#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs
Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites
Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database
The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West.
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.

Qods Freedom Hacker Group – Possible Iranian Involvement in Cyber Activity against Israel

In late July and early August 2013, a Gaza-based hacker group named “Qods Freedom” launched a cyber-operation against Israeli websites. The attack comprised distributed denial-of-service (DDoS) attacks, website defacements and attempted bank account breaches.

"Qods Freedom" Facebook page
“Qods Freedom” Facebook page

The DDoS-affected sites were Israel Railways, El Al (Israel’s national airline) and a leading daily newspaper. The attacks were all effective, topping at about 3.2 Gb/sec, rendering the sites inaccessible for many hours.

Screenshot posted by the group showing El Al site down due to their attack
Screenshot posted by the group showing El Al site down due to their attack

The group defaced over 600 sites, most of them related to two hosting service providers (likely to have been compromised). The defacement messages suggest that the motivation for the attack was to commemorate “Quds Day” – the last Friday of Ramadan.The group did not attempt to conceal its actions. Quite the contrary – it has an official Facebook page and Imageshack account where it posted images purportedly depicting the breach of Israeli bank accounts.

The political affiliation of the groups seems very clear – hardcore Palestinian, anti-Israeli. This was also evident from pictures they posted on the defaced sites that included images of the Dome of the Rock, the Palestinian flag, footage of protesters skirmishing with IDF soldiers and a portrait of Hezbollah leader Hassan Nasrallah and a quote from his famous “Spider Web” speech, which he delivered in southern Lebanon in 2000 (where he predicted that Israel would break apart like spider webs in the slightest wind).

The group's defacement signature quoting Nasrallah with a typo
The group’s defacement signature quoting Nasrallah with a typo

After the attack subsided, SenseCy cyber intelligence analysts decided to take a closer look at the actions of this so-called Palestinian group. Gilad Zahavi, Director of Cyber Intelligence, recounted: “Something just didn’t add up. We were seeing many indications that this group was not what it portrayed itself to be, so we decided to dig deeper.”Using virtual entities (some of which have been in operation for some time, and are used to collect information on the vibrant hacking scene in Gaza), they started sniffing around on Palestinian forums and social media groups, but no-one seemed to know much about this group. With little else to do, the team looked again at the “signature” the group left after defacing one website. And there it was – a very uncharacteristic typo in the transcript of Nasrallah’s famous speech, one that no native Arab speaker would make. This raised suspicions that this group might not be Arab at all. A closer look at the font used to type the message confirmed that it originated from a Farsi-language keyboard.

Focusing on the Iranian connection, the team uncovered several other indications of the true origins of the group. For starters, “Quds Day” is mostly celebrated by the Iranian government and Hezbollah, not by Palestinian Sunnis. Secondly, the only references to these attacks (anywhere in the Muslim world) have come from the Iranian media. Two additional Iranian groups, “Iranian Data Coders” and Persian Flag Guards” use the same defacement signature, indicating at least some affiliation to Iranian cyber groups. The last telltale sign was that Iranian hacker groups often choose to masquerade as Arab hackers, choosing Arabic instead of Farsi names. A notable example is the “Izz ad-Din al-Qassam Cyber Fighters”, perceived to be linked to the Palestinian Hamas organization, but in fact operated by the Iranian regime.

So there you have it – an Iranian group with high technical capabilities, masquerading as a Palestinian group and attacking Israeli sites. This scheme was uncovered not by fancy computer forensics, but by good old-fashioned intelligence work, built on linguistic and cultural expertise, combined with a deep understanding of the cyber domain and intimate knowledge of the Middle East hacking scene.