#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs
Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites
Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database
The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West.
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.

Attacker Types

Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.

Moxer Cyber Team event page
Moxer Cyber Team event page

The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.

Results (Interim Summary)

#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.