Cyber Incident Victim: Ben-Gurion University of the Negev
Date: Apr 2023
Location: Israel
Summary
Ben-Gurion University of the Negev was one of multiple major Israeli universities whose websites were taken down in a DDoS attack claimed by the hacker group Anonymous Sudan. The group stated the attack was a response to actions in Palestine and was part of a broader campaign against Israeli targets. While the attack caused several hours of website unavailability, it was described as a service-preventing attack from which recovery was relatively easy, with no reported data theft or penetration of internal systems.
Description
On the afternoon of April 4, 2023, a hacker group identifying itself as "Anonymous Sudan" executed a series of cyberattacks targeting Israeli online infrastructure. The initial wave of these attacks focused on the education sector, specifically impacting the websites of multiple major universities across Israel. The websites for Tel Aviv University, the Hebrew University of Jerusalem, Ben-Gurion University of the Negev, Haifa University, the Weizmann Institute of Science, the Open University of Israel, and Reichman University were all rendered unavailable for browsing. These institutions experienced significant downtime, with their public-facing websites being inaccessible to users for several hours as a direct result of the offensive actions.

The group publicly claimed responsibility for these attacks through a statement published on its Telegram channel. In this statement, the group provided its motivation, writing, "Infrastructure: Universities - Israel education sector has been dropped Because of what they did in Palestine." This indicated a politically motivated campaign linked to the ongoing tensions between Israel and Palestine. The group further stated that the attacks carried out on April 4th were not its main effort, explicitly warning that a larger, more significant attack was planned for April 7th. It was reported by media outlets that these actions were part of a broader activist campaign known as OPIsrael, which involves coordinated attempts to target Israeli internet assets.

Following the attacks on the academic institutions, the same group shifted its focus to a major cybersecurity firm. The website of Check Point, described as one of Israel's largest cybersecurity companies, was taken down temporarily on the same afternoon. The attack on Check Point's public website was, however, short-lived. After a brief period of disruption lasting only a few minutes, the website returned to normal operation. A spokesperson for Check Point subsequently issued a statement confirming the event, characterizing it as a "large-scale attack" on their sites. The company attributed the brief interruption to a Distributed Denial of Service (DDoS) attack, noting that the hackers had employed a huge volume of requests to briefly affect the site's accessibility.

Check Point's statement elaborated on its defensive posture, asserting that all its sites were functioning well despite the attack and that the company's website was protected against DDoS attacks at what it claimed was the highest level, describing it as one of the strongest websites in the world. The company credited its existing protections for the site's rapid return to normal operation and emphasized that no damage was sustained from the attack. The group "Anonymous Sudan" also listed Check Point among the sites it had attacked in its Telegram communique. According to a report from Check Point provided to the media outlet Maariv, the attacks were characterized as service-preventing attacks that only bring down websites and do not steal information, from which recovery can be achieved relatively easily.

The same report, however, included analysis from Check Point suggesting that groups like Anonymous Sudan might be attempting to produce more significant and damaging attacks in the future, including those involving ransomware and data theft.

The scope of the attacks on April 4th also briefly extended to the healthcare sector, according to Check Point. The company reported that the Anonymous group had briefly attacked websites related to several medical centers, including Rambam Hospital in Haifa. The hospital itself publicly denied that any such cyberattack had occurred against its systems, creating a point of contention in the reporting of the incident's full scope.

The immediate impact of the attacks was largely confined to the temporary unavailability of public websites, causing disruption to external communications and access to online services for students, faculty, and the public for the affected universities. The operational technology and internal systems of the universities were not mentioned as being compromised, and the primary consequence was a loss of web availability for a prolonged period. The quick recovery of the Check Point website demonstrated a difference in defensive capabilities, with the cybersecurity firm weathering the DDoS attempt with minimal downtime compared to the educational institutions. The event highlighted the vulnerability of public-facing web infrastructure to simple yet volumetrically significant DDoS attacks, even as it demonstrated the effectiveness of robust DDoS mitigation services when properly implemented.

The incident served as a disruptive but non-destructive event for the targeted universities, requiring response actions focused on restoring web services and likely involving their IT teams working to mitigate the flood of malicious traffic. The announced threat of a follow-up attack on April 7th by the same threat actor introduced a period of heightened alert for potential targets across Israel.
