CyberSecurity SEE

Iranian APTs Present Themselves As Hacktivists for Disruption and Influence Operations

Iranian state-sponsored advanced persistent threat (APT) groups have reportedly been posing as hacktivists and taking credit for attacks on Israeli critical infrastructure and air defense systems. Despite the silence from threat actors in Gaza, most cyberattacks against Israel in recent months have been attributed to hacktivist operations and nation-state actors, as indicated in a new report from CrowdStrike.

These so-called “faketivists” have had varying effects on the Israeli-Gaza conflict, with limited evidence of truly disruptive attacks. The primary impact of this strategy is the creation of plausible deniability for the state, as well as the public’s perception that these attacks are inspired by grassroots activism. Researchers have highlighted the effort put into maintaining this charade as particularly noteworthy.

Adam Meyers, CrowdStrike’s senior vice president for counter adversary operations, emphasized the evolution of hacktivist activity from traditional website defacements and DDoS attacks to more sophisticated hack and leak operations. He noted that many hacktivist activities appear to be nation-states attempting to maintain a “deniable” capability.

Iran’s “faketivists” have been identified as nation-state actors masquerading as hacktivist groups. These groups, such as “Karma Power” and “The Malek Team,” are linked to Iranian state agencies and have executed cyber operations to support Iran’s geopolitical objectives. To promote their persona, faketivists often adopt the aesthetic, rhetoric, tactics, and procedures associated with legitimate hacktivist outfits. Additionally, they tend to emerge after major geopolitical events, reflecting the interests of their government sponsors.

While Iran’s faketivists have been active in carrying out cyberattacks against Israel’s critical infrastructure and air defense systems, the actual impact of these attacks has been limited. Some breaches have been noted, but the majority appear to be opportunistic, aiming to boost one side’s morale and undermine the other.

Furthermore, cyber activity associated with Hamas has diminished significantly since the October 7 attack. Threat analysts have observed a lack of online activity from Hamas-connected cyber threat actors, likely due to Internet disruptions in the region. Despite this, APT groups affiliated with Hamas, such as CruelAlchemy, have continued their operations, albeit from physical locations outside of Gaza.

In conclusion, Iranian faketivism continues to play a role in the cyber domain, while traditional threat actors associated with Hamas have been less active. The evolving landscape of cyber warfare presents an ongoing challenge for security researchers and organizations alike.
