Sharp Increase in Cyberattacks on Israeli Websites Ahead of Ramadan
Ron Meyran, Director of Cyber Intelligence at Radware: New cyber entities join Islamist attackers, using previously unobserved attack vectors designed to make it difficult to identify and defend against, and the emergence of new actors
IsraelDefense
| 16/03/2024
Photo: imago/allOver-MEV via Reuters Connect
Radware's war room has seen a dramatic increase in cyberattacks on Israeli websites and companies starting in October 2023, coinciding with Hamas' attack on Israel. This increase has catapulted Israel to first place in the world among the countries under attack in 2023.
Just ahead of Ramadan (which began a few days ago), we have witnessed another wave of cyberattacks by existing and new threat actors. Similar to previous cyber aggressions such as cyberattacks by pro-Russian threat actors on critical sites and infrastructure in Ukraine, it is important to monitor and learn the techniques and methods of the attackers. We estimate that soon we will see an expansion of the use of these techniques to other arenas around the world.
Monitoring the attackers' Telegram channels reveals the motivation (or concerns) of pro-Palestinian attackers about the IDF's entry into Rafah. For example, the leader of the LulzSec Indonesia threat actor wrote that he is “Hereby threatening you for my brotherhood in Palestine, if you dare attack Rahaf in the holy months of Ramadan.” Other religious threat actors echo this message.
Classification of attackers
We have observed dozens of threat actors, most of them religious, who have joined forces in the current wave of attacks:
- Professional threat actors such as Anonymous Sudan, Mysterious Team Bangladesh, and Moroccan Black Cyber Army, which use complex and sophisticated attack vectors.
- New threat actors that have not been observed before, which maintain ambiguity and do not take responsibility for making it difficult to locate their source. It can be assumed that these are state-sponsored actors that carry out the attacks in retaliation against Israel as part of the cyber war between Israel and Iran, in which pro-Russian attackers were also observed. In some of the attack campaigns, we assess that these were "tool checks" to examine the cyber defenses of the State of Israel and its financial systems.
- It should be noted that quite a few of the attackers are amateurs who use attack tools that they find throughout the web (we call them script kiddies) and will therefore choose unprotected commercial or government websites. Their attack vectors are easy to identify and defend against.
New attack vectors
There is a clear increase in the use of sophisticated attack vectors designed to make it difficult to identify and defend against them. In many cyber incidents, we have witnessed the use of complex attacks that include several attack vectors simultaneously over a period that can last from several hours to several days with several high points during the event:
- Web DDoS Tsunami attacks – in which attackers imitate encrypted requests of legitimate users. We observed attack rates of up to 3.2M RPS (RPS–Requests Per Second). Sites are typically designed to process hundreds to several thousand requests per second. For example, a rate of one million requests per second is similar to the case where every user in Israel tries to log in more than 6 times every minute.
- DNS attacks on Internet infrastructure. These attacks are intended to prevent DNS servers (name translation servers) from providing information and links to the attacked websites. A user who wants to access the site will not be able to find it online.
- Burst attacks – These attacks are characterized by powerful bursts of several simultaneous attack vectors that last a short time (a few tens of seconds to a few minutes). The attackers repeat these attacks over and over again, knowing that each such burst disrupts the site's activity and it takes time to return to full operation.
- We also continue to see traditional attack vectors that load websites until there is no effective bandwidth left for legitimate users. We observed attack volumes reaching up to 100 gigabits per second.
Main attacks
Attacks with a high level of sophistication by the professional and new attack bodies were directed against:
- Government websites: government ministries, authorities, and media networks.
- Communications and financial infrastructures: communications companies, banks, and the largest insurance companies in the economy.
Most sites have experienced repeated attacks over the past few days.
The following is an example of a complex attack on a finance company: The company's website was simultaneously attacked by a large number of attack vectors that included network attacks at speeds up to 100 gigabits per second, Web DDoS Tsunami attacks, and DNS attacks designed to prevent users from reaching the company's website.
Secondary attacks
Low-sophistication attacks have been observed on sites such as transportation, tourism, and private businesses. The attacks are random in the choice of targets and mainly include traditional attack vectors that generate network traffic loads on the attacked site.
