
Cyber Incident Victim: Mossad

Date: Apr 2023

Location: Israel

Summary

During Israel's Independence Day, the Prime Minister's Facebook account was hijacked and his official website was knocked offline by a DDoS attack. The group Anonymous Sudan claimed responsibility for these acts, posting unauthorized content to the social media account and disrupting the site's availability. This same group also previously claimed to have brought down the websites of the National Insurance Institute and the intelligence agency Mossad through similar denial-of-service attacks.


Description

On April 25, 2023, coinciding with Israel's official Independence Day, a series of cyber incidents targeted high-profile Israeli entities. The attack campaign was claimed by the group Anonymous Sudan. The first confirmed event involved the official personal website of Israeli Prime Minister Benjamin Netanyahu being knocked offline. The disruption was the result of a distributed denial-of-service (DDoS) attack, which functions by flooding a website with a massive volume of unwanted web traffic, rendering it inaccessible to legitimate visitors. This attack was brief, and the website was restored to functionality after a short period of downtime.


In a separate but related incident, the Facebook account of Prime Minister Benjamin Netanyahu was hijacked by unauthorized parties. The attackers successfully gained control of the account and updated it with a video depicting prayers at a mosque, accompanied by audio of Arabic verses from the Quran. The unauthorized post was live for a brief period before access was restored to the account's legitimate administrators. According to media reports cited in the incident analysis, the method of compromise did not involve a direct breach of Facebook's systems or the theft of login credentials. Instead, the hackers exploited a specific Facebook feature designed to allow collaboration between different pages. This feature was misconfigured, permitting the attackers to post content to the Prime Minister's page illegitimately.

The same group, Anonymous Sudan, claimed responsibility for these attacks on the Prime Minister's digital assets. Furthermore, the group stated it had executed additional attacks on the same day, Wednesday, April 26, 2023, against other Israeli targets. These included the websites of the Haifa Port and the Israel Ports Development company, which is the entity responsible for managing the country's ports. These websites were also overwhelmed with traffic from the DDoS attacks, making them temporarily inaccessible to the public. The group also claimed to have conducted attacks two days prior, on Monday, April 24, 2023. On that date, they asserted they had successfully brought down the websites of the National Insurance Institute and Israel's intelligence agency, Mossad.

The technical impact of these DDoS attacks was the temporary unavailability of the targeted websites. These are largely informational portals, described as being akin to a glorified leaflet that provides information to visitors. The attacks did not result in a compromise of the underlying systems hosting these websites. No sensitive information was accessed, exfiltrated, or stolen. The primary consequence was a temporary disruption of service and a brief inability for the public to access the information presented on these sites. The hijacking of the Facebook account resulted in the publication of unauthorized content, which was subsequently removed.

The response to these incidents involved investigations into the specific methods used. For the Facebook account compromise, the investigation focused on the misconfiguration of the social media platform's collaboration settings. It was determined that the proper controls to lock down and manage which entities could share content with the Prime Minister's page were not adequately implemented. The social media team managing the account was expected to review and adjust these settings to prevent a recurrence of such an exploit. The response to the DDoS attacks likely involved the targeted organizations working with their internet service providers or DDoS mitigation services to filter out the malicious traffic and restore normal service. Volumetric attacks of this kind are common and are often mitigated through such standard operational procedures.

The incidents generated significant media attention because of the high-profile nature of the targets, particularly the Prime Minister and the Mossad intelligence agency. The choice of timing, on the national holiday, was noted as a characteristic tactic used by hacktivist groups to maximize visibility and symbolic impact. The ease of executing such DDoS attacks and their high likelihood of generating headlines was identified as a probable reason why hacktivist groups frequently engage in this type of activity rather than attempting more technically sophisticated intrusions that could yield sensitive data.
