The murderous attack that struck Israel on October 7 marked another especially horrific chapter in the history of terror, with levels of destruction and devastation not seen since the establishment of the state. Unfortunately, this isn’t the only bad news. The development and implementation of advanced technologies and accelerated digitization have opened new destructive possibilities for terrorists worldwide, spawning additional threats and diverse attack methods never seen before. Alongside conventional terror using armed combat means – guns, explosive charges, rockets, or missiles – the last few decades have seen a rise in cyber terrorism.
Some see it as the next evolutionary stage of modern terror, striving to achieve the same goals but with more advanced technological means – and in many ways, more destructive. This is a terror that operates in a different realm – the internet – and uses various cyber-attacks to disrupt networks, computers, and stored data, aiming to achieve the same terrorist goals: instilling fear and using militant and violent means to promote political, religious, or societal objectives.
This threat is not new for Doron Amir, CEO-founder of the cyber unicorn CyTaka, who has held numerous roles in cybersecurity and information security in recent decades. Amir describes a particularly disturbing array of offensive actions by hackers, organizations, or states within the cyber realm, happening on a daily basis. “The goals can be varied and change according to the specific target,” he explains. “Stealing classified information from individuals or organizations for fraud, illicit commercial activities, disruption of operations, thefts, or demanding ransom payments, for example.”
Dependence on the Digital Space Grows
Another arena in this space includes the battle for consciousness. “The world has long relied on digital media as a basic information consumption tool and attributes relatively high credibility to social networks, also due to their accessibility and visualization,” says Yigal Unna, former head of Israel’s National Cyber Directorate and the Shin Bet’s cyber division. “This is precisely what hostile elements are trying to exploit – in routine and especially now during this period and around the war.”
Unna, who currently serves as a member of CyTaka advisory board, notes that this is a battleground in every respect. “In it too, we must achieve victory in the battle for consciousness and truth,” he says. “Such a victory is not at all self-evident, especially when many attempts are made to distort reality and undermine the support Israel needs. Israel is a cyber superpower – and it’s time we use this power against those who seek our destruction on social networks.”
This is a real threat that has become a more significant and tangible threat, especially in recent weeks with the intensification of the war. The National Cyber Directorate recently estimated that 15 different attack groups – mainly directed from Iran – initiate thousands of attacks on Israel every day. Meanwhile, Israeli cyber giant Check Point reported an 18% increase in cyber attacks on Israeli targets since the start of the war and a jump of over 50% in attacks against governmental and security targets.
Attackers use a variety of tools: Trojan horses, rogue software, viruses, spoofing IP addresses, and even addresses embedded in network cards of modems and computers. “The tools available to attackers are becoming more sophisticated each year, while dependence on cyberspace is increasing,” Amir continues, describing the magnitude of the threat and warning of another significant threat – widespread cyber attacks directed against states, municipal bodies, or large corporations. “Attacks of such scale and power can disrupt, paralyze, and lead to extensive destruction of vital infrastructure, cause physical damage and significant economic losses – even real harm to human life,” he warns.
Before the war broke out, Doron Amir (47) devoted most of his time to other areas – developing the cyber sector in Israel and abroad and promoting the Abraham Accords in Muslim countries. He did so primarily through the cyber initiative he founded and manages – CyTaka – which works to strengthen cyber capabilities in countries supporting Israel. But like many others called to action following the terror attack of October 7, Amir decided spontaneously and independently to put all business aside and enlist for a new purpose – fighting cyber terror.
“From the moment of the incident and throughout the past weeks, we are mobilizing all the resources and connections we have in Israel and the world,” he says, “including, by the way, Muslim cyber experts from various countries who have volunteered to help and fight together.” In a special war room established right on October 7, ‘special teams’ began working around the clock – from pinpointing critical information to targeted neutralization of any hostile activity supporting terror that they managed to detect.
“Our company’s global platform was initially created to share vital information in the cyber field and was designed to fight against ransom and cyber attacks – specifically in civilian cyberspace,” Amir explains the routine activities. “The war brought the need for rapid change. We integrated the platform against cyber terror – affecting the credibility layer of information reaching international media, causing deviation and hatred through the spread of fake content, psychological warfare, and the use of offensive cyber for extorting money used by terrorist organizations.”
In other words, civilian defensive activity in routine times quickly turned into offensive activity in wartime, and civilian-defensive cyber support became offensive cyber support. “We are actually connecting between hackers who initiate attack actions or seek to volunteer for anti-terror missions,” Amir clarifies. “These groups include very well-known hackers from many countries, including Muslim ones that condemn and oppose terror. Just like network warriors fighting for the environment.”
It’s clear to everyone that this is not something political but a basic human act. After all, you don’t have to be Israeli to have an interest in destroying Hamas and ISIS. You just need to be a human being who opposes brutal terror.
