Although Hamas’ cyber capabilities do not now constitute a serious threat to Israel, this reality can quickly change in view of the rapid pace of technological progress.
The use of cyber-warfare enables terror organizations and weak nations to take advantage of an asymmetric domain in which military, economic and technological gaps are far less important. Thus, weak players can operate effectively against much stronger ones.
Hamas, a terror organization and a rather weak sub-state actor, mainly with respect to its military capabilities and certainly relative to those of Israel, is taking advantage of the cyber domain in order to attack Israel with the limited means at its disposal.
In addition to terror activities (firing of rockets at Israel’s population centers, deploying rocket launchers within or in close proximity to civilian neighborhoods, etc.), Hamas uses additional asymmetric means, as part of its Gray-Zone strategy, such as underground warfare, sending thousands of “protestors” to breach the fence on its border with Israel and the use of terrorists posing as civilians in order to launch incendiary balloons toward Israel.
As part of the asymmetric warfare against Israel, Hamas has during the last decade invested not insignificant resources in creating and upgrading its cyber capabilities and primarily its ability to gather intelligence on the IDF. In 2017, it was revealed that Palestinian women take part in cyber training during a recruitment campaign for Hamas.
Various Types of Cyberattacks
Most cyber-attacks can be categorized into four main types:
- Defacement – Breach of an Internet site and creation of propaganda, including the planting of messages by the attacking organization. This attack primarily constitutes psychological warfare and does not cause significant damage.
- DNS poisoning – An attack in which the target computer is directed by a DNS server to a site chosen by the attacker, instead of the actual site that the user was trying to access. In such a situation, the attacker can steal information and implant malware within the target computer.
- Denial of Service Attack (DoS) – This tactic involves an attempt by the attacker to cause an overload of traffic arriving at a particular computer or Internet service. In this way, the service offering the site is essentially paralyzed. These attacks disrupt routine but do not cause significant or irreversible damage. Targets of these attacks can be financial service sites (banks, insurance companies, commercial sites, etc.), the sites of cellular and television companies and commonly used apps.
- Phishing – In this type of attack, the attacker takes on a false identity to obtain information or money from a particular individual. It is carried out by widely distributing requests by email or at malicious Internet sites. If even a small proportion of the targets respond to the offers, this is sufficient for the criminals to obtain a large reward in money or information. A more threatening form of this type of attack is called “spear phishing”, in which the attacker focuses on particular individuals, in general ones who are prominent leaders in business, politics or the military.
During the “Cast Lead” Operation in 2012, Hamas took responsibility for an attack on Israeli sites, including the Homefront Command site and the IDF Spokesman’s site. The spokesman of the movement, Sami Abu Zuhri, declared at that time that the cyber-attacks are an integral part of the war against Israel.
In April 2013, a group of hackers called “The Cyber Hackers of The Izz ad-Din al-Qassam” took responsibility for a DDoS attack that lasted for two hours against the “American Express” site. In contrast to the typical DDoS attack (which is based on a network of hacked computers that are joined together into a robot network, or botnet, and controlled by the hackers), the Izz ad-Din al-Qassam attack made use of a programming language operated on the hacked network of servers, which allowed the hackers to obtain a larger bandwidth for carrying out the attack.
During the “Protective Edge” Operation in the summer of 2014, there was an increase in the attempts to attack civilian and military sites in Israel. In January 2017, it was revealed that dozens of telephones of soldiers and officers had been hacked by Hamas. In addition, the organization penetrated hundreds of Facebook groups (some of them closed) related to the army, in which users shared information on training exercises, draft notices, etc.
In July 2018, the IDF revealed that Hamas had initiated a sophisticated cyber-attack in which it utilized fake profiles of women on the social networks to take control of soldiers’ mobile phones and computers. Hamas also tried to attack soldiers by means of WhatsApp and even managed to open three dating apps and to upload pictures and messages to the official stores. By way of these attacks, Hamas obtained access to the microphone and camera of mobile phone owners, without them being aware.
As part of that attack, Hamas also opened a Facebook group related to the 2018 FIFA World Cup. It invited soccer fans to join the group in order to get updates, watch live broadcasts and bet on the games. The users who joined the group and clicked on its links exposed themselves to cyber penetrations and the takeover of their computers.
In August 2018, the “ClearSky” information security company revealed that Hamas had tried to implant spyware in the mobile phones of Israelis using an app that mimicked the “Red Alert” app, which provides real-time alerts every time a terrorist fires rockets, mortars or missiles into the State of Israel. This was done by means of a link to the download of the app from fake profiles on Facebook and Twitter. The app took control of the target cellular phone and enabled the attacker to monitor the phone and to remotely carry out various manipulations. Hamas apparently timed the cyber-attack to coincide with the launch of hundreds of rockets against Israel.
Hamas is also using the online domain to recruit activists and to direct terror activity. In 2016, a Hamas activist who had been released in the Shalit prisoner deal and was located in Austria at the time contacted two Palestinian residents of Judea and Samaria by way of the Internet in order to recruit additional activists through them, with the goal of carrying out grenade terror attacks in Jerusalem.
An analysis of the cyber methods and means available to Hamas
Based on the attacks by Hamas against Israel so far, it can be concluded that Hamas is becoming bolder in its tactics. Nonetheless, its technological capabilities have not developed to a level that can cause serious damage to Israel and it is doubtful that they will constitute a genuine threat to Israel in coming years.
Hamas activity against Israel in the cyber domain is primarily focused on the gathering of information and intelligence for the purposes of spying, by means of activities with tactical effects on Israeli Internet sites and in particular on the social networks. It makes particular use of spear phishing, which is more sophisticated and dangerous than regular phishing attacks.
The tactical attacks by Hamas in the cyber domain enable it to obtain information by means of monitoring cellular devices, identifying locations and gaining access to phone numbers, messages, pictures and files located on cell phones. Furthermore, the organization is capable of remotely operating devices it has hacked, including taking pictures and making recordings, making calls, sending messages, obtaining confirmations of locations, etc.
Overall, Hamas’ cyber ability does not exceed that of unsophisticated hackers, whether individuals or organizations. It in no way comes close to Israel’s cyber offensive and defensive capabilities and those of other players in the global cyber domain.
Hamas is interested in strengthening its capabilities in the cyber domain, based on the understanding that it is a form of asymmetric warfare that can overcome its military inferiority relative to Israel. In addition, the use of cyber-warfare is likely to provide Hamas with intelligence victories and will further its strategy of attrition against Israel since the “Protective Edge” Operation, without incurring any significant cost.
Hamas’ current cyber capabilities do not constitute a major threat to Israel. However, this reality can be overturned relatively quickly, in view of the rapid pace of technological progress. Technological capabilities that were not available to weak players and individuals in the past are becoming more accessible over time and the world is flooded with new cyber weapons. Thus, Israel must continue to prepare for this evolving threat.
JISS Policy Papers are published through the generosity of the Greg Rosshandler Family.