Threat Intelligence

#OpJerusalem 2022

Introduction

Following the #OpIsrael campaign that culminated on April 7th, an additional campaign named #OpJerusalem, which targets Israeli websites, is now in motion. It is intended to launch on April 29th, marking Iran’s annual Al-Quds Day and the end of the Muslim holy month of Ramadan.

Iran initiated Al-Quds Day, or Jerusalem Day, in 1979, the year of the Islamic Revolution. The day is marked with anti-Israel speeches, events, and threats to “liberate Jerusalem from Israeli occupation”. In the last 3 years, the campaign has expanded into cyberspace, and cyber attacks on Israeli targets are highly expected to occur on that day, presumably by anti-Israel hacktivists who seek to spread propaganda messages through website corruption, DDoS attacks, and even ransomware and database leaks.

In general, the past few months have been especially sensitive in Israel, with several national security events including the uprising in the West Bank region, terrorist attacks in central Tel-Aviv, riots on the Temple Mount and continuous attempts by Hamas to incite the region.

Recent Activity Against Israeli Companies

Cyberint has monitored several social media accounts and pages of anti-Israeli hacktivists that are known to have participated in previous ‘OpJerusalem’ campaigns, in order to identify any groups that might also take part in activity against Israel in the upcoming campaign, or to detect any intention to target particular Israeli companies.

We have found that most of the ‘OpJerusalem’ activity on social media platforms relates to the physical space, with many anti-Israeli hacktivists calling to ‘free Palestine’ and stating that ‘Jerusalem is the capital of Palestine’.

A Telegram channel named ‘AlQuds Day’ associated with the campaign, stating “the way to Jerusalem is one”

To date, the anti-Israeli hacktivist groups have only published a general warning to all Israeli companies and have not provided concrete target lists of Israeli companies or sectors, nor any valuable IOCs to encourage the attacks.

Nonetheless, on April 25th, a hacktivist group named ‘Hackers of Savior’, allegedly Iranian, published a video asserting that they had succeeded in hacking into the banking system used to transfer money between Israeli banks and Israeli citizens’ accounts. Although ‘Hackers of Savior’ have not affiliated themselves with the ‘OpJerusalem’ campaign, it is most likely that this attack is related to the sensitive period of Al-Quds Day and the OpJerusalem campaign. This indicates that the campaign might still be destructive to Israeli companies, regardless of the lower volume of posts it has gained so far.

A screenshot from the video which was published by ‘Hackers of Savior’ on April 25th

‘Hackers of Savior’ is known to have been active since at least 2020, when the group associated itself with the exploitation and defacement of more than 2,000 Israeli websites, which showed an image of Tel-Aviv burning in flames with a fear-mongering caption. Notably, the attack continued into May 2020, following ‘Jerusalem Day’.

In addition, Cyberint traced a Telegram channel named ‘Daily Dark Web’ in which a forum post by a threat actor named ‘JenxKito’ was echoed:

Posts by ‘JenxKito’, indicating Israeli organizations as targets

The threat actor claimed to hold databases of Israeli companies and banks, attaching only screenshots of a forum post. However, it seems to be more of a provocation attempt, since the post is no longer available and no further evidence of the claimed leak was found.

Conclusions & Recommendations

Cyberint witnessed a high volume of ‘OpJerusalem’ online activity relating to the physical space. This, however, does not conclusively indicate that the threat this campaign poses from a cyber perspective is lower.

We will keep monitoring the mentioned groups on the different social media platforms throughout the campaign period to identify any activity or IOCs that could indicate potential targets in this campaign.

We will also closely track the threat actor ‘JenxKito’ in case he publishes additional information regarding the leaked databases of Israeli banks and companies.

It is also advised to reinforce network security infrastructure against the typical cyber attacks recognized as commonly used by the hacktivist groups of this campaign.

 
