Cyber skirmishes on the margins of the Hamas-Israel war.
Dec 19, 2023

The CyberAv3ngers and Predatory Sparrow engage in the Hamas-Israel war.

The CyberAv3ngers (aligned with Iran) and Predatory Sparrow (possibly aligned with Israel but certainly aligned against Iran) have both conducted cyberattacks bearing tangentially on the war between Hamas and Israel.

Water utilities and gas stations.

Early in December the CyberAv3ngers, a group operating under the control of Iran's Islamic Revolutionary Guard Corps (IRGC), succeeded in using default passwords to compromise programmable logic controllers (PLCs) manufactured by the Israeli company Unitronics. The PLCs are widely used across many sectors, but the ones targeted were for the most part in small municipal water utilities in the US and, more recently, Ireland. The action was intended to punish users of Israeli technology and to damage an Israeli tech company.

On Monday of this week, according to the AP, about seventy percent of Iran's gasoline stations went out of operation due to what Iranian media at first described as a "software problem." Reuters subsequently reported that Iran's Oil Minister Javad Owji attributed the outages to a cyberattack. Iranian media attributed the attack to Predatory Sparrow, a group Iran attributes to Israel (and about which Israel had no comment). Like the CyberAv3ngers, Predatory Sparrow has a history in the region. About the present attack, which Iranian gas distributors are seeking to work around with manual backups, Predatory Sparrow itself said in its Telegram channel, "We, Gonjeshke Darande [that is, Predatory Sparrow], carried out another cyberattack today, taking out a majority of the gas pumps throughout Iran. This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region. Khamenei, playing with fire has a price. A month ago we warned you that we’re back and that we will impose cost for your provocations. This is just a taste of what we have in store."

The difficulties of coordinating cyber operations in a hybrid war.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the difficulty of coordinating cyber action with larger national objectives. That's true of all kinds of cyber operations, whether they're mounted by (presumably) well-disciplined and controlled military units, by hacktivist auxiliaries (less disciplined), privateers (working under general permission), or true patriotic hacktivists (possibly the most poorly controlled of all).

"Israel has some of the most talented cyber hackers on the planet!" Grimes writes. "We know that they have some of the most capable cybersecurity defense software, but that goes hand-in-hand with also having good cyber hackers/attackers. But, in general, any countryman/countrywoman thinking about attacking another nation in a broad attack not coordinated with their government or military needs to understand that nearly every country's defenses is sure to have exploitation holes...and the enemy can come back and take down your infrastructure."

He adds, "There is even a history of an uncoordinated cyber attack leading to a response that incidentally took down a critical infrastructure that was being used and monitored by their country's own military, making their job even harder. I don't know if the Israel hacking operation here was coordinated with their leaders, but there's a risk to uncoordinated offensive cyber attacks and likely not everyone with cyberhacking capability is giving that risk due consideration. I would caution anyone, generally, doing random, uncoordinated, offensive cyber attacks in their nation's name to think long and hard about the possible repercussions."

How a gas-station program might figure into a larger hybrid war.

It's not immediately clear what direct effect an attack on gas stations might have on an adversary. It's a civilian inconvenience, to be sure, but beyond that what effect might the targeting seek to achieve?

Yossi Rachman, Director of Security Research at Semperis, offered some insights from Semperis monitoring of the incident. "With today’s cyberattack in Iran paralyzing most of the country’s gas stations, it is a reminder how groups such as Predatory Sparrow are using offensive cyber capabilities to strike back at Hamas and countries that sympathize with them," Rachman wrote. "This is not a random strike, and it was planned out in advance. Time will tell how damaging the attack has been. But know that if access to oil and gas stretches later into the week disruptions will become more widespread."

Rachman added some notes on the methods used. "From what I have observed and reviewed thus far from the Predatory Sparrow group's various communications channels, they compromised at least one server through which they took control of Iran's gas stations' central management system, by compromising the technical support or other administrative privileged accounts within the system, and have been able to obtain sensitive gas station data & payment details."

While Iran and Israel have been in intermittent low-level cyber conflict for years, that conflict seems to have intensified with the war between Hamas (an Iranian client) and Israel. "We can only speculate at this time about Predatory Sparrow’s motives behind today’s brazen attacks. First, the attacks might not be connected to other objectives or campaigns, and it is just a warning shot over the bow of the Iranian government showing what they are capable of doing in the future. However, we should also consider that the attack was perpetrated by a nation state for their own offensive military operations or intelligence gathering purposes. And there is the possibility the group was knowingly or unknowingly sponsored by a nation state, and the stolen personal and payment data exfiltrated from the Iranian gas stations systems could serve as their payment."  

The effect of Predatory Sparrow's attack, like the effects of the Iranian-aligned CyberAv3ngers, seems to have been limited, or, as Rachman suggests, restrained. "It is worth mentioning that the attack is controlled in its impact, as 30 percent of the gas stations were left unharmed by Predatory Sparrow, and that emergency services in Iran were allegedly warned in advance through a Skype chat. In fact, Predatory Sparrow stated in a Telegram channel post that ‘they issued a clear warning before the operation began and ensured a portion of the gas stations across the country were left unharmed.’" Nonetheless, infrastructure operators should take the incident as a cautionary example. "At this time, critical infrastructure operators in the U.S. are primarily privately owned entities, including organizations such as Colonial Pipeline, which suffered from a widespread breach in 2021 at the hands of the Russian-linked DarkSide gang, disrupting oil and gas distribution for days up and down the eastern seaboard. For all critical infrastructure operators, pause for just a minute today and remind yourselves that you can do a better job of building resiliency and more effective cyber defense capabilities in your networks."

Cyber operations and norms of armed conflict.

Neither the water utility nor the gas station attacks have been particularly consequential. Both were quickly detected and soon worked around (indeed, if Semperis is correct, the gas station program was even accompanied by some advance warning). But they exhibit some of the features that motivated the International Committee of the Red Cross (ICRC) to call upon states to bring cyber warfare into line with international norms of armed conflict. The ICRC asked that states observe proper discrimination in their cyber operations and avoid civilian targets generally. The Red Cross also asked that governments control and restrain the participation of civilians--"individuals, hacker groups, and companies"--in cyber warfare. Such participation, the ICRC fears, will blur the vital distinction between combatants and noncombatants and expose prohibited targets to greater risk of attack. It's unclear what the precise status of either the CyberAv3ngers or Predatory Sparrow is: they might be anything from regulars to enthusiasts.