Numerous Israeli websites were targeted Thursday morning in a cyberattack, with hundreds of websites estimated hit, including some belonging to major firms, political groups and other organizations and individuals.
The attack came days after a cyberattack on computer systems at an Iranian port was blamed on Israel.
The website attack was linked by one expert to an activist group with ties to Turkey, North African countries and the Gaza Strip, but with no clear indication of ties to Iran. Channel 12 news, late Thursday, said it did not appear to have been initiated by Iran, but may have involved Iranian hackers.
The local authorities of Mitzpe Ramon and Ramat Hasharon were among those hacked, as was the Cofix chain of coffee shops and convenience stores, United Hatzalah emergency responders, and the personal website of Meretz MK Nitzan Horowitz. Victims also included the websites of right-wing groups such as Regavim, the Israel branch of Danish electronics firm Bang & Olufsen, and many more.
The affected websites displayed a video of Israeli cities being bombed and messages threatening the destruction of the Jewish state. Despite the number of websites that were defaced, cybersecurity experts said the scale of the attack was relatively small because they all were attacked via a single access point.
The attack came as Iran was set to commemorate Quds Day on Friday, annually marked with anti-Israel speeches, events and threats to “liberate” Jerusalem from Israeli control. Cybersecurity officials last week said they were expecting a coordinated attack by anti-Israel activists on this day.
Israel’s security firms and agencies have been preparing for a potential Iranian or Iran-linked cyberattack in response to an attack this week blamed on the Jewish state that was said to have crippled computer systems at a strategic port in the south of the Islamic Republic. That attack was apparently in response to an alleged Iranian attempt to hack into Israel’s water infrastructure system earlier this month.
— כאן חדשות (@kann_news) May 21, 2020
The targeted websites displayed the phrases “Be ready for a big surprise” in Hebrew and English and “The countdown of Israel destruction has begun since a long time ago [sic].”
A video then appeared to show explosions in Tel Aviv and a battered and bloodied Prime Minister Benjamin Netanyahu swimming away from a burning city. It also showed Jerusalem, with thousands of Muslims praying on the Temple Mount.
“Israel won’t survive the next 25 years,” read a message in Hebrew at the end of the video.
The attack also added a link on some websites, asking users to click on the link and activate their device’s camera.
The National Cyber Directorate initially said Thursday that it had received reports of dozens of Israeli websites coming under cyberattack. However, later reports on Hebrew-language media said hundreds or even thousands of websites were affected.
Check Point Software Technologies put the number of affected websites at an estimated 300.
The Directorate later said in a statement that an initial investigation had indicated it was a “superficial defacing of websites of private bodies in Israel done via a single storage firm hosting those websites.”
It said it was continuing to deal with the attack, and urged website owners to only work with storage providers that have an “adequate security level.”
It stressed that no damage had been done to official state infrastructure.
The cybersecurity service said the situation was being dealt with, and recommended that the public refrain from clicking on links on the targeted websites.
There was no official indication as to who was thought to be behind the attacks, although the images did feature Iranian flags and symbols.
The attack focused on just one Israeli server that had a vulnerability that the hackers used for their attack. The server belongs to Israeli cloud-service provider uPress, which provides services to thousands of Israeli websites. uPress uses software by WordPress, a web content management system, and made use of a vulnerability in the system that had previously been discovered and fixed. However, apparently uPress was not using the most updated version of WordPress software, and thus had the vulnerability through which the hackers conducted the attack, researchers said.
In a statement, uPress claimed the hackers were Iranian, without offering further details. It said it was working with the Cyber Directorate to investigate and deal with the attack.
The end of the video featured the logo of a group called “Hackers of Savior,” which has a private Facebook group that was created April 11, indicating that the group had been working on the attack since last month.
Lotem Finkelstein, head of cybersecurity intelligence at Check Point, said it was a group of nine hackers that could immediately be linked to Turkey, North Africa and the Gaza Strip.
He said, however, that it was too early to rule out the involvement of more attackers and a potential link to Iran.
In terms of effectiveness, said Finkelstein, the cyber attack did manage to deface quite a large number of websites, but it was still considered a “small” attack because it focused on only one server provider and was thus limited in scope.
He said users should avoid giving targeted websites access to the device’s camera when asked for it.
The links gave the hackers the ability to take users’ pictures and store them in a file, Check Point researchers said.
That attack came days after a cyberattack on Iran’s largest port, Shahid Rajaee, located near the city of Bandar Abbas. While some reports said the attack had caused “total disarray,” Iran denied this, and said the damage was limited in scope. Israel has long accused Iran of using the port to send weapons to terror groups Hamas and Hezbollah.
The New York Times reported that the attack caused only minor damage, by design.
Israel has refused to officially comment on any links to the attack, although the IDF chief of staff seemed to allude to it.
Security officials on Tuesday instructed agencies and sensitive facilities to raise their awareness and preparedness for the option of a retaliatory cyberattack as part of an apparent new tit-for-tat war, Hebrew-language media reported.
Times of Israel staff contributed to this report.