Cyberattack: Anti-Israel message takes over multiple Israeli websites

Multiple Israeli websites were the target of a cyberattack on Thursday morning, their homepages being replaced with an anti-Israel video and message in Hebrew and broken English: “The countdown of Israel destruction has begun since a long time ago.”

The bottom of the page credited a group called “Hackers_Of_Savior” for the attack. The page title was changed to “Be Ready for a Big Surprise” in Hebrew. Visitors to the sites were asked to allow access to their cameras.

“This is a combined attack that tries not just to harm Israeli sites and to disturb the economy from operating, but also tries to gain personal information from users that enter these sites through control of the users’ cameras, which would allow the recording of personal information and pictures of thousands of Israelis,” according to Avitar Gat, Digital Systems Operator at the Zeliger Shomron PR agency.

Ransomware was also used in the attack, meaning that sites could only get their data back if they paid a “ransom” to the hackers, according to Channel 12. The ransom could easily cost over $100,000. The attacks also tried to target production lines themselves in order to halt production or to try and get control of schematics.

Factories in Israel reported a second cyberattack on their websites on Thursday evening, according to KAN news.

Lotem Finkelstein, head of the Cyber Intelligence Department at Checkpoint Software Technologies, explained that as Al-Quds (Jerusalem) Day began on Thursday, hackers from the Muslim world – including Turkey, North Africa and the Gaza Strip – began organizing to attack Israeli sites and replace them with the anti-Israel video and text. The sites were all stored on the same server in the cloud, apparently forming a weak point that allowed some sites on the server to be harmed.

The attack occurred as Israel celebrated Jerusalem Day on the 53rd anniversary of the capital’s reunification, and as anti-Israel activists prepared for Al-Quds Day, which is marked with anti-Israel events around the world.

“Even though there are a large number of sites on this server, in general this is a small range,” explained Finkelstein, recommending that sites use active and updated security products and that users not allow the affected sites access to their cameras.

The attack was conducted by nine attackers who have been operating since April, according to Checkpoint. Their profiles seem to connect them to Turkey, North Africa and the Gaza Strip. “This doesn’t mean there aren’t more, but we don’t know to confirm an Iranian operation at this stage,” he said.

Among the targeted sites: uPress, a WordPress website hosting service; Bang and Olufsen Israel, a clothing brand; Bet Gabriel, a cultural center; Yad L’Ahim, an Orthodox Jewish religious organization; Hashavshevet, a company that provides accounting and inventory software; several religious Jewish high schools and post-high school programs; a sub-page of United Hatzalah’s Hebrew website; and Israeli photographer Israel Bardugo.

The Petah Tikva Municipality announced on Thursday that the Directorate for Urban Renewal of Kramim had been affected by the cyberattack, as the site is built on private infrastructure, unlike the rest of the municipality’s sites.

Bardugo tweeted a screenshot of the site, writing that “The Iranians did something significant last night and broke into my website. It is under control – don’t stress if you bought something from us recently.”

A statement on the group’s only YouTube video – also in broken English – stated: “We gather here to take revenge of Zionists crimes against Palestinians who have dead or have lost their lifes, families and grounds.”

The attack comes after Iran reportedly targeted Israeli water systems with a cyberattack in April, with Israel allegedly responding by launching a cyberattack on Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.

On May 11, Mohammad Rastad, managing director of the Ports and Maritime Organization (PMO), announced that a cyberattack managed to damage a number of private systems at the port, confirming that the attack was carried out by a foreign entity, according to Fars News Agency.

Prof. Yitzhak Ben Israel, head of the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, emphasized that “there is no reason to get stressed from the current cyberattack. This is a simple attack that can be solved quickly with the backup of the site. This is a ‘DeFacing’ attack, which doesn’t steal information or control it, but just changes the face of the website. Every IT person can and needs to know how to return the site to how it was quickly.”

“We’ve all known for a decade already that cyber is the new dimension of war in the 21st century: This didn’t happen this week or last month.” said Amos Yadlin, executive director of Tel Aviv University’s Institute for National Security Studies and former head of IDF Military Intelligence, to 103FM on Thursday.

“Israel tried to explain to Iran that in cyber they’re much more vulnerable than us and therefore it’s really worth it for them to keep civilian infrastructure outside of the conflict,” explained Yadlin, pointing to a recent cyberattack on an Iranian port that was blamed on Israel. “Israel definitely has additional abilities [and] hinted to the Iranians that it’s worthwhile for them to think twice.”

Yadlin added that cyber war isn’t only answered with cyber attacks. “Someone could attack in cyber and respond physically and vice versa. If the Iranians would think to fire rockets at civilian areas in Israel, it could be that the response wouldn’t be rockets, but rather cyber.”

In reference to the cyberattack on the Iranian port, Yadlin clarified that he still wasn’t sure whether Israel was really behind it or not.

According to The New York Times, the attack on the Iranian port was a direct response to a cyberattack on Israeli water infrastructure, and was meant to send a message to Iran that they shouldn’t try targeting Israel infrastructure.

The alleged Iranian cyberattack on Israeli water and sewage facilities took place on April 24. The attack caused a pump at a municipal water system in central Israel’s Sharon region to stop working. Operations resumed shortly after, but it was recorded as an exceptional event, according to the Times.

A security company investigating the incident found that malware caused the shutdown, and the incident was reported to the Israel National Cyber Directorate and other Israeli intelligence agencies. Israeli officials found that the malware had come from one of the offensive cyberunits in the Iranian Revolutionary Guards Corps (IRGC). The attack and the quality of the attack were described as “miserable” by intelligence officials, the Times reported.