Analysis

Slapdash attempt to hack rocket sirens may be cause for serious alarm about Iran

Boasts by ‘Sudanese’ hackers may be farfetched, but their goal of keeping civilians from shelter shows the deadly aims of Iranian cyber warfare, possibly backed by Russian know-how

Dr. Avi Davidi edits The Times of Israel's Persian edition

Photo illustration: Rockets are fired from the Gaza Strip into Israel on May 12, 2021. (Edi Israel/Flash90; Egor Suvorov/iStock)

Hackers believed to be linked to Russia and Iran made unsuccessful attempts to sabotage Israeli rocket alert applications during a bout of violence with Gazan terrorists earlier this month, according to Telegram messages seen by The Times of Israel.

The bid to shut down the life-saving early warning network by the so-called Anonymous Sudan group and an Iranian hacking collective known as Asa Musa — Persian for Moses Staff — managed only to take some ancillary websites offline temporarily, without affecting the official mechanism that alerts Israelis to incoming missile attacks via siren and phone notification.

However, it did underline a growing threat for Israel from what appeared to be cooperation between hackers and Palestinian attackers, with Tehran’s fingerprints evident on both keyboards and rocket launchers.

“There will be rockets and cyberattacks at the same time,” one person claiming to be a hacker linked to Iran told the owner of rocket warning app Cumta, which was targeted in the May 2 hack.

With violence between Israel and Gaza erupting anew last week, following the initial flareup, hackers have continued boasting of being able to harm Israel’s civil defense infrastructure; though the strategy of overwhelming servers hosting government websites and third-party apps is unlikely to effect much damage, there still may be cause for concern.

On Saturday, Gedera residents received faulty rocket alert warnings on their phones, leading the military to recommend users reinstall their alert apps, the Kan broadcaster reported. Though no cause for the malfunction was given, it came amid already rampant speculation that Iran is attempting to boost its cyber capabilities, possibly under Russian tutelage.

The initial hacking attempts came on May 2, as Palestinian Islamic Jihad-led fighters launched dozens of missiles at towns near Gaza to avenge the death of an accused senior terror official who had been on a hunger strike in an Israeli prison.

Trails of smoke are seen as rockets are fired from Gaza at Israel, in Gaza City on May 2, 2023. (MOHAMMED ABED / AFP)

Moments after a barrage of dozens of rockets, Anonymous Sudan claimed on Telegram that it had hacked Cumta and fellow rocket alert application RedAlert, both of which are privately developed and privately managed phone apps that duplicate official Home Front Command alerts. They also claimed to have taken down the website of Tel Aviv-based Evigilo, a private company that provides emergency notification services to the Home Front Command as well as other major clients worldwide, and the landing page of Halamish, a government company focused on urban renewal projects. The assaults took the form of distributed denial of service, or DDoS, attacks, which can take a website offline by flooding a server with data requests, albeit without damaging any internal infrastructure.

Screen capture of Anonymous Sudan Telegram messages on May 2, 2023. (Courtesy)

“We have downed all alert systems in Israel, iron dome isn’t getting full alerts,” the group said on its official Telegram channel, referring to Israel’s vaunted anti-missile system.

It also took credit for Iron Dome failing to down a number of the rockets. While most of the rockets landed in open areas, meaning they would not have triggered an interception attempt, a number of them impacted populated areas of Sderot, including one projectile that hit a work site, injuring a foreign national there.

“All 22 missiles hit their targets without any interceptions immediately after our attack. This is unprecedented,” the group claimed.

The military later said Iron Dome had suffered a technical malfunction, which was quickly resolved. Despite Anonymous Sudan’s claims, Iron Dome’s ability to track and intercept projectiles is considered incredibly unlikely to be linked in any meaningful way to the state-run early warning system, or to any third-party application created by a private developer.

The site where a rocket fired from Gaza into southern Israel hit and damaged a car in the southern Israeli town of Sderot, May 2, 2023. (Yonatan Sindel/Flash90)

The group did initially admit difficulty in making good on its threats to take out the alert system, blaming weak infrastructure at its home base.

“We sincerely apologize that we are a bit late in bringing down the alarm system, due to the current weakness of the internet in Sudan, and unfortunately there is a great deal of outage,” wrote the group, which recently turned its attention to taking Israeli websites offline as part of a campaign championed by Iran that is meant to stoke global anti-Israel sentiment.

In actuality, Anonymous Sudan is thought to have no real connection to the Saharan country currently locked in deadly civil strife.

Anonymous Sudan first began taking credit for hack attacks in January, and had seemingly focused on targeting European countries for perceived anti-Muslim activity.

Experts noted that most of its Telegram messages were in Russian or English and linked the group to Russian hacker gang Killnet, which has launched DDoS attacks in European countries that back Ukraine.

