Cyber Incident Victim: Tel Aviv University

Date: Apr 2023

Location: Israel

Summary

A cyberattack attributed to the group "Anonymous Sudan" targeted Tel Aviv University and several other major Israeli universities, causing their websites to be unavailable for several hours. The incident was a DDoS (Distributed Denial of Service) attack intended to disrupt services rather than steal data. The group claimed the attack was retribution for actions in Palestine and announced it was part of a broader campaign, with a more significant attack planned for a later date. Services were restored after the attack subsided.

Description

On the afternoon of April 4, 2023, a coordinated cyberattack targeted multiple major academic institutions across Israel. The hacker group identifying itself as "Anonymous Sudan" claimed responsibility for these actions. The websites of Tel Aviv University, the Hebrew University of Jerusalem, Ben-Gurion University of the Negev, Haifa University, Weizmann Institute of Science, Open University of Israel, and Reichman University were all rendered unavailable for browsing. These distributed denial-of-service (DDoS) attacks were part of a broader campaign known as OPIsrael, wherein activist hackers attempt to target Israeli internet infrastructure. The primary impact reported was the disruption of public-facing websites, making them inaccessible to users for a period of several hours.

The group publicly stated its motives on its Telegram channel, listing the sites it had attacked. In a statement, the group wrote, "Infrastructure: Universities - Israel education sector has been dropped Because [sic] of what they did in Palestine." This indicated the attacks were a form of hacktivism, politically motivated by the Israeli-Palestinian conflict. The group also issued a warning that the attacks on April 4 were not its main operation, which it claimed would occur on April 7. It was reported that the extent of the attack was not immediately clear, specifically whether it had managed to penetrate beyond the public websites into the internal systems of the targeted universities.

Later the same day, the same hacking group expanded its targets to include private sector entities. One of Israel's largest cybersecurity companies, Check Point, had its website briefly taken down. The attack on Check Point's public website was also characterized as a DDoS attack, though its effects were shorter in duration. After a brief period of disruption, the Check Point website returned to operating normally. A spokesperson for Check Point confirmed the incident, stating, "All our sites are functioning well despite a large-scale attack on them." The spokesperson elaborated on the defensive measures, noting that the company's website is protected against DDoS attacks at a high level, and described it as one of the strongest websites globally. The company's technical assessment was that the attackers had used a massive volume of requests to affect the site's availability for a few minutes, but thanks to those protections the site was not damaged and resumed normal operation.

According to reports from Check Point, the group also conducted brief attacks on websites associated with several medical centers. Rambam Hospital in Haifa was named as one of the potential targets. However, the hospital itself subsequently denied that it had been attacked, creating a discrepancy in the reporting. The overall campaign involved a significant number of requests aimed at overwhelming the web infrastructure of the selected targets. The attacks were categorized as service-preventing attacks, meaning their primary function was to disrupt availability and bring down websites rather than to infiltrate systems to steal information or deploy ransomware.

The impact of these incidents was the temporary denial of service for the public websites of the affected universities. This prevented students, staff, and the public from accessing online resources and information hosted on these sites for the duration of the outage, which lasted several hours for the educational institutions. The recovery process for this type of attack was described as relatively straightforward compared to more invasive cyber incidents like data breaches. The nature of a DDoS attack involves flooding a target with illegitimate traffic, and mitigation typically involves filtering that traffic and absorbing the load through robust infrastructure or third-party protection services.

Check Point provided further context on the types of threats posed by such groups. The cybersecurity firm told media outlet Maariv that while these were primarily service-disrupting attacks, it could be assumed that these groups were also attempting to produce more significant attacks, including those involving ransom and data theft. This statement highlighted a concern that DDoS attacks could be a precursor or a distraction for more serious and damaging cyber operations. The immediate response from the targeted organizations involved activating their existing DDoS mitigation protections. For the universities, this process took several hours before full service was restored. For Check Point, with its stated high-level protections, the service interruption was limited to just a few minutes. The incident demonstrated the varying levels of preparedness and resilience among different types of organizations facing the same threat.
