On October 8, as Israel only just began to wake up to the scope of the worst intelligence failure in its history, a previously unknown hacker group, “MalekTeam,” appeared online. “I am Malek. I have all of your personal information. Anyone who serves the Zionists is under my control,” the hackers wrote in their first message on a popular messaging application.
In the following weeks, the hackers, who are believed to be tied to Iranian military intelligence, proceeded to publish tens of thousands of records containing Israeli citizens' private information.
In their most damaging leak to date, the hackers released hundreds of medical records, detailing personal health information and types of wounds belonging to soldiers injured at the border with Lebanon after October 7.
"We have more than 500 GB. We will give you some samples: About 20000 of citizens, and 5000 of the IDF," the hackers announced, claiming to possess files way beyond those publicly available. The hacker group also claims to be behind the hacking of Ono Academic College, and a major media group.
The leaks of such sensitive information were hardly a surprise to Israeli cyber experts, who have been warning for years about Israel's key vulnerabilities in the cyber domain. More than a year ago, in December 2022, the State Comptroller had already noted in a report the lack of protection of the personal information of millions of citizens and called for rapid intervention to correct the deficiencies, yet little was done.
Hospitals, which store soldiers’ medical records and data on their injuries, were recognized as particularly under-protected, a far cry from Israel’s self-representation as a cybersecurity powerhouse. An Israeli official speaking on condition of anonymity says that in many hospitals the operating systems are outdated, cybersecurity awareness is low, and there is no budget for it.
The official adds that hospitals do not carry out risk assessments on an ongoing basis, and that unauthorized people can get into the systems.
Such private information will remain online indefinitely and can be used to harm Israelis in multiple ways: modifying health data in life-threatening ways, identity theft, and tailored phishing and social engineering attempts that lure victims into sharing sensitive intelligence used to prepare future attacks.
Israeli authorities in charge of cybersecurity are now finally starting to take action, but the harm has been done, and they have largely failed to prevent the widespread diffusion of Israelis' private information.
The warning signs ignored before October 7
Starting in 2010, Prime Minister Benjamin Netanyahu made Israel’s cybersecurity a priority. He launched the “National Cyber Initiative,” tasked with providing Israel with “superpower capabilities in cyberspace.” A few years later, Netanyahu claimed that the goal had been achieved, with Israel turning into “a cybersecurity power.” Israel began to be seen internationally as a cybersecurity powerhouse, allegedly invulnerable to external digital threats.
As on Gaza’s border, where alerts preceding Hamas’ October 7 attacks were not taken seriously, hubris took over, and warnings regarding key cyber vulnerabilities fell on deaf ears. Dr. Tehilla Shwartz Altshuler from the Israel Democracy Institute, noted last year that “there is a systemic problem with Israel's cyber defense readiness” and “Israel's cybersecurity is a ticking time bomb.” Amid the war, the bomb is exploding and these vulnerabilities are being exposed.
Israel’s flaws on the cyber front concern public institutions that are often subject to cyberattacks worldwide, such as hospitals and universities. Israel defines 40 organizations as critical infrastructure, granting them more manpower and funding and requiring them to meet certain standards.
The situation is more problematic for important organizations that are not defined as critical, such as universities and hospitals, which host high-value information including citizens' and soldiers’ health data. In May 2023, the State Comptroller warned about the numerous cybersecurity shortfalls that put state institutions, including hospitals and the health data of citizens, at risk of falling prey to hackers.
The National Cyber Directorate, one of the main bodies in charge of ensuring the country's cybersecurity, could do little following such an alarming report. Before the war, the Cyber Directorate operated without a legal framework granting it monitoring, supervision, enforcement and punishment powers.
As Dr. Rachel Aridor Hershkowitz, a researcher on cybersecurity and medical data at the Israeli Democracy Institute, explained in an interview: “After a cyberattack against a hospital in 2021, little happened, because the Cyber Directorate could not do anything, it had no power, and the Health Ministry said that it had no money to invest in the cybersecurity of the hospitals. It is a known fact that hospitals in the cyber domain are not protected enough, and we are now seeing the problems.”
In broken English, Iranian-backed hackers from the MalekTeam are now exploiting the systemic deficiencies in Israel's cyber defense and sharing links to download files containing Israelis' private health information. “We have the files for soldiers who were admitted to Ziv hospital in the last 10 months. The hospital is one of the main medical centers in the North and Hezbollah attacks from there,” the message reads.
Rather than asking for money, as is usually the case in cyberattacks against hospitals around the world, MalekTeam shares sensitive medical information, such as health records dating from 2020 to 2023, including vaccination records.
The data was verified by Shomrim. Israel’s Cyber Directorate acknowledged on December 18, 2023, that “the attackers succeeded in extracting some data,” pointing the finger at Iran and Hezbollah as being behind the attack, without elaborating on the sensitive nature of the data.
Ziv Hospital has been a recurrent victim of cyberattacks, failing to prevent hackers from gaining access to sensitive data in the current war. In response to these attacks and warnings, Ziv Hospital’s spokesperson indicated that “we increased preparedness at the Ministry of Health and the Government Hospitals Division.”
Even more worrisome, Ziv Hospital might be far from an isolated case. An Israeli official reveals that there have been many attacks against hospitals in the last few months; not just against Ziv Hospital, but also against Mayanei Hayeshua, Emek, and the Eitanim psychiatric hospital near Jerusalem. It is unknown if data leaked in those attacks.
The Cyber Directorate is now finally gaining new power in the war, with an emergency regulation granting it the ability to issue binding instructions to firms that have been victims of cyberattacks, but this seems to have happened too late. Dr. Aridor Hershkowitz stresses that “nothing can be done about the leaks which have already taken place.”