And how does this happen in practice? How do hackers operate offensively against ‘cyber terror activists‘?
“There is a variety of offensive actions in this space. Attacks like Hybrid Attack, for example, to discover passwords of sites and profiles that distribute inciting information encouraging terror. Setting up Phishing sites impersonating terror supporters and managing to locate ‘cyber terrorists’ who, after verification by additional vectors, allow for ‘targeted technological neutralization’ against them.
“The information we collect also helps us to perform Social Engineering – special techniques designed to maneuver suspected users to share information or perform actions that reveal their connection to cyber terror activities. Some of the successes we’ll see soon result from the penetration of Rootkit into terror-supporting systems – that is, software that allows the operating team to broadcast activity with high permissions and without restrictions. We also use special AI software that allows us to quickly identify fake profiles using algorithms for comparing images, including comparisons to information disseminated with deep-fake and edited photos uploaded to social networks.”
From Amir’s words, as well as the prominent passion with which he describes the course of events, it is easy to discern that in his eyes, this is a mission. The terror attack of October 7 took him back 22 years – to the Twin Towers attack of September 11.
“The Israeli cyber is the best in the world, but unfortunately, it did not prevent the terror attack. About 1,200 Israelis were killed. In comparison to the Twin Towers attack – in terms of population size – it’s like about 40,000 Americans killed. Relatively, we are dealing with something big even in comparison to the USA. But right now, the most important goal is returning the hostages.”
Back to the Past
Now, Amir is using his cyber capabilities for the war effort “within the law and without breaking the rules,” he is keen to clarify. “We’re not NSO, and we don’t have espionage software, but there are enough groups of free hackers who understand that terror is not only immoral and merciless, it’s also without religion and nationality.”
It’s already clear that for many years to come, there will be discussions about the series of intelligence failures that preceded the horrific events of October 7. The intelligence community, which failed miserably in reading the map and collecting critical information, suffered a severe blow to its image and professionalism – but so did Israel’s image as a global cyber superpower.
“The Israeli cyber is the best in the world, even if, unfortunately, this cyber did not prevent the terror attack,” he says. “Despite that, the defensive cyber is still prepared and ready at all times for defense – 24/7. Our enemies are lurking in the corner, just waiting for us to make a mistake. We all saw the horrifying results that happen when there’s no army standing behind the fence even for one day, and I don’t want to imagine what would happen if the cyber defense were to disappear even for one hour. Therefore, it’s clear that Israeli cyber is still the strongest in the world, and for a simple reason – no country in the world suffers cyber attacks like Israel. Not in quality and not in quantity. The number of attacks we fend off is among the highest in the world, including attacks by states and organizations targeting infrastructure and strategic systems non-stop – and as the number of attacks increases, so does our capability.”
Know Your Enemy: The Major Attack Groups in Cyber Terrorism
🇷🇺 Cozy Bear, Russia
A Russian attack group affiliated with Russia’s intelligence agency, the SVR. The group initiates cyber offensive operations and cyber warfare primarily against commercial companies and government organizations in Western and pro-Western countries in Europe, North America, and East Asia. Recently, it has focused mainly on cyber attacks on institutions and sites in the USA and Ukraine.
The attack group was responsible for a series of attacks aimed against American institutions, research institutes, and organizations during the 2016 US presidential election campaign, aiming to influence and manipulate public opinion in America.
In March 2020, the attack group was responsible for breaching more than 200 companies and government bodies in the USA, in what is still considered the most severe cyber attack in history.
🇮🇷 Rocket Kitten, Iran
An Iranian attack group conducting cyber offensive operations primarily against Israel, the USA, and Saudi Arabia. The group mainly uses targeted phishing attacks to target security and commercial companies and government sites, as well as news sites, journalists, opposition figures, and human rights activists.
In the past, it was reported that the group, which receives direct sponsorship and funding from the Iranian government, collected sensitive details from thousands of users from Saudi Arabia, the USA, Israel, the Netherlands, and Iran (mainly opposition figures and regime opponents) using targeted phishing pages.
In August 2016, it was reported that the Iranian hacker group breached the accounts of about 15 million Iranian opposition activists and regime opponents using the instant messaging app ‘Telegram’.
🇨🇳 Red Apollo, China
A Chinese attack group. Conducts cyber offensive operations against Japan, India, the USA, and Western entities. The group focuses mainly on attacks for the purpose of espionage and intellectual property theft from commercial aviation companies, engineering companies, and telecoms. According to the FBI, the group has been operating under the Chinese Ministry of Defense since 2006.
🇰🇵Unit 180, North Korea
A North Korean attack group. Conducts cyber offensive operations against American and Western entities. The attacks are primarily against financial institutions and commercial companies, using social engineering, malicious macro commands, the distribution of malware, and ransomware.