Israeli government websites were taken offline yesterday in what was described as the largest ever cyber-attack to be launched against the country.
The wide-scale Distributed Denial of Service (DDoS) attack successfully took down the websites of Israel’s Prime Minister’s Office and its interior, health, justice and welfare ministries. However, all these websites appear to be operational again.
The official Twitter account of the Israel National Cyber Directorate confirmed the incident, writing: “In the past few hours, a DDoS attack against a communications provider was identified. As a result, access to several websites, among them government websites, was denied for a short time. As of now, all of the websites have returned to normal activity.”
The Israeli government has declared a state of emergency to study the extent of the damage caused and determine whether critical infrastructure services, such as electric and water firms, were affected.
Israeli publication Haaretz reported that the Israeli defense establishment said the DDoS attack targeted all websites using the gov.il domain, which is used for all government websites except defense-related ones.
A defense establishment source informed Haaretz that the incident represents the largest cyber-attack to strike Israel. The source also believes the attack was perpetrated by a nation-state actor or large organization but cannot currently determine who was behind it.
The Jerusalem Post reported that Iranian threat actors may have conducted the attack in retaliation for other events amid ongoing tensions between Israel and Iran.
Several alleged cyber-attacks have taken place between the two nations in the past year. For example, Israel was blamed for attacks on gas stations and a nuclear facility in Iran, while suspected Iranian hackers reportedly hit multiple Israeli companies with ransomware.
Commenting on the story, Toby Lewis, head of threat analysis at Darktrace, said: “Historically, the primary protagonists involved in cyber-attacks against Israel have been groups aligned to the Iranian State, which is well known to operate a tit-for-tat reaction when it considers it has been attacked itself. This includes, for example, a period of repeated DDoS attacks against US financial institutions following sanctions against Iran for its Nuclear Enrichment programme between 2011 and 2013. On Monday, Iran’s Revolutionary Guard claimed they had captured Israeli spies and saboteurs at a Nuclear Power plant at Fordow – a likely trigger point for such a retaliatory DDoS attack.
“It’s worth remembering that DDoS attacks are largely symbolic: they don’t tend to cause significant long-term damage and could simply be about saving face to show action has been taken although the public may not appreciate the superficial nature of such an operation.
“Nevertheless, security teams globally should remain vigilant. Whilst there is no evidence that this is the case in this instance, DDoS attacks might be used as a distraction technique whilst more stealthy operations take place behind the scenes. Defenders also shouldn’t rest on their laurels – sophisticated, state-sponsored ransomware remains a popular and concerning tactic that demands advanced technology to thwart.”
Speaking to Infosecurity, Ziv Gadot, CEO of Red Button, noted that DDoS is becoming an increasingly common tactic for state-sponsored actors, exacerbated further by the recent Russia-Ukraine conflict. “Iran has been accused of using DDoS attacks to target the United States, while Russia has allegedly been behind such attacks in Estonia, Georgia and, most recently, Ukraine. In many cases, the main goal of the state sponsor is to undermine the reputation of their adversary, even more than it is to cause actual disruption.
“Since the Russian invasion of Ukraine, we have seen a growing concern regarding DDoS attacks in the US, Europe and Asia. Governments and high-profile businesses that are not directly involved in the conflict are on alert, as it is hard to predict how things will develop. Organizations need to be ready. Now is the time to evaluate if they are vulnerable to DDoS attacks. Fortunately, the mitigation technologies available to them today are relatively mature and easy to deploy.”