Cyber Incident Victim: Israel Security Agency
Date: Jul 2014
Location: Israel
Summary
The Israeli Defence Force's Twitter account was compromised by the Syrian Electronic Army, leading to unauthorized posts including a false nuclear leak warning at the Dimona facility and a pro-Palestine message, causing brief public alarm. The organization swiftly removed the fraudulent tweets, issued an apology, and reaffirmed its commitment to combating cyber threats. This incident followed a prior defacement of the IDF's official blog by the same group, which displayed an Arabic-language message. The attackers, known for credential theft via phishing, targeted high-profile entities, but the specific intrusion method remained undetermined in this case.
Description
On July 4, 2014, the Syrian Electronic Army (SEA) compromised the official Twitter account of the Israeli Defence Force (IDF), posting two unauthorized tweets that caused public alarm. The first false alert warned followers of a "possible nuclear leak" following purported rocket strikes at the Negev Nuclear Research Center near Dimona, a facility located 13 kilometers from residential areas. This message reached the IDF's 252,000 followers, triggering brief panic among residents of Southern Israel. A second tweet proclaimed "Always via @Official_SEA16 Long live #Palestine," directly attributing the breach to the hacking group. The attackers gained access through the IDF's Hootsuite dashboard, a social media management platform used to schedule tweets, send direct messages, and monitor account activity. The SEA publicly shared a screenshot confirming their control over the dashboard interface. This incident occurred less than a week after the same group defaced the IDF's official blog, replacing its content with an Arabic-language message while the site displayed an "under maintenance" notice.

The IDF detected the compromise and swiftly removed both fraudulent tweets within hours. Officials issued a public apology via Twitter, stating: "We apologize for the incorrect tweets. Our twitter account was compromised. We will combat terror on all fronts including the cyber dimension." No technical details regarding the intrusion method were disclosed, though the SEA has historically relied on phishing campaigns to steal credentials, as demonstrated in contemporaneous attacks against media companies like Taboola and Outbrain. The group self-identifies as Syrian activists countering what they deem false media narratives against their government. Beyond targeting Israeli entities, the SEA's operations have compromised major international outlets including the Financial Times, BBC, CNN, and The Onion. The Dimona hoax highlighted the potential for social media breaches to amplify disinformation during geopolitical conflicts, though no physical consequences or additional system compromises beyond the Twitter account and blog were reported in this incident.
