{
	"id": "25afc574-44b0-48f2-a243-80ab76ad256f",
	"created_at": "2026-04-06T00:06:25.438044Z",
	"updated_at": "2026-04-10T13:12:37.671478Z",
	"deleted_at": null,
	"sha1_hash": "af43fee6adc3e620b49931ac5498d49855572dca",
	"title": "'Cyber Toufan' Hacktivists Leaked 100-Plus Israeli Orgs in One Month",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1101609,
	"plain_text": "'Cyber Toufan' Hacktivists Leaked 100-Plus Israeli Orgs in One\r\nMonth\r\nBy Nate Nelson\r\nPublished: 2024-01-04 · Archived: 2026-04-05 18:37:16 UTC\r\nSource: Issam Elhafti via Alamy Stock Photo\r\nSince mid-November, one Iran-linked hacktivist group has managed to breach more than 100 organizations in and\r\naround Israel, wiping servers, leaking sensitive data, and spreading follow-on attacks down the supply chain.\r\nSince October 7, anti-Israel hacktivists have proven largely ineffectual — quick to make grandiose claims on\r\nsocial media, less likely to provide evidence to back those claims up. Not so with \"Cyber Toufan al-Aqsa\"\r\n(\"Toufan\" in Arabic meaning flood). \r\nOn November 16, the group compromised Signature-IT, an Israeli company that specializes in hosting\r\ninternational websites for businesses. Through it, the hacktivists managed to reach dozens of significant\r\ncompanies and government organizations in Israel, as well as international companies doing business with Israel.\r\nAnd though the leaks have slowed (but not stopped) in recent days, the group continues to twist the knife by\r\nperforming follow-on email attacks against victims' employees and customers.\r\n\"We've seen over 150 hacktivist groups operating in the cyber war in Israel,\" says Check Point Software's chief of\r\nstaff, Gil Messing. \"CyberToufan is by far the most prominent one.\"\r\nIsrael's Most Prolific Hacktivist Enemy\r\nhttps://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month\r\nPage 1 of 3\n\nCyber Toufan first announced itself to the world by creating a Telegram channel a month into the Gaza war, and\r\nreleasing a statement.\r\n\"Stage one of #OpCyberToufan involved the complete wiping out and destruction of over a [sic] 1,000 servers and\r\ncritical databases of the enemy,\" it read, in part. 
The operation compromised more than 150 targets, it continued,\r\nspread across government, manufacturing, e-commerce, cybersecurity, and other sectors. \"The attack was carried\r\nout successfully without so much as a hitch,\" it added.\r\nEmpty claims like these have been made ad nauseam since October 7, but this time it was actually true.\r\nShortly after founding its Telegram channel, Cyber Toufan published data belonging to ACE Israel, a branch of\r\nACE Hardware. The next day it was Shefa Online, an Israeli e-commerce company.\r\nThen the group started publishing two leaks per day. On day three it was Radware and Max Security, two Israeli\r\ncybersecurity companies. On day four, the Israel Innovation Authority and Ikea Israel.\r\nOther government targets followed, including Israel's Ministry of Health, National Archive, Nature and Parks\r\nAuthority, Ministry of Welfare and Social Security, Securities Authority, and State Payment Gateway. Israeli\r\nbranches of multinational companies like Toyota and Toys 'R' Us were attacked, as well as companies that simply\r\ndid business with Israeli firms, like Berkshire eSupply, a subsidiary of Berkshire Hathaway, and SpaceX.\r\nThe Extent of the Damage\r\nMany of these victims appear to derive from an initial breach and wiping of servers belonging to Signature-IT.\r\nThis supply chain link bears significantly on the nature of the leaked data. In each case, Messing explains, \"the\r\ndata was always exactly what these companies were using in their specific [Signature-IT hosted] websites. 
So it\r\ncould be CRM data, it could be order — like for IKEA, there were names and what exactly they bought from\r\nIKEA.\"\r\nThe leaks were only part of the story, though, as even after its leak schedule ceased on December 27, Cyber\r\nToufan is continuing to cause damage to its victims, as well as those connected to them.\r\nOn one front, the group is using its victims' corporate email domains to blast hacktivist messages to as many\r\npeople as possible. For example, in an email sent to contacts stored in Radware's customer relationship\r\nmanagement (CRM) platform, the group asks that recipients \"don't have the blood of our children on your hands,\"\r\nbecause \"purchasing Israeli cyber and tech products/services is financial contribution towards the murder of our\r\nchildren in Gaza and the destruction of their homes, schools, and hospitals.\"\r\nMeanwhile, as a result of having their servers wiped, websites belonging to many Cyber Toufan victims — more\r\nthan a dozen as of last week, according to a blog post by cyber researcher Kevin Beaumont\r\n— remain down.\r\nFor example, more than a month after its breach was first announced, at the time of this writing, the website for\r\nBerkshire eSupply is down. The company has since filed a data breach notification with the Maine Attorney\r\nGeneral, estimating that 16,736 people were affected. 
In a public disclosure, the company acknowledged that \"we\r\ndo not have the precise scope or content of the data that was accessed,\" but added that it was acting out of an\r\nabundance of caution, and \"in line with the opinion of cyber experts who investigated the matter, these (our)\r\nsystems remained fully secured and were unaffected by the event.\"\r\n\"You cannot compare Cyber Toufan to any other Gaza hacktivist group because the damage they've created is by\r\nfar at a larger scale, and very systematic,\" Messing says. He argues that the scale and sophistication seen here —\r\nalongside overlaps in methodology and the wiper malware utilized against victims, as well as the nature of the\r\ntargets and data leaked — suggests links between Cyber Toufan and Iran.\r\n\"Cumulatively, we're talking about millions of records of Israelis. This is very serious,\" he emphasizes. \"It did not\r\ncripple the Israeli economy, but it did create a lot of damage, and some companies are still paying the price.\"\r\nAbout the Author\r\nContributing Writer\r\nNate Nelson is a journalist and scriptwriter. He writes for \"Darknet Diaries\" — the most popular podcast in\r\ncybersecurity — and co-created the former Top 20 tech podcast \"Malicious Life.\" Before joining Dark Reading,\r\nhe was a reporter at Threatpost.\r\nSource: https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month"
	],
	"report_names": [
		"-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month"
	],
	"threat_actors": [
		{
			"id": "2d52f649-28b3-4ae9-9ef9-49d1bc85cf7a",
			"created_at": "2024-01-09T02:00:04.211752Z",
			"updated_at": "2026-04-10T02:00:03.514428Z",
			"deleted_at": null,
			"main_name": "Cyber Toufan",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Toufan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af43fee6adc3e620b49931ac5498d49855572dca.pdf",
		"text": "https://archive.orkl.eu/af43fee6adc3e620b49931ac5498d49855572dca.txt",
		"img": "https://archive.orkl.eu/af43fee6adc3e620b49931ac5498d49855572dca.jpg"
	}
}