Cyber Incident Victim: Weizmann Institute of Science
Date: Apr 2023
Location: Israel
Summary
A distributed denial-of-service (DDoS) attack was launched against the Weizmann Institute of Science by the hacker group Anonymous Sudan. The incident was part of a broader campaign targeting Israeli universities and cyber-security companies, temporarily taking their websites offline and making them unavailable for browsing. The group claimed the attacks were in retaliation for actions in Palestine. The victim's website was restored after a period of downtime, with no reports of data theft or system penetration.
Description
On April 4, 2023, a significant cyber incident targeted multiple Israeli academic and private sector websites. The attack was attributed to a hacker group identifying itself as "Anonymous Sudan," which claimed responsibility through a statement published on its Telegram account. The group's stated motivation was a response to actions in Palestine, as indicated by their message: "Infrastructure: Universities - Israel education sector has been dropped Because of what they did in Palestine." This activity was reported to be part of a broader campaign known as OPIsrael, where activists coordinate attacks against Israeli internet targets.

The incident began with a series of distributed denial-of-service (DDoS) attacks aimed at disrupting online services. Among the primary targets were several of Israel's largest and most prominent universities. The websites of Tel Aviv University, the Hebrew University of Jerusalem, Ben-Gurion University of the Negev, Haifa University, the Weizmann Institute of Science, the Open University of Israel, and Reichman University were all rendered unavailable for browsing. These sites remained down and inaccessible to users for a period of several hours, indicating a sustained and effective disruption of their public-facing web services. The attack on the academic sector was widespread, impacting a significant portion of Israel's higher education infrastructure simultaneously.

Following the attacks on the universities, the same hacker group turned its attention to the cybersecurity firm Check Point, one of Israel's largest companies in that sector. The group successfully executed a DDoS attack that briefly took down Check Point's website on the afternoon of April 4th. The website was restored after a short interval, returning to normal operation. In a public statement, a Check Point spokesperson confirmed the attack, describing it as a large-scale effort. The company characterized its website as being protected against DDoS attacks at the highest level and noted that the hackers had employed a huge volume of requests to momentarily affect the site's accessibility. The spokesperson emphasized that due to these protections, the site resumed normal function and was not damaged by the attack, characterizing it as a temporary disruption lasting only a few minutes.

The scope of the attacks extended beyond education and cybersecurity. According to reports from Check Point, the Anonymous Sudan group also briefly targeted websites associated with several medical centers. Rambam Hospital in Haifa was specifically named as one of these targets. However, the hospital itself subsequently denied that it had been successfully attacked or that its systems were penetrated, creating a discrepancy between the attacker's claims and the victim's account.

The hacker group followed its actions with a public statement. In their Telegram statement, they listed the sites they had attacked and explicitly stated that the incidents on April 4th did not constitute their main offensive. They announced an intention to launch a more significant attack scheduled for April 7th, though the nature of this planned attack was not detailed. Reports did not make clear whether the university attacks had penetrated beyond the public websites into the institutions' internal systems, leaving the full depth of the intrusion uncertain.

The impact of the incident was primarily operational, causing service outages that prevented public access to important institutional websites. For the universities, this meant a multi-hour interruption to their online presence, potentially affecting prospective students, current students, faculty, and staff who rely on these portals for information and services. The attack on Check Point, while shorter in duration, was notable for targeting a leading cybersecurity entity. The company's public response served to reassure its clients and the market of its resilience and ability to withstand such attacks without sustaining damage.

The technical nature of the attacks was identified as DDoS, which aims to overwhelm a target's servers with a flood of internet traffic, rendering them unable to respond to legitimate requests. Check Point's analysis, as provided to another news outlet, categorized these as "service-preventing attacks - those that only bring down websites and do not steal information and that can be recovered from relatively easily." This assessment indicates that the immediate objective was disruption and publicity rather than data exfiltration or system compromise. However, the same analysis also noted that it could be assumed these groups were attempting to develop capabilities for more significant attacks in the future, including those involving ransomware and data theft, suggesting a concern that the DDoS actions might be a precursor to more severe cyber threats.

Recovery actions were undertaken by the affected organizations. The universities worked to restore their web services, and as reported, some of the sites attacked on Tuesday became available again within the same news cycle. Check Point's restoration was swift, attributed to their robust defensive measures. The overall consequence was a temporary denial of service for the targeted websites, with no confirmed reports of data breaches or permanent damage to the underlying systems of the universities or Check Point. The incident highlighted the vulnerability of critical online infrastructure to DDoS attacks and demonstrated the operational effectiveness of a motivated hacktivist group in coordinating a multi-pronged assault on national institutions.
