{
	"id": "ed21590c-63ce-4c3b-ae77-976495793482",
	"created_at": "2026-04-06T00:18:07.414204Z",
	"updated_at": "2026-04-10T13:12:43.998084Z",
	"deleted_at": null,
	"sha1_hash": "0cad7fccc67d40c7e990e8e9663c89fec9f42b7d",
	"title": "2 Month Review of Cyber Activities in the Israel Hamas Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 673694,
	"plain_text": "2 Month Review of Cyber Activities in the Israel Hamas Conflict\r\nBy DarkOwl Content Team\r\nPublished: 2023-12-14 · Archived: 2026-04-05 12:52:28 UTC\r\nDecember 14, 2023\r\nIntroduction \r\nIt has been 2 months since Hamas’s October 7th surprise attack on Israel. In that time there have been many\r\ndevelopments both on the ground and in the cyber realm. A number of groups emerged in the aftermath of the\r\nattack pledging their support to either Hamas, Palestine or Israel and cyberattacks increased in the region targeting\r\nboth sides to varying degrees of sophistication. DarkOwl analysts have been tracking these events and activities,\r\nand in this blog we review some of the notable cyberattacks that have occurred and the groups that have taken\r\nresponsibility.  \r\nIn the first few days of the conflict, attention was largely focused on images and media reportedly coming out of\r\nIsrael and Gaza highlighting the atrocities which were occurring. Telegram, which is monitored by DarkOwl,\r\nappeared to be being used as a de-facto news source, providing details of what was happening in certain areas and\r\nalso posting images of the aftermath. Channels appeared or grew in size supporting one side or the other and while\r\nsharing information, there were also reports of false or fabricated information and media being shared stoking the\r\nflames on both sides.  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 1 of 10\n\nFigure 1: Telegram channel posts image of Hamas breaching into Israel \r\nThe cyber world also reacted to the conflict with existing hacktivist groups quickly pledging allegiance to their\r\nchosen side or already fighting for the cause. Groups quickly began to post online about the targets they had\r\nsuccessfully compromised with attacks ranging from DDoS (distributed denial-of-service), defacements to data\r\nleaks. As the conflict has progressed, the level of activity has ebbed and flowed, with some groups turning their\r\nattention back to previous targets.  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 2 of 10\n\nFigure 2: Selection of Cyber groups profile images \r\nAfter the initial invasion and activity, several cyber incidents accompanied the air and ground conflicts in the\r\nMiddle East. Key activities we identified as part of the conflict are detailed below although this is not an\r\nexhaustive list and does not describe all reported activities.\r\nOctober Events\r\nDragon Force Malaysia targeted and defaced several Israeli websites \r\nA leak purportedly from the Palestinian Foreign Ministry was published on cracking[.]org which\r\ncontained details of Chinese and Palestinian projects as well as correspondence documents and PII for\r\napproximately 500 people. DarkOwl was able to obtain this leak for review.  \r\nGhosts of Palestine openly announced they will target NATO countries who support Israel although\r\nTurkey was excluded from targeting.  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 3 of 10\n\nJFK airport was targeted by hacktivist group R_70  which is a Pro-Hamas group. The groups reported via\r\ntheir Telegram channel that they had taken down the JFK website due to their links to “Zionism.” \r\nBlackSec joined the digital operations arena, claiming it would target Israel and not remain neutral in the\r\nconflict.  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 4 of 10\n\nThe RedAlert app which was used to alert Israelis to rocket attacks was subject to a spoof attack which was\r\nreported to collect personal information. It was unclear who was behind this attack but demonstrated cyber\r\nactors taking advantage of the military conflict for their own gain.  \r\nStucx Team claimed an attack on an Israeli SCADA system via their Telegram channel, Supervisory\r\nControl, and data acquisition (SCADA) controls industrial processes. Targeting these types of systems can\r\nbring down water plants and electrical facilities and are usually one of the most concerning attacks for\r\ncyber security experts. A high level of sophistication is usually required to successfully attack these\r\nprocesses. However, they became a common Israeli target as the conflict continued.   \r\nFigures 3 and 4: STUCX Team Telegram post from DarkOwl Vision and on the channel \r\nThe group GlorySec posted on Telegram that they considered a firewall on Palestinian websites, indicated\r\nPalestine had prepared well in advance for a conflict in the cyber realm as well as the physical realm. They\r\nalso said they’d release the data right to Israel to support their operations and encouraged them to\r\ninvestigate this. It is unclear what information they had or if this was shared.  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 5 of 10\n\nFigure 5: Telegram post by GlorySec via DarkOwl Vision\r\nAnonymous Algeria publicly warned the UAE and alerted its airline, Emirates, to a possible system\r\ncompromise for what they view as “not supporting Palestine”:  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 6 of 10\n\nFigure 6: Anonymous Algeria Telegram Post\r\nReports indicated that Pro-Hamas hacktivists groups were targeting Israeli Entities with Wiper Malware,\r\nthe destructive malware appeared to have signatures within it linking it to the Middle East. This\r\ndevelopment highlighted the use of sophisticated tools as part of the ongoing conflict and suggests a “cyber\r\nwar” may also be taking place. \r\nAs the month of October concluded, hacktivist activity relating to the Gaza conflict appeared to decrease. While\r\nthe start of the conflict saw a large amount of emerging activity, with actors and groups choosing sides and issuing\r\nthreats online, digital activity surrounding the Israel-Hamas conflict tapered down. However, increases were\r\nexpected as the conflict continued.\r\nNovember Events\r\nAnonGhost Indonesia \u0026 Anonymous Indonesia warned the Japanese government that for supporting\r\nIsrael that they would carry out cyberattacks, the groups had already been active in targeting countries they\r\ndeemed to be anti-Palestine or Pro-Israel.  \r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 7 of 10\n\nGhostSec claimed to have successfully targeted several Israeli PLCs via their Telegram channel. \r\nAnonymous claimed to have information relating to Mossad spies which they threatened to disclose on\r\nTelegram it is unclear where this information came from or if it relates to valid data.  \r\nFigure 7: Anonymous post on Telegram \r\nAlthough the hacktivist groups on Telegram appeared to quiet in this period security research reported on several\r\nactivities which indicated that Iranian hackers were using new tools to target Israel and that a Hamas linked APT\r\nwas also targeting Israel with a new backdoor tool. Indicating that nation states and Nation State sponsored groups\r\ncontinued to be active in the cyber sphere. These groups tend to avoid the publicity that hacktivist groups seek.  \r\nDecember Events So Far… \r\nCyber incidents began to increase after the temporary ceasefire between Hamas and Israel completed.  \r\nPro-Palestinian hackers reportedly stole Israeli Defense Force (IDF) patient records as part of a cyberattack\r\non Israeli hospital\r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 8 of 10\n\nCyber Toufan hacking group claimed to have breached Israeli company SodaStream, and exfiltrated\r\n100,000 records:  \r\nFigure 8: Post for SodaStream data on dark web forum via DarkOwl Vision \r\nConclusion\r\nHacktivist groups and cyberattacks have been a component of the Israel Hamas conflict since it began, with many\r\ngroups getting involved and attacks across of a scale of sophistication being conducted on both sides. Although\r\nthe activities have ebbed and flowed in the first two months of the conflict, it is clear that they are likely to\r\ncontinue for the length of the military conflict – if not longer. DarkOwl will continue to monitor the activities of\r\nthese groups as the conflict continues.  \r\nSign up for our weekly research roundups to not miss any DarkOwl research.\r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 9 of 10\n\nSource: https://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nhttps://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/"
	],
	"report_names": [
		"2-month-review-of-cyber-activities-in-the-israel-hamas-conflict"
	],
	"threat_actors": [
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d52f649-28b3-4ae9-9ef9-49d1bc85cf7a",
			"created_at": "2024-01-09T02:00:04.211752Z",
			"updated_at": "2026-04-10T02:00:03.514428Z",
			"deleted_at": null,
			"main_name": "Cyber Toufan",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Toufan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cad7fccc67d40c7e990e8e9663c89fec9f42b7d.pdf",
		"text": "https://archive.orkl.eu/0cad7fccc67d40c7e990e8e9663c89fec9f42b7d.txt",
		"img": "https://archive.orkl.eu/0cad7fccc67d40c7e990e8e9663c89fec9f42b7d.jpg"
	}
}