The Anonymous Sudan logo. (Screen Capture: Telegram)

At the time, Killnet and Anonymous Sudan had often amplified each other’s messages on social media. However, in April, the group began shifting its attention, and in the past several weeks, attacks on European countries and messages in Russian have been replaced with attacks on Israel and the United Arab Emirates and messages in Arabic or English.

As the group was attempting to take Israeli warning applications offline on May 2, a person with the username Easa Musa, a variant spelling of Asa Musa — the Iranian hacker group known in the West as Moses Staff — contacted the owner of the Cumta app by private message to boast that the alert app was being taken down, according to screen captures of the chat seen by The Times of Israel.

During the lengthy conversation that ensued, the purported hacker first claimed to be someone named Suleiman from Yemen who is “coordinating with brothers in Iran” and acting upon “the brothers’ guidance.”

A screen capture showing a vandalized logo of the Cumta rocket alert app, sent to the app’s owner by a suspected Iranian hacker. The message below reads ‘Can your plastic dome stand up to this bloody weapon which appears in the new picture for your precious channel?’ (Courtesy)

The person later answered “yes” when asked “so you are Iran?” but later on said, “I already told you I have no connection to Sudanese or Iranians. There is cooperation between me and the brothers and in Iran.” At another point, they threatened that rockets would attack from Lebanon.

While much of the conversation took place in Hebrew, there were instances where the interlocutor switched to Arabic and even Persian. The stilted sentence structure of the Hebrew in many cases bore hallmarks of having been auto-translated from Persian.

Moses Staff was first publicly documented in September 2021, and is widely believed to be sponsored by or linked to the regime in Iran.

The group does not make ransom demands and is motivated by politics, with a strong bent toward attacks against Israeli interests, according to research by Israeli cybersecurity firm Check Point. Thus far, the group claimed credit for a cyberattack that caused false-alarm rocket sirens to go off in Jerusalem and Eilat in June 2022 and published footage from dozens of cameras throughout Jerusalem and Tel Aviv after allegedly hacking into the police’s surveillance system. It also claimed it leaked sensitive information about soldiers, though the data was apparently publicly available on LinkedIn, and took credit after an army observation balloon crashed in the Gaza Strip in June 2022, though the military said the balloon was not tethered correctly.

Palestinians watch a pre-recorded speech by Iranian President Ebrahim Raisi on ‘Jerusalem Day,’ which is called al-Quds Day after the city’s Arabic name, at a soccer field in Gaza City, April 14, 2023. (AP Photo/ Fatima Shbair)

The emergence of the group coincided with Iranian attempts to ratchet up cyberattacks on Israeli installations, in retaliation for years of cyberattacks and industrial sabotage blamed on Israel as part of a shadowy campaign aimed at reversing Tehran’s nuclear program.

The past six years have seen the cyberwar between the archfoes escalate significantly, and though it has had limited success in doing any damage to Israel, Iran has not given up trying. It has sought to upgrade its cyber capabilities with the help of Russia, and will seize opportunities as they arise, like attempting to amplify the damage from rocket attacks by coordinating with both terrorists and hackers to take the warning system offline just as missiles are fired.

The apparent connection between Anonymous Sudan, Moses Staff and Islamic Jihad’s rocket launches drives home the shifting nature of the dangers facing Israel as Iran wields its various proxies to establish a multi-front threat to the Jewish state.

Palestinian fighters from the Islamic Jihad terror group display weaponry at an anti-Israel rally in Rafah, south of Gaza City, August 24, 2022. (Fatima Shbair/AP)

Israelis experienced a taste of those dangers in April, when the country faced rocket barrages from both Gaza and Lebanon at nearly the same time. While the Lebanese fire was blamed on Hamas terrorists there, the attack was likely backed by Iranian proxy group Hezbollah.

That came days after the head of the Islamic Revolutionary Guards Corps Quds Force expeditionary unit met in Lebanon with the heads of Hezbollah and Hamas. And on April 14, 2023, the Iranian president delivered an unprecedented virtual address to Palestinians at a Jerusalem Day rally in Hamas-controlled Gaza.

Until now, most of the cyberattacks carried out by Israel and Iran against each other appear to be forms of psychological warfare, i.e., operations aimed at influencing public opinion in the target country to put pressure on the ruling regime, or to spark destabilizing protests.

Such attacks usually do not cause irreversible damage or end with innocent civilians being killed. The list of soft targets thought hacked by Iran in recent years includes The Technion — Israel Institute of Technology (2023), the LGBTQ website Atraf (2021), and the Shirbit insurance company (2020).

Even if its execution was comically poor, the attempt to silence life-saving rocket alert systems could mark a shift in the lengths Tehran is willing to go to pursue its goals against Israel. Whether a sign of desperation or vicious overconfidence, Iran’s abandonment of red lines so far adhered to by both sides, combined with its utilization of diffuse proxy arms, could mark the opening of a dangerous new phase for Israel.