Written by Ron Meyran, Director of Cyber Intelligence at Radware
Ron Meyran, Director of Cyber Intelligence at Radware: New cyber entities join Islamist attackers, using previously unobserved attack vectors designed to make it difficult to identify and defend against, and the emergence of new actors
Photo: imago/allOver-MEV via Reuters Connect
Radware's war room has seen a dramatic increase in cyberattacks on Israeli websites and companies starting in October 2023, coinciding with Hamas' attack on Israel. This increase has catapulted Israel to first place in the world among the countries under attack in 2023.
Just ahead of Ramadan (which began a few days ago), we have witnessed another wave of cyberattacks by existing and new threat actors. Similar to previous cyber aggressions such as cyberattacks by pro-Russian threat actors on critical sites and infrastructure in Ukraine, it is important to monitor and learn the techniques and methods of the attackers. We estimate that soon we will see an expansion of the use of these techniques to other arenas around the world.
Monitoring the attackers' Telegram channels reveals the motivation (or concerns) of pro-Palestinian attackers about the IDF's entry into Rafah. For example, the leader of the LulzSec Indonesia threat actor wrote that he is “Hereby threatening you for my brotherhood in Palestine, if you dare attack Rahaf in the holy months of Ramadan.” Other religious threat actors echo this message.
Classification of attackers
We have observed dozens of threat actors, most of them religious, who have joined forces in the current wave of attacks:
- Professional threat actors such as Anonymous Sudan, Mysterious Team Bangladesh, and Moroccan Black Cyber Army, which use complex and sophisticated attack vectors.
- New threat actors that have not been observed before, which maintain ambiguity and do not take responsibility for making it difficult to locate their source. It can be assumed that these are state-sponsored actors that carry out the attacks in retaliation against Israel as part of the cyber war between Israel and Iran, in which pro-Russian attackers were also observed. In some of the attack campaigns, we assess that these were "tool checks" to examine the cyber defenses of the State of Israel and its financial systems.
- It should be noted that quite a few of the attackers are amateurs who use attack tools that they find throughout the web (we call them script kiddies) and will therefore choose unprotected commercial or government websites. Their attack vectors are easy to identify and defend against.
New attack vectors
There is a clear increase in the use of sophisticated attack vectors designed to make it difficult to identify and defend against them. In many cyber incidents, we have witnessed the use of complex attacks that include several attack vectors simultaneously over a period that can last from several hours to several days with several high points during the event:
- Web DDoS Tsunami attacks – in which attackers imitate encrypted requests of legitimate users. We observed attack rates of up to 3.2M RPS (RPS–Requests Per Second). Sites are typically designed to process hundreds to several thousand requests per second. For example, a rate of one million requests per second is similar to the case where every user in Israel tries to log in more than 6 times every minute.
- DNS attacks on Internet infrastructure. These attacks are intended to prevent DNS servers (name translation servers) from providing information and links to the attacked websites. A user who wants to access the site will not be able to find it online.
- Burst attacks – These attacks are characterized by powerful bursts of several simultaneous attack vectors that last a short time (a few tens of seconds to a few minutes). The attackers repeat these attacks over and over again, knowing that each such burst disrupts the site's activity and it takes time to return to full operation.
- We also continue to see traditional attack vectors that load websites until there is no effective bandwidth left for legitimate users. We observed attack volumes reaching up to 100 gigabits per second.
Main attacks
Attacks with a high level of sophistication by the professional and new attack bodies were directed against:
- Government websites: government ministries, authorities, and media networks.
- Communications and financial infrastructures: communications companies, banks, and the largest insurance companies in the economy.
Most sites have experienced repeated attacks over the past few days.
The following is an example of a complex attack on a finance company: The company's website was simultaneously attacked by a large number of attack vectors that included network attacks at speeds up to 100 gigabits per second, Web DDoS Tsunami attacks, and DNS attacks designed to prevent users from reaching the company's website.
Secondary attacks
Low-sophistication attacks have been observed on sites such as transportation, tourism, and private businesses. The attacks are random in the choice of targets and mainly include traditional attack vectors that generate network traffic loads on the attacked site.
Written by Ron Meyran, Director of Cyber Intelligence at Radware
