Cyber Incident Victim: Israeli Ministry of Defense
Date: Jan 2014
Location: Israel
Summary
A spear phishing attack compromised an Israeli defense ministry computer network via a malicious email impersonating the Shin Bet security service, leading to unauthorized access to 15 systems including one managed by the Civil Administration unit overseeing Palestinian territories. Attackers deployed the XtremeRAT malware, previously linked to regional cyber espionage campaigns, maintaining control over affected systems for several days to target sensitive operations such as border goods monitoring and Palestinian work permits. While forensic similarities suggested potential ties to prior Palestinian hacker activities, the specific intent—whether data theft or manipulation—remained undetermined. The incident highlighted broader cybersecurity challenges in the region, where state and non-state actors frequently target government and critical infrastructure networks.
Description
On January 15, 2014, attackers compromised an Israeli Ministry of Defense computer network through a spear-phishing campaign. Hackers sent a malicious email disguised as originating from Israel’s Shin Bet security service, containing a .zip file attachment purporting to include reports and photos related to the death of former Prime Minister Ariel Sharon. The attachment deployed XtremeRAT, a remote access trojan previously linked to surveillance operations by entities including the Syrian government. Security firm Seculert confirmed the malware infected 15 computers within the defense network, with at least one system belonging to the Civil Administration—a Defense Ministry unit managing Palestinian movement in occupied territories, including authorization of goods transfers between Israel, the West Bank, and the Gaza Strip, as well as entry permits for Palestinian workers. The compromised systems remained under attacker control for several days post-infection. While the exact actions taken during this access period were undetermined, the Civil Administration’s role in regulating contested territories made its systems a high-value intelligence target. Trend Micro analysts noted similarities between this incident and a November 2012 cyber espionage campaign against Israeli law enforcement that also used XtremeRAT; that earlier campaign had forced the government to temporarily disable police internet access and restrict removable media use.

Technical evidence suggested potential links to Palestinian threat actors, including code similarities to prior attacks traced to servers in Hamas-controlled Gaza over a year earlier, though attribution remained inconclusive. The attackers leveraged infrastructure based in the United States during the 2014 intrusion. Israeli officials, including Civil Administration spokesman Guy Inbar, declined public comment on the breach. Security researchers highlighted concerns that compromised subcontractor systems could enable broader attacks against government networks due to typically weaker security postures. No data exfiltration or manipulation was confirmed, though the incident exemplified persistent cyber threats facing Israeli entities, with foreign governments and groups like Anonymous frequently targeting military, governmental, and critical infrastructure assets in the region. The attack underscored operational security challenges in mitigating socially engineered intrusions against high-sensitivity administrative systems governing territorial disputes.
