A week ago, the world was engulfed in geopolitical uncertainty with the Ukraine war raging, disinformation flying, and infrastructure being disrupted – including in countries supporting the Ukrainian effort. We may soon view those as the good old days.
Now there’s war in yet another region, with actors involved who have been and continue to be actively engaged in social destabilization and infrastructure disruption using cyber methods. Yes, activists and cyber mercenaries have chosen sides in the Israel-Hamas conflict, and the denial of service, records theft, and disruption attacks are underway and show no signs of abating. Many are asking how that can hit home in the US, UK, EU, and elsewhere. Here are some current and potential problems that we should monitor and prepare for:
Threats to Jewish organizations worldwide
In the past few days, we’ve seen anti-Semitic images and rhetoric in New York and Paris, including swastikas. Of course, that brings the real possibility of physical violence against Jews in America, a country with growing, brazen antisemitism over the past few years. The new violence could incite activists to take cyber-action against Jewish organizations, which could include extortion using ransomware, denial of service attacks, or destructive “wiper” malware. Iran could also target Jewish organizations outside of Israel in the coming months.
As the U.S. has deployed a carrier group to the Mediterranean, potential combatants are assuredly very interested in any American strategies to become involved, should Hamas, Hezbollah, or Iran escalate the war. Increased monitoring of digital communications in federal agencies (not just the U.S. Department of Defense) as well as federal defense contractors is good advice, as Iran has been known to use phishing and impersonation – fake profiles – as a means of initial access. This may necessitate a prohibition on the use of personal messaging services, including e-mail and social media, while working in these organizations.
Threats to the health sector
Healthcare organizations should watch for disruptive cyber events. Iran has also been known to attack the health sector, and now that activists and mercenaries have joined, those attacks may become very specifically directed. It is noteworthy that recent health care data breaches have shifted from phishing to vulnerability exploits as an initial access vector, so scanning of Internet-exposed devices and services should be frequent, and the findings should be matched against the CISA Known Exploited Vulnerabilities (KEV) catalog with urgency. Additionally, patches for Apple, Microsoft, Android, and Adobe products are all important to address immediately.
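The scan-then-match-against-KEV step above, as an added example that is not part of the original article: it indexes a KEV-style feed by CVE ID, filters external scan findings down to the known-exploited ones, and orders them by how far past the CISA due date they are. The feed fragment and scan findings are constructed here and the CVE IDs are placeholders; the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) uses the same top-level "vulnerabilities" array and field names.

```python
import json
from datetime import date

# Constructed, abbreviated stand-in for the KEV feed. Field names match the real
# catalog; the CVE IDs are placeholders, not real entries.
KEV_SAMPLE = """{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
   "dateAdded": "2023-10-01", "dueDate": "2023-10-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
   "dateAdded": "2023-09-10", "dueDate": "2023-10-01", "knownRansomwareCampaignUse": "Unknown"}
 ]}"""

# Constructed external-scan output: one finding per exposed service, with the
# CVEs the scanner mapped to the detected software version.
SCAN_FINDINGS = [
    {"host": "203.0.113.10", "service": "vpn/443", "cves": ["CVE-1900-0001", "CVE-1900-0099"]},
    {"host": "203.0.113.25", "service": "smtp/25", "cves": ["CVE-1900-0002"]},
    {"host": "203.0.113.40", "service": "http/80", "cves": ["CVE-1900-0100"]},
]

def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID so each scan finding is a single lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def match_kev(findings, kev, today: str):
    """Keep only findings whose CVEs are in KEV; most overdue first, ransomware-linked breaking ties."""
    today_d = date.fromisoformat(today)
    hits = []
    for f in findings:
        for cve in f["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # exposed but not known-exploited: handled by normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "host": f["host"], "service": f["service"], "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "days_past_due": (today_d - due).days,  # negative = still within the window
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    hits.sort(key=lambda h: (-h["days_past_due"], not h["ransomware"]))
    return hits

if __name__ == "__main__":
    for h in match_kev(SCAN_FINDINGS, load_kev(KEV_SAMPLE), "2023-10-12"):
        print(f'{h["host"]} {h["service"]} {h["cve"]} {h["product"]} '
              f'overdue={h["days_past_due"]}d ransomware={h["ransomware"]}')
```

Swap KEV_SAMPLE for the downloaded feed and SCAN_FINDINGS for your scanner's export, and the output is the patch queue the paragraph calls for, with the overdue items at the top.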
Disinformation to destabilize the population
Social media right now has evolved into a cesspool of poorly moderated dis- and misinformation. On-the-ground images and videos are being broadcast – some of which are not current, many of which are completely fabricated. They try to get citizens to take sides and become vocal and aggressive about perceived war crimes and atrocities. Given the very poor state of (especially) American media literacy, this tactic works very well. Witness the events the other day in Kirkland, Wash. – a small town near Seattle not known for demonstrations, where opposing sides came precariously close to violence with one another. The number of examples of how this pits citizens against citizens continues to grow, and this meets the strategic objectives of several nation-states, notably China and Russia – not known for leaving an opportunity like this on the table. Unfortunately, efforts to address online disinformation and counter it with fact-checking have been vilified by one political party, leaving the problem solely to the operators of the services to deal with. Poorly.
The unfolding events have also become an opportunity to increase infrastructure attacks, especially against infrastructure that’s potentially involved in assisting the Israeli war effort. Media and emergency services are being attacked in Israel, yes. More broadly, the focus on the Middle East seems suspiciously close in timing to the disruption of the gas pipeline between Finland and Estonia, and NATO has vowed to respond if that was deliberate. But correlation is not causality, and this may indeed be a coincidence in timing. Nonetheless, operators of critical infrastructure, especially in the energy, communications, public health, and emergency management sectors, should adopt a highly defensive stance at this time.
The confusion caused now by two wars has increased the opportunity for means to be applied against motives. Shields up.
Mike Hamilton, founder and CISO, Critical Insight