Cyber Incident Victim: Orot Yosef power plant
Date: Jul 2022
Location: Israel
Summary
A fire occurred at the Orot Yosef power plant in Southern Israel, with no injuries reported. While initial reports suggested an air filter malfunction as the potential cause, the Altahrea Team hacking group claimed responsibility via Telegram, alleging they compromised the facility's remote energy measurement system and shared its IP address online. The group, suspected to have Iranian ties and historically known for politically motivated DDoS attacks against Israeli targets, posted provocative messages alongside images of the blaze. Cybersecurity experts expressed skepticism regarding the claim, citing the operation's sophistication as inconsistent with the group's typical low-complexity tactics. The plant, operated by Edeltech, remained operational following the incident.
Description
On July 15, 2022, a fire broke out at the Orot Yosef power plant in Southern Israel, operated by Edeltech since 1989 with an output capacity of 1,189 megawatts. No injuries were reported during the incident. Initial on-scene reporting by Radio Darom 97 journalist Arnold Nataev indicated the fire originated from an air filter within an Israel Electric Corporation (IEC) facility, with fire services confirming the burning filter endangered adjacent infrastructure. While official authorities had not yet determined the fire's cause at the time of reporting, the Iranian-linked Altahrea Team hacking group claimed responsibility via their Telegram channel. The group asserted they had compromised the plant's remote energy measurement system prior to the fire and publicly shared the system's IP address. Their Telegram posts included images of the fire and taunting messages such as "Do you smell gas or Benzen? Check the store," alongside the local fire department's contact number. The messages did not explicitly state whether the group caused the fire directly through cyber means.

Security researchers immediately cast doubt on Altahrea Team's claims. Yossi Reuven, security research team lead at SCADAfence, highlighted the technical improbability of the group executing such an attack, citing the high sophistication required to remotely compromise industrial control systems compared to their historical operations. Altahrea Team, assessed by Check Point as Iranian or pro-Iranian Iraqi hackers, had primarily conducted politically motivated distributed denial-of-service (DDoS) attacks against Israeli targets including the Jerusalem Post, Channel 9, and port authority systems, alongside international targets like the Port of London Authority and Turkish media outlets in April-May 2022. The incident occurred amid heightened cyber hostilities between Israel and Iran, following prior claims by Israel-linked hackers targeting Iranian steel plants. Edeltech, the plant operator, had not issued public statements regarding the fire's cause or the hacking claims when contacted by reporters.
