Introduction
In light of the ongoing escalation in the Middle East, Group-IB’s Threat Intelligence unit has been monitoring the activity of different threat actors involved in the conflict in cyber space.
As we noted in the Hi-Tech Crime Trends 2022/2023 report, any rise in political tensions or the outbreak of hostilities is almost always accompanied by an uptick in hacktivist activity, and the current escalation of the conflict has been no exception.
Group-IB researchers have been closely following the major developments taking place in the digital space against the backdrop of the ongoing military action and providing regular updates on hacktivist operations and other notable cyber threats on the Threat Intelligence X (formerly Twitter) account. All their findings related to the conflict are accompanied by the hashtag #CTI_ISRPAL.
With two weeks now gone since the uptick in hostilities, Group-IB is able to provide an overview of the key threat trends to date, as well as recommendations of steps organizations can take to protect themselves from potential attacks.
Week 2 Summary (Oct. 16 – Oct. 22, 2023)
- Group-IB researchers identified 649 DDoS and website defacement attacks conducted between October 16 and October 22 confirmed with moderate confidence
- There was a 3.3% decrease in the number of identified DDoS and defacement attacks compared to Oct. 9 – Oct. 15
- The number of DDoS attacks decreased by 8.3%, while the number of defacement attacks rose slightly by 0.25%
- In Week 2, hacktivist attacks peaked on Tuesday, Oct. 17, when 155 were registered.

Figure 1. Hacktivist attacks by date, type registered between October 16 and October 22, 2023.
Week 1 Summary (Oct. 7 – Oct. 15, 2023)
- Telegram channels have become a major platform for self-coordination of hacktivist operations
- Group-IB researchers identified over 740 DDoS and website defacement attacks conducted between October 7 and October 15 confirmed with moderate confidence
- Key targets include government websites, banking and financial sector, telecommunications companies, IT companies, media outlets, and retail organizations
- Some hacktivists try to generate hype by posting data from past attacks and masquerading them as recent ones in order to attract attention
- Advanced persistent threat actors and ransomware groups are yet to publicly make their presence known, but it is most likely a matter of time
Hacktivists garner attention with DDoS, defacement attacks
As the conflict flared up on October 7, hacktivists were among the first to spring into action. Many of these groups, which often contain individual cybercriminals who possess limited technical expertise, coordinate their attacks across various platforms including Telegram, IRC, forums, Discord, and Twitter, and the volume of attacks they are able to launch, plus the size of their communities, significantly amplifies their impact.
Hacktivists, on the whole, launch two specific types of attacks: website defacements and distributed denial-of-service (DDoS) attacks.
A website defacement attack is a type of cyberattack in which a threat actor or group of attackers gains unauthorized access to a website and alters its visual appearance, content, or functionality. This illicit modification deviates from the website’s intended presentation, resulting in the display of erroneous information, inappropriate content, or politically or socially charged messages. There are two main attack vectors that facilitate this intrusion: unauthorized access to the Content Management System (CMS) or to the web server.
In CMS-based attacks, threat actors typically exploit leaked credentials or vulnerabilities that enable credential acquisition. This grants the perpetrators control over the websites governed by the compromised CMS, allowing them to manipulate content. Furthermore, CMS access can be a starting point for infiltrating the web server, often through the uploading of web shells via the compromised CMS.
Attackers can not only modify website content but also introduce malicious code, such as JS-sniffers. This code is engineered to harvest data entered by users into online forms, gathering credentials, financial information, and other sensitive data.
The implications of these attacks can extend beyond content defacement. In instances where web servers share administrative oversight or connectivity with internal servers, the attack can escalate. Shared credentials or interconnected systems can be exploited, paving the way for a more extensive cyber-attack.
Additionally, the popularity of underground markets has streamlined the process for potential attackers, especially hacktivists. These illicit marketplaces offer pre-compromised CMS access or web shells, eliminating the need for attackers to compromise the systems on their own. To learn how to protect against defacement attacks, visit the Recommendations section.
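The two defacement symptoms described above (altered content, and an injected JS-sniffer loading from a third-party host) can both be caught by comparing the live page against a known-good copy such as a backup. The following integrity check is an added example, not Group-IB code; the baseline page, the hostnames and the script allowlist are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline for a hypothetical site (e.g. from the last known-good backup).
BASELINE_HTML = (
    '<html><head><title>Example Bank</title>'
    '<script src="https://cdn.example-bank.test/app.js"></script></head>'
    '<body><h1>Welcome</h1><form action="/login"><input name="user"></form>'
    '</body></html>'
)
TRUSTED_SCRIPT_HOSTS = {"cdn.example-bank.test"}  # assumed allowlist of script origins

class ScriptCollector(HTMLParser):
    """Records external script hosts and counts inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline = set(), 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self.inline += 1          # inline sniffer code would land here
            return
        host = urlparse(src).netloc.lower()   # "" for same-origin paths
        if host:
            self.hosts.add(host)

def scripts_of(html):
    p = ScriptCollector()
    p.feed(html)
    return p.hosts, p.inline

def page_hash(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def check_page(html, baseline=BASELINE_HTML, trusted=TRUSTED_SCRIPT_HOSTS):
    """Return sorted findings; an empty list means the page matches the baseline."""
    findings = set()
    if page_hash(html) != page_hash(baseline):
        findings.add("content-changed")            # any edit: defacement candidate
    hosts, inline = scripts_of(html)
    for host in hosts - trusted:
        findings.add("untrusted-script:" + host)   # possible JS-sniffer injection
    if inline > scripts_of(baseline)[1]:
        findings.add("new-inline-script")
    return sorted(findings)
```

Run it on a schedule against the rendered page and alert on any non-empty result; the script-host findings are the ones that matter even when the visible content looks untouched.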
Distributed Denial of Service (DDoS) Attack is a malicious attempt to disrupt the normal functioning of a network service, server, website, or online resource by overwhelming it with a flood of internet traffic. The main goal of a DDoS attack is to make the targeted service or website temporarily or completely unavailable to its intended users.
Here’s how a DDoS attack typically works:
- Distribution: Unlike a regular DoS (Denial of Service) attack, where a single computer or network is used to flood the target, a DDoS attack involves multiple sources. These sources can be a network of compromised computers (often called a botnet), which are usually controlled remotely by the attacker. The use of a botnet makes it difficult to trace the attack back to a single source.
- Traffic Overload: The attacker orchestrates this network of compromised devices to send an overwhelming amount of traffic requests to the target. This surge in traffic saturates the target’s network or server resources, rendering it unable to respond to legitimate user requests.
- Service Disruption: The sheer volume of incoming traffic can cause the target’s network to slow down significantly or, in extreme cases, crash, making the website or online service unavailable to users. This can have serious consequences, particularly for businesses and organizations that rely on their online presence.
DDoS attacks come in various forms, such as UDP flood, SYN/ACK flood, and HTTP flood, each targeting different aspects of a network’s infrastructure. The motives behind DDoS attacks can vary, including financial extortion, ideological or political reasons, revenge, and even simple mischief.
To learn how to defend your system against DDoS attacks, head over to the Recommendations section of this blog post.
To launch these attacks, hacktivists first identify potential vulnerabilities in their targets, which often include major governmental, media, and financial organizations. They compile all autonomous system numbers (ASNs) associated with the targeted country and scan each IP address with the goal of uncovering any possible asset, be it a database, a specific vulnerability, or any other exploitable element. Group-IB’s Threat Intelligence researchers described this modus operandi in more detail in their recent blog about Mysterious Team Bangladesh.
Even though the coordination of cyberattacks via Telegram isn’t entirely new, the use of this platform has increased during the ongoing conflict, as it provides anonymity and quick communication for hacktivists. Among other things, it has become easier for hacktivists to call on allies for attacks. In these channels they identify targets, and other hackers who support them join in the attacks and look for holes in the victims’ systems.
Having analyzed several hacktivists’ Telegram channels, Group-IB’s Threat Intelligence unit was able to confirm, with moderate confidence, more than 740 DDoS and website defacement attacks completed by groups between October 7 and October 15. This research was made possible by the real-time Telegram monitoring capabilities of Group-IB’s Threat Intelligence platform.
In most cases, hacktivists share their successes in Telegram channels and provide links to online tools for checking the availability of websites (for example, Check-host) or archives of defaced sites (for example, Zone-H or Mirror-h). With this information, it is possible to assess, with moderate confidence, that at the time they posted this information, the availability of the hosts was disrupted.

Figure 2. Hacktivist attacks by date, type registered between October 7 and October 15, 2023.
The data in Figure 2 above reveals that hacktivists carried out slightly more defacements (405) than DDoS attacks (343). Additionally, hacktivist activity peaked on October 9, when 208 attacks were registered.
It is essential to monitor these cybercriminals and the information that they post, such as lists of specific targets or direct IP addresses instead of simple domains, which can amplify the damage from a DDoS attack and lay the groundwork for more sophisticated and comprehensive attacks.
Other major trends in hacktivist operations during this conflict include an uptick in attacks on government websites and IT companies. Other key targets include the banking and financial sector, telecommunications companies, media outlets, and retail organizations.
The importance of verification
In times of political and military escalation, disinformation and conflicting narratives frequently circulate online. Determining the success rate of hacktivist attacks can be challenging, as claims may not always reflect reality. It often requires thorough monitoring and post-attack analysis.
One such claim was refuted by Group-IB’s Threat Intelligence analysts during the first week of hostilities. On October 8, posts appeared in the Telegram channel of the hacktivist group known as Cyber Av3ngers. In these messages, members alleged to have successfully infiltrated and extracted documents from the systems of the Dorad power plant (Figure 3).

Figure 3. Screenshot from the Cyber Av3ngers Telegram group posted on October 8, 2023.
Group-IB experts conducted a thorough analysis of the information posted by Cyber Av3ngers, and discovered that the material claimed to have been stolen in a recent attack was in fact the same data that was exfiltrated by the ransomware group Moses Staff in 2022 and uploaded onto their website (Figure 4).

Figure 4. Screenshot of archived page on Moses Staff website containing data from Dorad power plant infiltration.
Group-IB researchers note that the Dorad data is no longer available on the Moses Staff website, but copies of the files were found in several Telegram groups.

Figure 5. Screenshot of Telegram posts from June 2022 containing data from Dorad power plant attack carried out by Moses Staff.
This case study is a potent reminder of the need to stay alert for fakes amid the ongoing conflict. Be sure to follow Group-IB’s Threat Intelligence X (formerly Twitter) feed for up-to-date information related to cyber threats surrounding this conflict, as well as, more broadly, the global threat landscape.
Hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. However, as the ongoing conflict shows, their actions can be far more devastating and costly. It’s essential to map and properly mitigate the risk of hacktivism as part of a comprehensive threat intelligence program.
Recommendations
DDoS Attacks:
- Use Group-IB’s Threat Intelligence to obtain up-to-date information about hacktivist groups’ TTPs and their upcoming attacks. Our tailored threat intelligence provides organizations with contextual information about their specific threat landscape and relevant risks. Through customized reports and notifications, businesses receive comprehensive insights, moving away from generic threat bulletins and ultimately improving the time and efficiency in risk mitigation.
- Many threat actors employ automated DDoS tools to execute their attacks. These tools often utilize predefined lists of proxy addresses. These lists are collected, regularly updated, and provided by Threat Intelligence systems. Additionally, some attackers conceal their real IP addresses using standard methods like VPNs, proxies, or TOR. Group-IB’s Threat Intelligence also collects this information and can enhance lists of suspicious IP addresses to facilitate the process of blocking incoming malicious traffic.
- Check if you have anti-DDoS protection and make sure it is enabled right now.
- Diversify Providers: use multiple ISPs or cloud providers to ensure redundancy. If one is attacked, you can fall back on others.
- Upstream Filtering: some ISPs offer traffic filtering to block malicious traffic before it reaches your network.
- Scale Resources: be ready to automatically scale resources to handle traffic spikes. This is easier if you are using cloud services that provide auto-scaling.
- Rate Limiting: set thresholds for the number of requests a user can send in a certain time frame.
- If you are facing an L7 DDoS attack on web apps and the current provider has issues, check whether your organization has bot protection in place.
- Implement geofencing to block non-region-related IP access to critical applications during the active phase of an attack.
- Use IP blacklisting and whitelisting.
- Save logs during DDoS attacks: technical information about the attack can significantly improve your detection and prevention capabilities after an in-depth analysis. Furthermore, it offers valuable insights for further investigation.
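Three of the points above (rate-limiting thresholds, TI-supplied lists of proxy and Tor addresses, and keeping logs from the attack window) come together in the kind of log sweep a defender runs during an L7 flood. The script below is an added example, not Group-IB code or a Group-IB product feature; the access-log lines, the addresses and the TI list are constructed, and it assumes each client's lines arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

TI_LISTED = {"198.51.100.5"}   # hypothetical TI feed of proxy / Tor exit addresses (constructed)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def make_sample_log():
    """Constructed access-log lines: one flooding address, one TI-listed
    address browsing normally, and one ordinary visitor."""
    lines = [f'203.0.113.7 - - [17/Oct/2023:10:00:{i // 20:02d} +0000] '
             '"GET / HTTP/1.1" 503 0' for i in range(120)]
    lines += [f'198.51.100.5 - - [17/Oct/2023:10:0{i}:30 +0000] '
              '"GET /news HTTP/1.1" 200 2048' for i in range(3)]
    lines.append('192.0.2.9 - - [17/Oct/2023:10:00:05 +0000] '
                 '"GET /about HTTP/1.1" 200 1024')
    return lines

def parse(line):
    """Return (client_ip, epoch_seconds, path), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), ts, m.group(4)

def analyze(lines, window=10, threshold=50, ti_listed=TI_LISTED):
    """Peak requests per IP inside a sliding window of `window` seconds,
    plus a verdict that combines the rate threshold with the TI list."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                        # a malformed line must not stop the sweep
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:           # evict requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    verdicts = {}
    for ip, count in peak.items():
        over, listed = count > threshold, ip in ti_listed
        # flood from a TI-listed address -> block; plain flood -> rate-limit;
        # TI-listed but quiet -> keep watching; otherwise allow
        verdicts[ip] = ("block" if over and listed else "rate-limit" if over
                        else "review" if listed else "allow")
    return verdicts, dict(peak)
```

The per-IP peak counts are what to keep alongside the raw logs: they document the attack for the post-incident analysis the last recommendation calls for, and they show where the rate-limiting threshold should sit.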
Defacements:
- Regular Backups: store backups both on-site and off-site to ensure you can quickly restore your website after a defacement.
- Make sure that your Content Management System (CMS) administration interface is not accessible from the internet and that the CMS is regularly updated to the latest version. Update all plugins, themes, and extensions; outdated plugins are a common attack vector.
- Regularly update web-server backend software to prevent exploitation of known CVEs.
- Web Application Firewall (WAF): configure a WAF to inspect incoming traffic, block malicious requests and attempts to exploit vulnerabilities.
- Start searching for your publicly facing shadow IT assets to uncover potential vulnerabilities that can be exploited by threat actors. We recommend solutions such as Attack Surface Management.
- Limit your exposure by disabling unnecessary services that are not in use and do not use default URLs for login or admin panels.
- The emergence of underground markets has simplified the attack process for potential intruders, including hacktivists. These illegal marketplaces provide pre-compromised CMS access or web shells, removing the need for attackers to breach these systems themselves. Use Threat Intelligence platforms to obtain information about any unauthorized access that may be up for sale. It can preempt potential threat activities, neutralizing risks before other malicious actors purchase and exploit this access.
- Implement geofencing during the active phase of an attack.
Data leaks:
- Use Group-IB Threat Intelligence to monitor for compromised corporate credentials of your employees.
- Strengthen your password policy. Make sure your employees’ passwords are regularly updated and that they do not reuse old or identical passwords. Companies should not only establish strong password policies but also regularly update them to stay ahead of evolving threats and security best practices. Employee training and enforcement of these policies are equally important to ensure compliance and data security.