Iranian state-backed Advanced Persistent Threat (APT) groups have masqueraded as hacktivists, claiming attacks against Israeli critical infrastructure and air defense systems.
While they threaten actors in Gaza itself they remained in radio silenceAccording to a new report from CrowdStrike, most of the cyberattacks against Israel in recent months were carried out by hacktivists and state actors who “played them out on TV.”
These so-called “falsitivists” have had a mixed impact on the Israel-Gaza war so far, claiming many public relations victories but leaving evidence of few truly disruptive attacks.
What is clearer are the benefits of the model itself: the creation of a layer of plausible deniability for the state and the impression among the public that their attacks are inspired by the grassroots. While this deniability has always been a key factor in state-sponsored cyberattacks, researchers called this case noteworthy for the effort behind the charade.
“We’ve seen a lot of activity from hacktivists who appear to be nation-states trying to have that ‘deniable’ capability,” Adam Meyers, CrowdStrike’s senior vice president of enforcement operations, said in a press conference this week. “And so these groups continue to maintain activity, moving from what were traditionally website defacements and DDoS attacks, to numerous hacking and leak operations.”
Iranian faketivists
Faketivists can be actors of nation-states – such as “Karma Power”, the BANISHED KITTEN front linked to the Ministry of Intelligence, or “The Malek Team”, actually SPECTRAL KITTEN – or corporate such as HAYWIRE KITTEN – associated with Islamic Revolutionary Guard Corps contractor Emennet Pasargad, who at various times operated under the nom de guerre Yare Gomnam Cyber Team and to Toufan Team (aka Cyber Toufan).
To sell their identity, faketivists prefer to adopt the aesthetics, rhetoric, tactics, techniques and procedures (TTPs) and sometimes real names and iconography associated with legitimate hacktivist customs. Keen eyes will note that they typically arise soon after major geopolitical events, without an established history of activity, aligned with the interests of their government sponsors.
It is often difficult to separate faketivists from hacktivists, as each may promote and support the activities of the other.
Post-October The activity of Iranian faketivists – real and otherwise – has involved alleged attacks against critical infrastructure and the Israeli “Iron Dome” missile defense system, as well as frequent information operations.
And the former is often just a thin guise of the latter. While faketivists have reached a select number of notable violationsmost of them appear to be opportunistic attacks of low material impact, intended to raise the morale of one party and degrade that of the other.
“We’ve seen disruption against Israel, a lot of focus on things like airborne warning systems that warn of incoming missile attacks. We’ve certainly seen attempts to destroy infrastructure inside Israel,” Meyers said, adding that such activity is likely continue to terrorize Israelis. “It’s basically the same playbook that Russia used in Ukraine, on how to terrorize the population and delegitimize their government, and make them distrust things.”
The gap left by Hamas threat actors
At the same time that Iranian faketivism has exploded in Israel, cyber activity associated with Hamas has undergone a dramatic decline.
Since the October 7 terrorist attack in Israel, threat analysts have found nothing from Hamas-linked cyber threat actors like Extreme Jackal (aka BLACKSTEM, MOLERATS) and Renegade Jackal (aka DESERTVARNISH, UNC718, Desert Falcons, Arid Viper).
This, CrowdStrike speculates in its report, could be explained by significant internet outages in the region. Since the war began, she explained, connectivity in Gaza has been hampered by a combination of kinetic warfare, power outages and distributed denial of service (DDoS) attacks.
Case in point: There is a Hamas-linked group – CruelAlchemy – whose command and control (C2) infrastructure has remained active since the start of the war. Although linked to Gaza, the group appears to be physically located in Türkiye.
So while Hamas remains absent online, its allies are making a difference (in volume, if not in quality).
“The bottom line is that APTs continue to proliferate. Every year we see more and more threat actors, and every year more and more activity from those threat actors,” Meyers says.