DDoS Attack Downs Several Israeli Government Websites
Services Now Restored Following Temporary Outage
On Monday evening, many Israeli government websites, including those of the prime minister and the ministries of Interior, Health, Justice, and Welfare, went offline. The Israel National Cyber Directorate later confirmed that a massive distributed denial-of-service attack had hit one of its communications providers, resulting in a temporary loss of access. The INCD added that normal activity was soon restored.
In the past few hours, a DDoS attack against a communications provider was identified. As a result, access to several websites, among them government websites, was denied for a short time. As of now, all of the websites have returned to normal activity. @Israelgov
— Cyber Israel (@Israel_Cyber) March 14, 2022
State of Emergency
The INCD did not disclose any additional details of the incident but Israeli publication Haaretz cited an unnamed senior Israeli defense official calling it the "largest-ever" cyberattack carried out against Israel. The source added that a state actor or a large organization is likely to have conducted this attack, but that has yet to be determined as the investigation is ongoing.
Meanwhile, the news agency also claimed that the INCD and the Ministry of Defense jointly declared a state of emergency to study the extent of damage to strategic Israeli websites and government infrastructure, including electric and water companies in the country. No official statement was issued by the government or the defense ministry.
NetBlocks, a watchdog agency that monitors cybersecurity activity, tweeted that the widespread outage of government websites was due to attacks targeted at Israeli telecommunications providers Bezeq and Cellcom.
Confirmed: A significant disruption has been registered on multiple networks supplied by #Israel's leading providers Bezeq and Cellcom as the country's defense authorities and National Cyber Directorate declare a state of emergency pic.twitter.com/lcPyeLvPor
— NetBlocks (@netblocks) March 14, 2022
NetBlocks assessed that the outage affected most Israeli government websites because the Tehila Project - also known as AS8867 - which hosts at least 314 domains and primarily all gov[.]il website domains, had been affected and became unreachable for international audiences. But NetBlocks says that users within the country were still able to access these platforms.
Defense-related websites are not hosted on this domain and thus, Haaretz says, none of them were affected in yesterday's attacks.
Retaliation a Likely Cause
Israeli news agency The Jerusalem Post claims that the Black Shadow group, which is closely affiliated with Iran, is behind this attack. The INCD has not yet confirmed this claim, but The Jerusalem Post says that the threat group may have carried out the DDoS attack in retaliation for an alleged attempted sabotage of Iran's Fordow Fuel Enrichment Plant.
"Historically, the primary protagonists involved in cyberattacks against Israel have been groups aligned to the Iranian state, which is well known to operate a 'tit for tat' reaction when it considers it has been attacked itself," says Toby Lewis, head of threat analysis at cybersecurity AI company Darktrace.
Lewis cites examples of repeated DDoS attacks against U.S. financial institutions following sanctions against Iran for its nuclear enrichment program between 2011 and 2013. He tells Information Security Media Group that, "On Monday, Iran's Revolutionary Guard Corps claimed it had captured Israeli spies and saboteurs at a nuclear power plant at Fordow" and called that "a likely trigger point for such a retaliatory DDoS attack."
DDoS attacks are largely symbolic: They don't tend to cause significant long-term damage and could simply be about saving face to show action has been taken, although the public may not appreciate the superficial nature of such an operation, Lewis says.
He advises security teams in Israel and globally to remain vigilant, saying, "While there is no evidence that this is the case in this instance, DDoS attacks might be used as a distraction technique while more stealthy operations take place behind the scenes."
A major sabotage attack was foiled before it could take place on Nowruz - the end of the Iranian year, which is March 20 - according to news agency Al Jazeera.
Recent Activities of Black Shadow
The Black Shadow group is known to have persistently targeted Israeli organizations in the recent past.
On Sunday, it claimed to have hacked and siphoned off data from Israeli company Rubinstein Software Ltd., which provides software solutions to the diamond industry.
BlackShadow the Iranian hacking team claims to hack into Rubinstein Software: "We have all data of this company and their clients for sell. Data includes jewelry technical information, client information, payments, databases" #BlackShadow pic.twitter.com/x3dD5wi45f
- DarkFeed (@ido_cohen2) March 13, 2022
In November 2021, the group allegedly leaked sensitive health records of nearly 300,000 patients of an Israeli network of medical centers (see: Black Shadow Group Leaks Israeli Patient Records, Data).
And in March 2021, the group reportedly claimed it had hacked Israeli car financing firm K.L.S. Capital and stolen client data, while in December 2020 it leaked thousands of documents containing personal information on the customers of Israel's Shirbit insurance company (see: Hackers Steal Data From Israeli Car Financing Company).