How Hamas Cyber Force hacked the Israeli army’s secrets

Cyber Force was one of the pillars of 7 October, and its successful role in supporting the operation shocked and outraged Israelis despite official denials that it caused serious disruption.

Al Majalla

A relatively recently formed part of Hamas's Cyber Group has had a rapid rise and significant success in gathering intelligence and breaching digital defences despite a series of assassinations of its leaders.

How Hamas Cyber Force hacked the Israeli army’s secrets

Kawthar Zantour

last update on 05 Nov 2023

Cyber attacks were among the first tactics used by Hamas when it launched Operation Al-Aqsa Flood and started war with Israel.

The group has a specialist unit that uses the internet as its battleground. Called Cyber Force, it is part of Hamas’ military wing, the al-Qassam Brigades. Israel has described Cyber Force members as “shadow soldiers” and has assassinated some of its leaders.

In 2021, the Israeli army and the Shin Bet security agency said that they destroyed training centres used by the unit in what they called Operation Guardian of the Walls.

But Cyber Force survived to become one of the pillars of 7 October, and its successful role in supporting the operation caused both surprise and outrage in Israel, despite official denials that it caused serious disruption.

Emblem of the Hamas Cyber Weapon soldiers.

According to Cloudflare, the global, US-based internet security company, cyberattacks were launched at 03.30 GMT on 7 October, aimed at blocking Israeli websites. So-called “distributed denial of service” attacks aim to deluge sites with requests for information, overwhelming their ability to provide it, and knocking them out of action.

The first attack peaked at 100,000 requests per second and lasted 10 minutes. A second attack was much larger, peaking at 1 million requests per second and lasted six minutes. They targeted sites and applications that provide essential information and alerts to the Israelis.

Cyber Force survived to become one of the pillars of 7 October, and its successful role in supporting the operation caused both surprise and outrage in Israel, despite official denials that it caused serious disruption.

Cloudflare pointed out that similar tactics were used when Russia invaded Ukraine, with online campaigns becoming an essential part of modern warfare. It said its systems detected the Hamas cyber attacks and automatically responded.

However, some experts do not classify denial-of-service attacks as total cyber warfare. François Deruty, CIO at online security firm Sekoia, told the Agence France Presse that the impact is temporary, designed to block traffic for hours with deliberately heavy traffic.

Secrets and weaknesses

Nonetheless, Cyber Force also demonstrated strong intelligence-gathering capabilities. It drew up a database of what The New York Times called "Israel's secrets and weaknesses", which was an integral part of the planning for Operation Al-Aqsa Flood.

The US newspaper's report said Hamas had "amazingly accurate knowledge of the secrets of the Israeli army" in its intelligence gathering, boosting the operation's success and helping it target hacking when it was underway to delay the Israeli response on 7 October.

It substantiated this claim via interviews with multiple Israeli intelligence officials and soldiers, survivors of the 7 October, documents from Hamas fighters discarded in the attacks and footage found in a camera that was attached to the hat of one of the movement's gunmen.

Palestinian militants move towards the border fence with Israel from Khan Yunis in the southern Gaza Strip on October 7, 2023.

It found that the Cyber Force's detailed research and planning meant they knew precisely where communications servers were. They put them out of action in several military bases.

The NYT report said the group had "a surprisingly sophisticated understanding of how the Israeli military operated, where it stationed specific units, and even the time it would take for reinforcements to arrive."

The extent of Hamas' intelligence stoked concern that either Israeli forces have neglected to protect sensitive information properly or that spies and agents have infiltrated the army. It is likely that an inquiry is underway even before the war is over.

There has been wider concern at the threat posed by Cyber Force in official Israeli circles and in the country's media for at least nine years. And the Cloudflare investigation shows such concern was well-founded.

The extent of Hamas' intelligence stoked concern that either Israeli forces have neglected to protect sensitive information properly or that spies and agents have infiltrated the army. It is likely that an inquiry is underway even before the war is over.

Range of targets

The US company's report, entitled "Cyber Attacks in the Israel-Hamas War", found a range of Israeli websites and apps were involved, as various pro-Palestine hackers hit out at the country alongside Cyber Force.

The AnonGhost group exploited a vulnerability in the Red Alert system, which warns Israelis of military strikes. This enabled them to send misleading alerts to some users of the application, including a warning of a nuclear bomb strike.

And hackers were using what Cloudflare called "malicious apps" targeting Android phones to access users' sensitive information.

After a lull beforehand, denial of service techniques were used heavily in the days after 7 October, with around 56% of the attacks happening then, concentrated on sites run by the media and broadcasters, more tactics that were reminiscent of Russia's in the Ukraine war.

After the media, computer software companies were the second-biggest target for denial of service attacks, followed by banks, wider financial services companies, insurance firms and then government websites.

