle
  • Areaghostnet
  • ETHERSEC TEAM CYBER
  • Nusantara
  • GARUDA_CYBER_OPERATION
  • GHOST_[6669]_TEAM
  • C.E.S
  • GHOST_OF_PALESTINE
  • Anonymous_Global
  • Anonymous_Muslims
  • GBAnon17
  • Anon Black Flag
  • Fredens Of Security
  • Ganosec Team
  • Cyber Sederhana Team
  • Bandung Cyber Team
  • LEGION7_HACKERS_TEAM
  • Jakarta Ghost
  • Esteem Restoration Eagle
  • KETAPANG_GRAY_HAT
  • HIZBULLAH_CYB3R_TEAM
  • IXP666SECTEAM
  • FromLammerToMastah
  • SukowonoBlackHat
  • Jambi_Cyber_Team
  • TigerGroupCommunity
  • Union_Of_Greats
  • CIPINANG_BLACKHAT
  • KuninganExploiter
  • ZERO-XPLOITS-ID
  • 5UL4WES1_TENG4H_BL4CKHT
  • STATE_OF_SECURITY
  • TEAM_HEROX
  • IRoX_TEAM
  • Anonymous Africa

APT Groups

  • Cyber Av3ngers
  • Agrius/Agonizing Serpens/ DEV-0227

Attacking Palestine’s Allies

  • Garunops
  • Termux Israel
  • Israel Cyber Defense
  • Network nine
  • Team UCC
  • Team DarkCyber Warrior
  • Team BlackDragonsec
  • Team NWH Security
  • KERALA CYBER BLACK SQUAD
  • Kerala Cyber Xtractors
  • INDIAN CYBER SANATANI
  • Silent-one
  • IndianCyberForce
  • Hacktivist Vanguard

CONCLUSION

Whenever there are regional conflicts, we have seen hacker groups getting involved by attacking the websites of countries that oppose their agenda. For example, Indian hackers targeted countries like Bangladesh, Pakistan, and Turkey to support Israel, while hackers from Bangladesh, Pakistan, Turkey target the USA, UK, France, India, Bahrain, and other Israeli allies, providing training and tools to carry out attacks and reputational damage. Conflicts such as these highlight the importance of nations maintaining strong cybersecurity measures, especially if they have different geopolitical stances to those in their region.

Hacktivist attacks can lack sophistication, however, and don’t impact businesses unless a critical service in a major supply chain gets targeted for several days in a row, and defacement attacks are performed on websites of small businesses which lack basic cybersecurity hygiene. These attacks can be effective if carried out against entities like reservation websites or tracking consignment sites, for instance, we have observed a similar case regarding Indian post’s website, which was down for 3 days, resulting in widespread customer dissatisfaction.

RECOMMENDATIONS

Strategic Recommendations

  • Threat intelligence sharing: encourage regional and international threat intelligence sharing to improve awareness of ongoing threats. Collaborative efforts can help predict and mitigate attacks more effectively.
  • Diplomatic engagement: governments should engage in diplomatic discussions to de-escalate geopolitical tensions, reducing the motivation for hacktivist activities at their source.
  • Public awareness campaigns: launch public awareness campaigns to educate citizens about cyber threats, including phishing and disinformation. An informed public is less susceptible to hacktivist propaganda.
  • International norms and agreements: advocate for international agreements and norms regarding cyber warfare. Establishing clear rules of engagement in cyberspace can deter hacktivist groups.

Management Recommendations

  • Cybersecurity training: invest in training and awareness programs for employees and government officials. A well-informed workforce is a critical defense against social engineering attacks.
  • Resource allocation: allocate resources for enhancing critical infrastructure security. Ensure that budgetary support is provided for cybersecurity measures that protect essential services.
  • Regular drills and exercises: conduct regular cybersecurity drills and exercises to test incident response plans and identify areas for improvement.
  • Collaborative partnerships: foster partnerships with cybersecurity firms and organizations that can provide threat intelligence, incident response support, and security expertise.

Tactical Recommendations

  • Enhance DDoS mitigation: given the prevalence of DDoS attacks in this cyber conflict, organizations and governments should invest in robust DDoS mitigation technologies and strategies. Employing real-time traffic analysis and traffic scrubbing can help minimize service disruptions.
  • Regular vulnerability scanning: continuous vulnerability scanning of critical infrastructure is crucial. Identifying and addressing vulnerabilities promptly reduces the risk of exploitation by hacktivist groups.
  • Multi-factor authentication (MFA): implement MFA for all privileged accounts and critical systems, including RDPs and VNCs. This adds an extra layer of protection against unauthorized access.
  • Incident response planning: develop and regularly update an incident response plan. Ensure that security teams are well-prepared to respond to cyber incidents swiftly and effectively.