This new modus operandi is also characterized by the increasing use of wipers designed to maximize operational disruption. Notably, these trends were shaped during the Russian-Ukrainian war and have parallels in the ongoing conflict between Israel and Hamas. However, despite the intensity of these activities and the substantial resources invested, the actual impact they have on the dynamics of warfare is questionable.
Anonymous Sudan, an entity that emerged in early 2023 and is commonly affiliated with Russia, has been actively targeting Western entities under the guise of supporting Islamic causes. This group has executed numerous Distributed Denial-of-Service (DDoS) attacks on a global scale, impacting critical infrastructure and various other sectors.
The high-profile targets of Anonymous Sudan include the infrastructure and websites of companies such as Microsoft, Twitter (X), Telegram and Scandinavian Airlines. In the single year of its existence, Anonymous Sudan has been responsible for some of the most successful DDoS attacks ever recorded, including a major assault on Microsoft’s services. The group’s operations consist of collaborations with Russian-affiliated attack groups like Killnet, particularly when it comes to cyberactivity related to the Russian-Ukrainian war and anti-Western entities. Unlike other hacktivist collectives, Anonymous Sudan is believed to utilize rented server infrastructure for its attacks, suggesting it has access to substantial financial resources. These characteristics, coupled with the predominant use of English and Russian and the minimal use of Arabic (despite it being the official language of Sudan), have led researchers to speculate that there is a definite connection to or support from Russia.
In December 2023, the biggest destructive attack since the beginning of the Russia-Ukraine war was executed against Ukraine’s largest mobile network operator, Kyivstar. The previously low-profile hacktivist group Solntsepyok took responsibility for this attack. Ukraine links this hacktivist activity to the Sandworm APT group, which is operated by Russian military intelligence. Reportedly, the attack completely destroyed the telecom operator’s core.
In recent years, Iran has also significantly developed and employed its cyber capabilities, while focusing heavily on cyber-enabled influence operations. This trend has escalated within the context of the Israel-Hamas war. Unlike Russian state-affiliated hacktivism, which primarily focuses on distributed denial-of-service (DDoS) attacks, Iranian-associated hacktivist groups have adopted a more aggressive and technologically advanced approach focusing on destructive and hack-and-leak operations.
Historically, Iran has been a strong supporter of Hamas in terms of financial aid and training, and this has intensified since the beginning of the war on October 7, 2023. Following a strategy similar to Russia's, Iran has deployed cyber “hacktivist” forces to engage in digital warfare.
The Iranian-affiliated hacktivist KarMa group launched its English-speaking Telegram channel on October 8, quickly gaining significant attention with over 10,000 subscribers. KarMa serves as a cyber persona, an online front for the Iranian Ministry of Intelligence and Security (MOIS), which operates the “Scarred Manticore” APT, Dev-0842, and several other groups. Through its Telegram channel, KarMa disseminates information obtained from breaches of Israeli entities by Scarred Manticore espionage operations. Some of these breaches were accompanied by wiper attacks, which inflicted damage on the affected companies' infrastructures. The dedicated Linux and Windows wiper that was deployed, called “BiBi-Wiper” after Israeli PM Benjamin Netanyahu, was attributed to Dev-0842. This is typical of the increasing prevalence of destructive malware, which has become a new norm in hacktivist operations.
The same mode of operation was previously used by Iranian-affiliated actors against Albanian government entities in 2022. In a series of attacks, a cyber persona called “Homeland Justice” operated a dedicated Telegram channel and website that was used to leak materials of Albanian government entities whose systems were breached and suffered wiper attacks. The attacks were executed by MOIS-affiliated actors, including Scarred Manticore and Dev-0842. This pattern of using cyber personas that operate dedicated communication channels for leaking breached materials, combined with wiper attacks, reflects a consistent strategy employed by these Iranian-affiliated groups. In December 2023, the Iranian “Homeland Justice” persona resumed its activity with another wave of destructive cyber-attacks against key Albanian entities.
Another Iranian MOIS-affiliated APT group, known as Agrius or DEV-0227, launched a separate attack on the Israeli Ziv hospital in late November 2023. While Agrius has a history of deploying wipers that are sometimes disguised as ransomware, the attack on Ziv reportedly failed to disrupt the hospital’s network, although sensitive information was stolen. Similar to how KarMa operates, the stolen data was later published on the Telegram channel and website of another cyber persona named Malek Team, which also appeared in the early days of the war.
Cyber Toufan Operations, another recently introduced Iranian-affiliated cyber persona, was launched in November 2023 and operates a Telegram channel in Arabic and English. This group disclosed information obtained from various Israeli businesses following a breach of an Israeli hosting service. Similar to previous incidents, this breach involved data theft followed by destructive malware. Other Iranian-affiliated hacktivist groups that had been dormant but were reactivated during the current conflict include AlToufan and Moses Staff, attributed to the Islamic Revolutionary Guard Corps (IRGC).
A significant portion of these cyber operations is focused on information and psychological warfare, where the main objective is to publicize supposedly successful cyberattacks, thus emphasizing the targeted victims' vulnerabilities. These threat actors commonly exaggerate the impact of destructive operations that actually occurred, and also publish news or data from fictitious attacks. Cyber Av3ngers, a group acting as a front for Iranian-affiliated activities, published details of attacks dating back to 2022, some of which had already been reported by other groups. This strategy of blending genuine breach reports with fabricated ones is also employed by several other online groups, including one known as Soldiers of Solomon, which is closely related to the Cyber Av3ngers. These groups’ main focus was on programmable logic controllers (PLCs) and IoT cameras. Both Cyber Av3ngers and Soldiers of Solomon were publicly attributed to the IRGC.
Similar to the Russian cyber-operations during the Ukraine conflict, which expanded a few months into the war to target additional Western countries, in particular NATO member states, Iranian cyber activities also extended their reach westward. For example, Cyber Av3ngers targeted Israeli-made digital control panels, breaching several US and Irish water facilities.
Reflecting the patterns observed in the Ukrainian conflict, cyber activities in this recent conflict were not solely the domain of state-affiliated hacktivist groups. In the first weeks of the Israel-Hamas war, the cyber warfare landscape saw numerous regional hacktivist groups, predominantly with Islamic affiliations, step up their activities, together with the formation of hundreds of new anti-Israeli hacktivist groups. These groups primarily emerged on Telegram. The operations carried out by these organic hacktivist entities mainly involved minor DDoS attacks and website defacements. The impact of these activities was generally minor, with their effects largely limited to screenshots shared on Telegram channels. However, significant DDoS attacks were observed in the early stages of the conflict, with Israeli websites facing intense targeting.
In the midst of this, Russian-affiliated hacktivist groups did not maintain neutrality. Notably, Anonymous Sudan claimed responsibility for several cyberattacks against Israel. These included a strike on the official Israeli app used to deliver incoming-missile alerts to the civilian population, and an attack that took down the digital domain of The Jerusalem Post, a leading English-language Israeli newspaper.
Hacktivism has evolved to a point where state-affiliated groups now dominate much of the impactful cyber activity. Despite this heightened involvement from hostile governments, and the increased focus on destructive and disruptive activities, the actual effectiveness of these cyber operations remains debatable. A significant portion of this activity often goes unnoticed in the mainstream media, overshadowed by conventional warfare reports. As a result, these cyber actions often leave only a minimal impression on public opinion. Considering their limited visible impact, there is a question of whether resources allocated to such cyber endeavors are justified. The ongoing assessment of the effectiveness of these state-backed cyber operations will be crucial in determining their future role in modern warfare strategies.