OpIsrael 2016 marked by increase in data compromise

Michael Marriott | 11 April 2016

In our last blog on OpIsrael, we assessed what we were likely to observe on April 7. Now, shortly after the date, it is possible to reflect on what actually happened.

Purely by mentions of OpIsrael on Twitter, the campaign saw far less activity than in 2014 and 2015, as illustrated by Figure 1. Nevertheless, we did observe an uptick in malicious cyber activity as part of the hacktivist operation OpIsrael.

 

Fig 1: The total mentions of ‘OpIsrael’ in the last seven days.

Affected entities have included Israeli government websites, as well as those of smaller companies operating in Israel. Associated threat actors that have made claims included New World Hackers, who claimed they rendered two domains offline; AnonGhost, who successfully defaced three Israeli domains; and a previously unknown threat actor who called themselves “Cyber Saudi”, who claimed they rendered 11 Israeli government domains offline. Indeed, in the majority of the incidents, the targeted websites have featured the Israel top-level domain (.il). We also detected unattributed claims that were posted to the free-text sharing website Pastebin which pertained to data leakage. Although many of the claims were assessed to be a realistic possibility, only those made by AnonGhost were confirmed at the time of writing.

The tactics and techniques used by the threat actors included multiple claims of denial of service, data leakage and defacement. Figure 2 shows the breakdown of incident types observed as part of OpIsrael in both 2015 and 2016. In 2016, there were proportionally more claims of denial of service and data leakage than in 2015. Although not all of these claims were confirmed, a majority of them were assessed to have been a realistic possibility. 

Fig 2: A breakdown of incident types in OpIsrael 2015 and 2016.

There is a realistic possibility that hacktivist threat actors favor this approach because, while the theft of data may require only a low capability, particularly in relation to the use of automated tools, the impact is higher than most denial of service or defacement attempts.

So that’s all over now? Not quite. Despite the hacktivist-led plans to target Israeli web assets on 7 April each year since 2013, previous reporting on the operation suggests that further targeting is likely to occur after this date. Therefore, there remains a threat to Israeli domains and companies operating in Israel at the time of writing. Targeting will likely include defacement, denial of service and the attempted theft of data from websites.