23 February 2024

A forecast for 2024 cyberattacks in armed conflicts


It is clear that cyber will play a prominent role in major armed conflicts going forward. Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any escalation to the Israel-Hamas war, according to forecasts in a Google report on cybersecurity and the Israel-Hamas war.

The report says that after the terrorist attacks by Hamas on October 7, there was a steady stream of cyber operations by Iran and Hezbollah-linked groups that were more focused, more concentrated, and — among other objectives — geared toward undercutting public support for the war against Hamas.

Cyber operations are tools of first resort, providing a lower-cost, lower-risk way for rivals to engage in conflict, gather information, disrupt daily life, and shape public perceptions — all while still remaining below the line of direct confrontation, the report says.

“Cyber activity surrounding the Israel-Hamas war is very different from the war in Ukraine. Unlike the attack on Ukraine, we did not observe a spike in cyber operations against Israeli targets before the attack, and have no indication that cyber activity was integrated into Hamas battlefield operations, or used to enable kinetic events.”

In a forecast for 2024, the report says:
  • Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, to include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen.
  • Hack-and-leak operations and IO will remain a key component in these efforts to telegraph intent and capability throughout the war, both to Iran’s adversaries and to other audiences that they seek to influence.
  • While the outlook for future cyber operations by Hamas-linked actors is uncertain in the near term, we anticipate Hamas cyber activity will eventually resume, with a focus on espionage for intelligence gathering on intra-Palestine affairs, Israel, the US, Europe, and other regional players in the Middle East.

The report’s key findings on cyber operations related to the Israel-Hamas war:
  1. Iran continues to aggressively target Israeli and US entities, often with mixed results. This steady focus suggests that Hamas’ attack did not fundamentally shift Tehran’s strategy, but after the attack took place, we saw a more focused effort, concentrated on undercutting public support for the war. This includes:
     • Destructive attacks against key Israeli organizations
     • Hack-and-leak operations including exaggerated claims of attacks against critical infrastructure in Israel and the US
     • IO to demoralize Israeli citizens, erode trust in critical organizations and turn global public opinion against Israel
     • Phishing campaigns directed toward users based in Israel and the US to collect intelligence on key decision makers
  2. Iranian critical infrastructure was disrupted by an actor claiming to be responding to the conflict. “Gonjeshke Darande” (Predatory Sparrow) claimed it had taken a majority of gas stations in Iran offline, attacking their infrastructure and payment systems. Iran has attributed Gonjeshke Darande activity to Israel, however we do not have sufficient evidence to evaluate these claims.
  3. Hamas’s cyber espionage followed its typical pattern in the leadup to October 7, and we have not observed significant activity since then. Our observations suggest Hamas did not use cyber operations to tactically support the terrorist attack on October 7th. Through September 2023, Hamas-linked groups engaged in cyber espionage consistent with their normal operations, including:
     • Mass phishing campaigns to deliver malware and steal data
     • Mobile spyware, including Android backdoors, distributed via phishing
     • Persistent targeting of Israel, Palestine, and their regional neighbours in the Middle East, as well as regular targeting of the US and Europe.