Similarly, an Israeli cyber analyst notes that while Israeli agencies have improved the cyber defense of the Israeli private and public sector during the war, “the question that we can raise is whether what was done before October 7 was enough in order to deter Iran from actively hacking many companies in Israel, and getting a pretty good foothold in the Israeli cyberspace over time.”
Exploiting Israel's weaknesses in the digital battlefield
MalekTeam is far from the only Iranian-affiliated group that has exploited Israel’s cyber deficiencies. The Cyber Directorate noted in a recent report that over 15 groups associated with Iran, Hezbollah and Hamas have attacked Israel in cyberspace since October 7.
“To Smotrich, Minister of Finance: Are you ready to pay the price?,” ask Iranian-linked hackers from the newly formed group “Cyber Toufan.” Since October 7, the group has tried to weaken Israel’s economy by sharing large data dumps twice a day, hacked from nearly 100 organizations, including government services such as the Israel Innovation Authority and sensitive cybersecurity firms, in dumps reviewed by Shomrim.
Each set of data usually contains thousands of names, phone numbers, emails, addresses and passwords belonging to Israeli citizens. The hackers then often proceed to directly threaten the individuals present in the leaks by sending them messages, via emails obtained in the leaks, calling them to “boycott Israeli cyber and tech.”
The Cyber Directorate’s spokesperson acknowledges that some of these leaks took place, indicating that they originated from a single hack of the website hosting company Signature-IT, and says that no credit card information was stored on the platform’s servers.
However, cybersecurity researcher Kevin Beaumont, who has closely tracked this group of hackers, demonstrates that some of Cyber Toufan's victims are not customers of Signature-IT, revealing that the group’s reach extends beyond the website hosting firm. In addition, a third of the targeted organizations have yet to recover, with some having seen their data wiped from their internal systems.
Again, these leaks stem, in part, from a lack of preparation in Israel’s cyber defense, notes Beaumont in an interview. “Companies in Israel need to ask themselves and their suppliers if they are set up, cybersecurity wise, to be able to handle adversaries in a time of war. In the case of Cyber Toufan, it looks like the suppliers involved were simply not equipped to deal with the level of threat,” he explained.
Iranian-backed hacker groups seem to be well aware of Israel’s cyber flaws, as well as the country’s political fault lines. Take for instance KarmaGroup, which poses as a left-wing Israeli group and relies on a wiper malware nicknamed “Bibi-Wiper,” compiled on Netanyahu's birthday, October 21, to destroy data and release leaks from Israeli organizations, including a data-hosting firm and defense contractors. “#no2Bibi #no2CrimeMinister,” the group writes before releasing leaked information, trying to deepen social rifts by portraying itself as an Israeli left-wing organization while conducting cyber operations.
The group attacked private sector firms as a way to get a foothold in government services, explains an Israeli cyber-security expert. “KarmaGroup, which is linked to Iranian military intelligence, targeted and leaked information from various Israeli institutions, including Octopus Computer Solutions and other private sector firms.
"Most likely the reason to target such companies is their connection to big companies and governmental agencies. Hackers are aiming for these firms 'on the periphery' to obtain information, as state agencies can exert less control over private firms.”
Other groups also seek to gain publicity by exploiting the current international focus on the war against Hamas, sharing a mix of old and newly acquired databases belonging to Israelis.
As noted by the Cyber Directorate spokesperson, “since the outbreak of the war, there has been an increase on the Darkweb and social networks of mentions of leaks of various types. It is important to note that some of the leaked files published at the beginning of the war are from old or recycled events.” Nevertheless, even leaks dating from before the war may contain information that remains up to date and a source of threats for Israelis.
Cyber leaks and real-world risks: Threats to Israeli citizens in the current war
Beyond exposing vulnerabilities in Israel’s cyber defense, and undermining the country’s image as an invulnerable cyber power, these leaks pose multiple potential threats to Israeli citizens in the context of the war. These risks have been particularly exemplified in the war in Ukraine, with Russian hackers using leaked data to sow mistrust and place citizens at risk.
As summarized by Aleksandar Milenkoski, senior threat researcher at cybersecurity firm SentinelLabs, “data breaches create opportunities for espionage, disruption, or financially motivated operations with potentially severe consequences, ranging from large-scale supply-chain attacks and targeted phishing campaigns to intrusions into private networks and the misappropriation of financial resources.”
For example, at the start of November 2023, the IDF exposed fake profiles on social media, working on behalf of Hamas, and trying to make contact with soldiers to extract sensitive information. These avatars can exploit the personal information found in the leaks to appear more convincing and lure their targets into sharing information.
The leaks also represent an entry point for convincing phishing attempts, with hackers sending emails calling on individuals to click a malicious link, leading to further data breaches.
The risks are particularly high with the medical data found in some of the leaks. These leaks not only violate patients’ privacy and expose the types of injuries suffered by Israeli troops, but also expose them to life-threatening scenarios, with hackers modifying health records after having gained access to a hospital's records.
An Israeli official underlines that such leaks “can allow hackers to change a blood type in the system, this can harm human life.” A wounded soldier, promptly evacuated from Gaza or the northern front to a hospital, may be exposed to faulty treatment, with fatal and irreversible consequences, if doctors rely on partial or incorrect data following cyberattacks and leaks similar to the ones currently taking place in Israel.
It is not difficult to imagine how deficiencies in cyberspace and lack of attention paid to prior warnings quickly spill onto the battlefield.
- Reprinted with permission from Shomrim - The Center for Media and Democracy