Business Continuity Management / Disaster Recovery, Critical Infrastructure Security, Cyber Warfare / Nation State Attacks
Services are now restored after a temporary outage
Mihir Bagwe •
March 15, 2022
On Monday evening, many Israeli government websites, including those of the prime minister and the interior, health, justice and social affairs ministries, were taken offline. Israel’s National Cybersecurity Directorate (INCD) later confirmed that a massive distributed denial-of-service attack had hit one of its communications providers, resulting in a temporary loss of access. The INCD added that normal activity was quickly restored.
In the past few hours, a DDoS attack against a communication provider has been identified. As a result, access to several websites, including government sites, was denied for a short time. As of now, all websites have resumed normal activity. @Israelgov
— Cyber Israel (@Israel_Cyber) March 14, 2022
The INCD did not release additional details about the incident, but the Israeli publication Ha’aretz quoted an unnamed senior Israeli defense official, calling it the “biggest” cyberattack ever against Israel. The source added that a state actor or a large organization is likely to have carried out this attack, but this remains to be determined as the investigation is ongoing.
Meanwhile, the news agency also claimed that the INCD and the Defense Ministry had jointly declared a state of emergency to investigate the extent of damage to strategic Israeli websites and government infrastructure, including the country’s electricity and water companies. No official statement has been released by the government or the Defense Ministry.
NetBlocks, a watchdog agency that monitors cybersecurity activity, tweeted that the widespread outage of government websites was due to attacks targeting Israeli telecommunications providers Bezeq and Cellcom.
Confirmed: A significant disturbance has been recorded on several networks powered by #IsraelBezeq and Cellcom, the country’s main suppliers, as the country’s defense authorities and the National Directorate of Cybersecurity declare a state of emergency pic.twitter.com/lcPyeLvPor
— NetBlocks (@netblocks) March 14, 2022
NetBlocks believed that the outage affected most Israeli government websites because the Tehila project – also known as AS8867 – which hosts at least 314 domains, essentially all gov.il website domains, was affected and became inaccessible to an international audience. NetBlocks noted, however, that users inside the country could still reach these sites.
Defense-related websites are not hosted on this infrastructure and therefore, according to Haaretz, none of them were affected by yesterday’s attacks.
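The outage pattern described above is a concentration risk: when one autonomous system hosts nearly every government domain, a single upstream event takes them all offline together. The following is an added illustration, not code from the article or from NetBlocks, that measures that dependency over constructed sample data (the domains, IPs, prefixes and AS numbers are all hypothetical, not real AS8867 prefixes).

```python
"""Hosting-concentration check: how many domains depend on one origin ASN?
All tables below are constructed sample data for illustration only."""
import ipaddress
from collections import defaultdict

# Constructed sample: resolved A records for a set of hypothetical government sites.
RESOLVED = {
    "pmo.example.gov": "192.0.2.10",
    "health.example.gov": "192.0.2.22",
    "justice.example.gov": "192.0.2.37",
    "interior.example.gov": "192.0.2.41",
    "defense.example.mil": "198.51.100.5",
    "stats.example.gov": "203.0.113.9",
}

# Constructed sample routing table: announced prefix -> origin ASN (hypothetical ASNs).
PREFIX_ORIGIN = {
    "192.0.2.0/24": 64501,
    "198.51.100.0/24": 64502,
    "203.0.113.0/25": 64503,
}

# Longest prefix first, so the most specific announcement wins the match.
_PREFIXES = sorted(((ipaddress.ip_network(p), asn) for p, asn in PREFIX_ORIGIN.items()),
                   key=lambda x: x[0].prefixlen, reverse=True)


def origin_asn(ip: str):
    """Longest-prefix match of an address against the table; None if not covered."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _PREFIXES:
        if addr in net:
            return asn
    return None


def asn_concentration(resolved):
    """Group domains by the ASN that originates their address: {asn: [domains]}."""
    groups = defaultdict(list)
    for domain, ip in resolved.items():
        groups[origin_asn(ip)].append(domain)
    return dict(groups)


def single_points_of_failure(resolved, threshold=0.5):
    """ASNs carrying more than `threshold` of all domains, with their share.
    Losing any one of these takes most of the estate down at once, which is
    the pattern reported for the Tehila AS."""
    total = len(resolved)
    return {asn: len(d) / total
            for asn, d in asn_concentration(resolved).items()
            if len(d) / total > threshold}
```

Running `single_points_of_failure(RESOLVED)` over the sample flags the one ASN that originates four of the six domains, which is the signal a continuity review would act on (secondary hosting, multi-homing, or geographically separate mirrors).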
Retaliation is a probable cause
The Israeli newspaper The Jerusalem Post claims that the Black Shadow group, which is closely affiliated with Iran, is behind the attack. The INCD has yet to confirm this claim, but The Jerusalem Post says the threat group may have carried out the DDoS attack in retaliation for an alleged attempt to sabotage Iran’s Fordow fuel enrichment plant.
“Historically, the main protagonists involved in cyberattacks against Israel have been groups aligned with the Iranian state, which is well known for operating a ‘tit for tat’ response when it considers itself to have been attacked,” said Toby Lewis, head of threat analysis at cybersecurity AI firm Darktrace.
Lewis cites the repeated DDoS attacks on U.S. financial institutions between 2011 and 2013 that followed sanctions on Iran over its nuclear enrichment program. He also pointed to the alleged attempt on “a nuclear power plant at Fordow” and called it a “likely trigger point for such a retaliatory DDoS attack.”
DDoS attacks are largely symbolic: they don’t tend to cause significant long-term damage and could simply be face-saving to show that action has been taken, although the public may not appreciate the superficial nature of such an operation, Lewis explains.
He advises security teams in Israel and around the world to remain vigilant, saying: “Although there is no evidence that this is the case in this case, DDoS attacks could be used as a distraction technique while more stealthy operations take place behind the scenes.”
A major sabotage attack was foiled before it could take place around Nowruz – the Iranian New Year, which falls on March 20 – according to the news agency Al Jazeera.
Black Shadow’s Recent Activities
The Black Shadow group is known to have consistently targeted Israeli organizations in the recent past.
On Sunday, the group claimed to have hacked and exfiltrated data from Israeli company Rubinstein Software Ltd., which provides software solutions to the diamond industry.
Iranian Hacking Team BlackShadow Claims To Have Hacked Rubinstein Software
#BlackShadow pic.twitter.com/x3dD5wi45f
— DarkFeed (@ido_cohen2) March 13, 2022
In November 2021, the group allegedly leaked the sensitive health records of nearly 300,000 patients at an Israeli network of medical centers (see: Black Shadow Group leaks Israeli patient records and data).
In March 2021, the group claimed to have hacked into Israeli car finance firm KLS Capital and stolen customer data, and in December 2020 it leaked thousands of documents containing personal information about customers of the Israeli insurance company Shirbit (see: Hackers Steal Data From an Israeli Car Finance Company).