Cyber warfare continues to punctuate the Middle East conflict as the recent escalation between Iran and Israel is almost certain to lead to intentional and inadvertent regional and global cyber disruption – even as far as Ireland’s water pipes. 

Companies based in the Middle East, those taking a public stance on the ongoing conflict and those relying on Israeli technologies are most likely to be targeted by advanced state-linked and opportunistic activist groups based in the region but companies from all verticals globally could be caught in the crossfire.

Iran’s launch of over 300 drones, cruise and ballistic missiles at targets in Israel on 13 April, and Israel’s apparent retaliation as Iran reported intercepting drones over Isfahan and Tabriz on 19 April are the latest real-world escalation amid the backdrop of the ongoing regional conflict between Israel, Hamas and other Iran-linked groups.  

As with the ongoing Ukraine war, the Iranian military effort was also likely supported by complementary cyber activity with pro-Palestine group Handala Hack claiming on 3 March and on 13 April (20 minutes before the Iranian missile attack) to have accessed Israeli radar systems.  

The missile attack has reverberated on both sides in the cyber domain with Israeli Prime Minister Benjamin Netanyahu reportedly planning retaliatory activities including cyber operations, while pro-Palestine hacktivists have reportedly established a new forum for hackers to share data stolen from Israeli citizens. While we have yet to observe a cyber escalation since the attempted missile and drone strike, these early developments in the aftermath of the attack are likely to be followed by tit-for-tat cyber exchanges by both sides.  

Regional conflict cascades globally through the digital domain 

Any cyber activity associated with the missile and drone strikes may be difficult to distinguish from the onslaught of cyber warfare that has been disrupting companies regionally and globally since the Israel-Gaza war started on 7 October 2023.  Since 7 October, 55 countries have experienced cyber incidents related to the ongoing Israel-Gaza war with over 120 total incidents tracked to actors linked to either Israel, Hamas, Iran or associated proxies. 

Iran-Israel escalation: the digital pipes are always leaking

 

Cyber warfare incidents linked to the conflict have been, and continue to be, highly disruptive, with operational technologies (OT) a key target of state-linked and activist threat actors. High-impact incidents, low-impact incidents and unsuccessful attempts targeting internet-connected OT systems vital to running critical infrastructure services, particularly utilities, are likely to continue disrupting victim organisations and their clients. Beyond disruptive attacks, regional and global organisations with an Israeli presence or using key Israeli third parties have been attacked. In addition, companies taking a public stance on the ongoing conflict and organisations closely associated with Israeli and Iranian allies have also been targeted. Such attacks have origins across the capability spectrum, from espionage to distributed denial of service (DDoS) and hack-and-leak incidents.

How this conflict is spilling over: a two-day water outage in Ireland 

A cyber attack in early December 2023 on an Irish utility’s internet-connected water pump system left 180 people in Binghamstown and Drum, Ireland without any running water for 48 hours.

The impacted terminals were both disrupted and defaced by the hackers leaving a “Down with Israel” message. The attack has been widely attributed to Cyber Av3ngers, an Iranian state-sponsored group that has also been linked to other disruptive attacks against utilities companies in Israel and the US. 

The hacked terminals were reportedly made in Israel, and the Cyber Av3ngers later added on their Telegram channel that “every equipment ‘Made in Israel’ is Cyber Av3ngers Legal Target!”

Post by Cyber Av3ngers in late-November on their Telegram feed claiming Israeli-made equipment is a legal target, 28 November 2023


What measures are organisations taking? 

Current escalations will be felt most acutely in the Middle East from a cyber perspective. Organisations headquartered in the Middle East or with operations in the region should be considering the impact and likelihood of direct and indirect cyber incidents targeting not only them, but also third parties and supporting infrastructure they rely on. Internal and external security resources should be prioritised to counter the tactics, techniques and procedures (TTPs) of Middle Eastern state, state-linked and proxy actors. 

For critical infrastructure organisations, particularly those with Israeli technologies or third-party partners servicing key assets and systems, reviewing OT controls for internet-connected terminals and systems is vital. Organisations should conduct scans against their own perimeter to understand their internet-facing footprint and whether operational systems are identifiable. 

For all organisations, global fallout and disruption is more likely. It’s key that organisations review business continuity planning for scenarios where utilities, transport or technology services are unavailable, either for a prolonged period or intermittently.

 