The US company's report, entitled "Cyber Attacks in the Israel-Hamas War", found a range of Israeli websites and apps were involved, as various pro-Palestine hackers hit out at the country alongside Cyber Force.

Intelligence failure

The 7 October attacks revealed serious shortcomings in Israel's awareness of the threats it was facing.

The Israel Hayom newspaper pointed out that just months before the attacks, the army had reduced the number of its troops stationed in Gaza before transferring them to the West Bank. It called this a "massive intelligence failure".

Senior Israeli army officials said the decision was based on information that Hamas had no plans to escalate its fight with Israelis because it was keen to keep borders open to the thousands of Gazans crossing into Israel each day to work.

And yet, all the time, the detailed planning for 7 October was underway. "Where was the intelligence, and why did it take so long?" the daily Hebrew-language paper asked. It also listed other "difficult questions that the investigative committees must answer".

On 7 October, Hamas shocked the world, when thousands of its militants invaded southern Israel in an attack that demonstrated an unusual level of complexity.

Electronic army

The importance of Hamas's Cyber Force has increasingly grown in the past few years. It was officially recognised on 13 October 2022, although it is thought to have been operating without acknowledgement for around eight years before that.

The announcement of its existence came, in part, to honour its founder, an engineer called Jomaa Tahla. He was killed in Israeli air strikes in May 2021.

Hamas described him as a martyr who "worked to establish, rehabilitate, and develop" the Cyber Force. They said Tahla set up the Cyber Force in 2014, saying that "he was the one who came up with the idea of establishing the electronic Quds Army."

The al-Qassam Brigades acknowledged that the recruitment operations are based on "the idea of mobilising as much talent as possible at the level of the Arab and Islamic nations, talent that has experience in the cyber field" to launch cyberattacks against Israeli interests and systems.

It went on to list examples of its success:

A large-scale cyberattack on military bases, sites, security installations, and sensitive targets that affected 30,000 targets during the May 2019 aggression.
Hacking a siren system and activating sirens in various areas of Israel.
Hacking and tapping the frequencies of Israeli army radio signals on the Gaza border several times.
Hacking into the device of the director of the cyber department of Israel Aerospace Industries.
Pirating security and military data and information in a size of 19 gigabytes.
Hacking the Egged bus network system.

The Israeli military acknowledged that it had faced qualitative attacks, and in 2018, it confirmed that phones belonging to dozens of its soldiers had been hacked.

Over the years, Hamas's Cyber Force has hacked a siren system and activated sirens in various areas of Israel, hacked into the device of the director of the cyber department of Israel Aerospace Industries, and several other successful operations.

Operation Broken Heart

According to the Hebrew-language website A24, the Israeli army launched Operation Broken Heart to counter these security breaches.

It reported that the response followed a hack from Hamas that gathered information about army headquarters, including photos of facilities, including command rooms. Chat apps were used in the process, but Israel denied there was any significant security damage.

But this was when Israel started targeting Cyber Force, with the Hamas group's members receiving training in Malaysia, Turkey, and Iran.

In 2018, Mossad assassinated Dr. Fadi Al-Batsh, a leading member of the Cyber Force. In 2021, Mossad attempted to kidnap one of Cyber Force's leaders, Omar Al-Bilbeisi, a computer expert who specializes in hacking Android devices. He faced a kidnapping attempt in Kuala Lumpur.

Then, during Operation Guardian of the Walls, the Israelis killed Cyber Force's founder, Jomaa Tahla, who was also the right-hand man of the leader of Hamas' military wing, Mohammed Deif.

Israeli website Ynet listed 20 Cyber Force commanders killed in 2021, which was when the building used for training by the group was destroyed, in an article headlined "Hamas' capabilities fatally damaged".

But a 2022 US study, prepared by the Atlantic Council and published by the Israel Defence Centre, came to a very different conclusion.

It said that Hamas' ability to run cyber offensives had been ignored, especially in the field of intelligence gathering, both internally and externally.

There is a misconception Israel is protected from cyber-attacks. We're far from being protected in many places, and the attacks that have occurred will definitely damage the reputation of the Israeli cyber industry.

Ram Levy, Israeli cyber ecosystem developer

Test ahead for Cyber Force

What happens during the ongoing war in Gaza will reveal the extent to which Hamas has developed its cyber capabilities and how they have been affected by the campaign against it.

But whatever else happens, the Cyber Force's contribution to 7 October was significant. This is shown in the words of Ram Levy, formerly one of the developers of the Israeli cyber ecosystem in the Israeli prime minister's office, speaking to the BizPortal website:

"Israel is already seen as a cyber power, and when we created the cyber ecosystem, we wrote that Israel should have capabilities that would influence the whole world through high-precision intelligence, but that doesn't mean Israel is a protected country."

"There is a misconception that we're protected. We're far from being protected in many places, and the attacks that have occurred will definitely damage the reputation of the Israeli cyber industry."

+ / -