Pro-Palestinian operation claims dozens of data breaches against Israeli firms

Pro-Palestinian hackers say they breached dozens of Israeli entities amid the ongoing war in Gaza, which has also extended into cyberspace.

A group calling itself Cyber Toufan said it launched an operation against Israel at the end of November, promising to publish leaked information from hacked websites every day throughout the month.

Earlier this week, the group said on its Telegram channel that it had “fulfilled its promise” and released stolen data from 60 sites. Cybersecurity researchers said that in many cases, the data appears to be real.

The list included not only Israeli companies but also foreign firms doing business with the country such as SpaceX, Toyota and IKEA.

The hackers weren't too selective in picking their targets; they claim to have attacked cybersecurity firms, government agencies, as well as e-commerce platforms, manufacturing companies, schools, colleges, and even a swimming pool cleaner company.

Cybersecurity researcher Kevin Beaumont called the group “incredibly well organized and disruptive.”

“They are not a lame DDoS group, nor are they doing financial extortion. They are wiping large numbers of organizations,” he said. “I have spoken to a few of the named victims and they are still offline weeks later with limited recovery options as backups were erased.”

According to Beaumont, the group has started emailing customers of cybersecurity companies, asking them to boycott various vendors that operate in Israel.

Some of the cyber companies contacted by Recorded Future News have not yet responded to the requests for comment. Beaumont mentioned that about a third of the companies targeted by Cyber Toufan still haven’t recovered after being wiped.

Researchers at Tel Aviv-based Check Point told Recorded Future News that the group's leaks seem “genuine.” The company also said that the hackers' leaks appear to result from a major attack on an Israeli hosting company named Signature-IT. The company has not responded to a request for comment.

Cyber Toufan dismissed the claim that all the leaks are connected to the Signature-IT hack. “We will be releasing more behind the scenes of the operation once the month of leaks completes,” the hackers said.

Check Point called Cyber Toufan an Iranian threat actor. Another cyber firm, SOC Radar, said that the group’s tactics and scale of operations “bear the hallmarks of a sophisticated entity, potentially state-sponsored.”

Cyber Toufan has not commented about its origins.

“The Israeli media and Israel's top cybersecurity firms seem pretty confident in their attribution of us and our work to one foreign state entity or another. We are not surprised,” the hackers said.

“The lies they tell themselves about the capabilities of the resistance is what allowed us to strike as hard as we did on October the 7th, all under the noses of their very own intelligence and military apparatus,” they added.

One of many

After the October 7th attacks by the Palestinian militant group Hamas, the ongoing war has also led to an escalation in cyberspace, with various hacktivists and nation-state hackers taking sides in the conflict.

Hacktivists are using tactics similar to what was seen at the beginning of the Ukraine-Russia war: leaking stolen documents and launching distributed denial-of-service and defacement attacks on government websites, media outlets, and critical infrastructure.

Some operations are more sophisticated. In December, for example, a cyberattack disrupted the operation of gas stations throughout Iran, an ally of Hamas. Iranian authorities attributed the attack to Israel and the U.S.

Many groups involved in the cyberwar with Israel are affiliated with Iran. Among them are CyberAv3ngers and Cyber Toufan, according to Check Point. Their operations often involve claims of retaliation against U.S. entities for using Israeli technology, reflecting a strategy of dual retaliation, the company said in a recent report.

Cyber Toufan often changes tactics depending on what’s happening on the battlefield, Check Point told Recorded Future News. For example, they halted the leaks during a recent cease-fire.

Around 10 Iranian-backed hacking groups are attacking Israel, mostly with less visibility and public noise, but Cyber Toufan is “the most notorious” among them, researchers said.

According to Check Point, Google has blocked the hackers' Telegram channel where they publish leaks, but it is still visible on Apple devices.

In the post announcing the latest leak, the group said that the end of the current operation “is not the end of Cyber Toufan.”

“As long as our brothers keep striking the occupying forces on the ground, we'll continue targeting them and their interests in the cyber domain, whether publicly or without a trace,” the hackers added.