In just the past few weeks, as we’ve all seen, the picture of cyber warfare has changed radically. Hackers launched 149 distributed denial-of-service (DDoS) attacks against 110 organizations in 16 countries. In total, twelve different hacktivist movements have been directly responsible for these coordinated attacks, mainly as a reaction to the increasing violence in the Middle East. The attacks specifically targeted public infrastructure and the apparatus of the state. This is another example of how cyber actors use geopolitical turmoil to further their own interests.
Keymous+, DieNet, and NoName057 are the principal actors within this wave of raids. Combined, they account for an incredible 74.6% of all hacking activity. The current war has created an unprecedented wave of cyber attacks. Organizations around the globe are having to reassess their cybersecurity posture.
Proliferation of Hacktivist Activity
Meanwhile, Sophos has tallied an unprecedented uptick in hacktivist activity, largely fueled by pro-Iran hacker groups. The Handala Hack team and APT Iran have been extremely prolific during this period. The Hider Nex, or Tunisian Maskers Cyber Force, as they called themselves, executed the first DDoS attacks of this campaign on February 28 of this year. They also had the temerity to aim at the region’s critical infrastructure.
The Iranian Islamic Revolutionary Guard Corps (IRGC) has had a direct hand in most of these attacks. In particular, they focused on attacks that impacted the energy and digital infrastructure sectors throughout the Middle East. The most prominent examples are attacks against Saudi Aramco and an Amazon Web Services data center in the United Arab Emirates.
“Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological impact operations to advance strategic objectives.” – Nozomi Networks
This targeting of public infrastructure reveals an intentional strategy to undermine essential services and spark fear and terror among marginalized communities. Nearly 47.8% of all targeted entities globally belong to the government sector. The finance sector accounts for 11.9%, and telecommunications for 6.7%.
The Role of Key Groups
The Middle Eastern hacktivist threat landscape is very lopsided in favor of a few major players. According to Radware, two organizations, Keymous+ and DieNet, are responsible for the majority of the attacks. Together they account for almost 70% of all documented attack activity from February 28 through March 2. This concentration is worrying because it raises the threat of increasingly powerful attacks.
Cotton Sandstorm, aka Haywire Kitten, one of the original prominent actors, has also resurfaced. It has since developed new programming and returned to its original roots as the Altoufan Team. This resurgence is seen as a harbinger of greater, more damaging intrusions throughout the Middle East and has triggered warnings from cybersecurity professionals.
“The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2.” – Radware
As enterprises continue to come to terms with the ever-changing threat landscape, authorities have made clear that waiting is no longer an option. Organizations should carry out a complete exposure review of all their connected assets. They also need to establish good segmentation between IT and OT (operational technology) networks.
Mitigating Cyber Risks
Against this backdrop of increasing cyberattacks, businesses should deploy strong cybersecurity measures to reduce the impact of such threats. Continuous detection and regularly updated threat intelligence signatures are an important first step toward limiting their external attack surface. Moreover, proper isolation of Internet of Things (IoT) devices is essential to prevent unauthorized access that could compromise sensitive information.
“In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone.” – Nozomi Networks
Experts note that Tehran has a long track record of obfuscating its position on individual cyber activities. This ambiguity especially applies to attacks specifically targeting countries like the U.S. and Israel. This indicates that Iranian state actors are capable of mobilizing these cyber operatives to defend against potential threats or military operations.
“Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries.” – Cynthia Kaiser
As tensions in the Middle East increase, the digital front is escalating alongside real-world violence. Hacktivist groups are targeting more countries than ever, creating new and unique challenges for cybersecurity professionals.

