Cyberattack: Anti-Israel message takes over multiple Israeli websites

The bottom of the page credited a group called "Hackers_Of_Savior" for the attack.

Cyberattack on Israeli sites, May 21, 2020. (Credit: Zeliger Shomron PR)
Hundreds of Israeli websites were the target of a cyberattack on Thursday morning, their home pages being replaced with an anti-Israel video and message in Hebrew and broken English: “The countdown of Israel destruction has begun since a long time ago [sic].”
The bottom of the page credited a group called “Hackers_Of_Savior” for the attack. The page title was changed to “Be Ready for a Big Surprise” in Hebrew. Visitors to the sites were asked to allow access to their cameras.
“This is a combined attack that tries not just to harm Israeli sites and to disturb the economy from operating, but also tries to gain personal information from users that enter these sites through control of the users’ cameras, which would allow the recording of personal information and pictures of thousands of Israelis,” according to Avitar Gat, digital systems operator at the Zeliger Shomron PR agency.
Factories in Israel reported a second cyberattack on their websites on Thursday evening, according to KAN. The attackers are demanding a ransom of tens of thousands of dollars in order for the factories to get their information released to them and not published to others. The attackers are threatening to halt production lines. The Manufacturers’ Association of Israel opened a headquarters to help affected factories.
It was unclear if the second attack was carried out by the same group.
Lotem Finkelstein, head of the Cyber Intelligence Department at Checkpoint Software Technologies, explained that as Al-Quds (Jerusalem) Day began on Thursday, hackers from the Muslim world – including Turkey, North Africa and the Gaza Strip – began organizing to attack Israeli sites and replace them with the anti-Israel video and text. The sites were all stored on the same server in the cloud, apparently forming a weak point that allowed some sites on the server to be harmed.
The attack occurred as Israel celebrated Jerusalem Day on the 53rd anniversary of the capital’s reunification.
“Even though there are a large number of sites on this server, in general this is a small range,” explained Finkelstein, recommending that sites use active and updated security products and that users not allow the affected sites access to their cameras.
As of Thursday evening, there was no indication that Iran stood behind the attack. According to cybersecurity firm Check Point, the attack was conducted by nine attackers who have been operating since April. Their profiles seem to connect them to Turkey, North Africa and the Gaza Strip. “This doesn’t mean there aren’t more, but we don’t know [enough] to confirm an Iranian operation at this stage,” he said.
Among the targeted sites: uPress, a Wordpress website hosting service; clothing brand Bang and Olufsen Israel; cultural center Bet Gabriel; Yad L’Achim, an Orthodox Jewish religious organization; Hashavshevet, a company that provides accounting and inventory software; several religious Jewish high schools and post-high school programs; a sub-page of United Hatzalah’s Hebrew website; and photographer Israel Bardugo.
The Petah Tikva Municipality announced on Thursday that the Cramim Directorate for Urban Renewal had been affected by the cyberattack, as the site is built on private infrastructure, unlike the rest of the municipality’s sites.
Bardugo tweeted a screenshot of the site, writing that “The Iranians did something significant last night and broke into my website. It is under control – don’t stress if you bought something from us recently.”
A statement on one of the group’s YouTube videos – also in broken English – stated: “We gather here to take revenge of zionists crimes against Palestinians who have dead or have lost their lifes, families and grounds [sic].”
The attack comes after Iran reportedly targeted Israeli water systems with a cyberattack in April, with Israel allegedly responding by launching a cyberattack on Iran’s Shahid Rajaee Port, located near the Strait of Hormuz.
On May 11, Mohammad Rastad, managing director of the Ports and Maritime Organization, announced that a cyberattack managed to damage a number of private systems at the port, confirming that the attack was carried out by a foreign entity, according to Fars News Agency.
Prof. Yitzhak Ben Israel, head of the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, emphasized that “there is no reason to get stressed from the current cyberattack. This is a simple attack that can be solved quickly with the backup of the site. This is a ‘defacing’ attack, which doesn’t steal information or control it, but just changes the face of the website. Every IT person can and needs to know how to return the site to how it was quickly.”
Amos Yadlin, executive director of Tel Aviv University’s Institute for National Security Studies and former head of IDF Military Intelligence, told 103FM on Thursday that, “We’ve all known for a decade already that cyber is the new dimension of war in the 21st century: This didn’t happen this week or last month.
“Israel tried to explain to Iran that in cyber they’re much more vulnerable than us and therefore it’s really worth it for them to keep civilian infrastructure outside of the conflict,” explained Yadlin, pointing to the recent cyberattack on an Iranian port that was blamed on Israel. “Israel definitely has additional abilities [and] hinted to the Iranians that it’s worthwhile for them to think twice.”
Yadlin added that cyberwar isn’t only answered with cyberattacks.
“Someone could attack in cyber and respond physically and vice versa. If the Iranians would think to fire rockets at civilian areas in Israel, it could be that the response wouldn’t be rockets, but rather cyber.”
In reference to the cyberattack on the Iranian port, Yadlin clarified that he still wasn’t sure whether Israel was really behind it or not.
According to The New York Times, the attack on the port was a direct response to a cyberattack on Israeli water infrastructure, and was meant to send a message to Iran that they shouldn’t try targeting Israel infrastructure.
The alleged Iranian cyberattack on Israeli water and sewage facilities took place on April 24. The attack caused a pump at a municipal water system in the Sharon region to stop working. Operations resumed shortly after, but it was recorded as an exceptional event, according to the Times.
A security company investigating the incident found that malware caused the shutdown, and the incident was reported to the Israel National Cyber Directorate and other Israeli intelligence agencies. Officials found that the malware had come from one of the offensive cyberunits in the Islamic Revolutionary Guards Corps. The attack and the quality of the attack were described as “miserable” by intelligence officials, the Times reported.