Footage beamed live around the world on social media showed paragliders armed with automatic weapons swooping from the sky, terrorists on motorcycles flooding through gaps in a vaunted defensive line, and civilians massacred and dragged from their homes to serve as hostages. A hail of rockets threatened to overwhelm the defensive systems that protect millions of Israelis.1
Not visible were the hackers who eroded the ability of the country’s security organizations to provide warning and took advantage of civilian safety apps to install malware, not to mention the years of reconnaissance they conducted through the personal devices of Israelis. The 7 October Hamas attacks on Israel were notable for many reasons, one of which was their integrated employment of the information environment before, during, and after.2
Hamas’s attacks demonstrate the kinds of asymmetric and nontraditional cyber threats in the information environment that must be addressed to keep U.S. forces secure. While until recently nonstate actors were not generally associated with cyber capabilities, such actors can affect advanced militaries with increasing effectiveness as they gain access to better tools and skills. Furthermore, the integrated attacks illustrate the effects of attacks on individuals within a force unprotected in cyberspace. They demonstrate that the capabilities are a real and growing threat to Marines and sailors operating around the world.
This deserves close examination, given the information warfare–related strategies from the Department of Defense (DoD) and Department of the Navy released in fall 2023.3 The documents speak to the importance the United States places on the information environment and the tools needed to fight and win there. The 2023 Annual Threat Assessment of the U.S. Intelligence Community highlights the growing cyber threat major strategic competitors pose. While a strategic focus on countering state capabilities is reasonable, the recent events in Israel and Gaza offer a reminder of the need to look more deeply at strategy through the lens of asymmetric and transnational actors such as terrorist groups.
Recognizing the threat is an excellent first step, but concrete actions must follow to improve the cyber resiliency of U.S. forces. These steps should include improved cybersecurity training, the proliferation of DoD-approved tools that service members can safely access and employ to keep themselves safe, and expanded use of antivirus (AV) protection. Marines and sailors carry devices in their pockets on a near-constant basis that are connected to the rest of the world. In this way, they also create a direct access line for adversary cyber operations. Failing to address the vulnerabilities these devices and connections create would be negligent and leave military systems at risk.
Catphishing and Jailbreaks
Hamas used cyber capabilities to complement air and ground actions during its attacks. Approximately 12 minutes after Hamas launched the initial rocket salvo, cybersecurity firms detected distributed denial of service (DDoS) attacks aimed at shutting down websites that provide rocket alerts to Israeli civilians.4
On the day of the attacks, hackers hijacked billboards to push terrorizing messages and bombarded phones in Israel with threats via text messages.5 In the days that followed, other groups began attacking sites and services connected to the conflict. Some cyberattacks exploited code issues in apps to send fake rocket alerts, intercept requests, and expose servers. Counterfeit versions of those apps allowed hackers to collect sensitive data from users.6 One pro-Palestinian hacker group, Ghosts of Palestine, claimed to have attacked Israeli organizations including the Ministry of Foreign Affairs and Ben Gurion Airport.7
While it is unclear how much direct control Hamas had over the hacking groups behind these attacks—possibly they were merely hacktivists joining in a larger conflict—the level of coordination at least suggests a close working relationship. Regardless, Hamas used advanced cyber capabilities in an impressively coordinated fashion. This capability did not emerge overnight. Over the past decade, Hamas developed a sophisticated cyber capability that racked up some impressive wins. Hamas began its cyber operations in 2013, using phishing tactics that included pornographic videos, relying on people’s reluctance to report threats given the nature of the videos.8 Since at least 2017, Hamas has been using fake dating profiles to lure Israeli Defense Force (IDF) personnel into downloading images containing malware and allowing Hamas operatives to snoop through phones to gain information on IDF weapons, units, and facilities.9
During the 2018 FIFA World Cup tournament, Hamas created an app to exploit fan interest in the games. It was supposed to let users track results, but it also contained malware targeting IDF personnel.10 This allowed Hamas to control the cameras and microphones of phones remotely, gaining information on IDF troops, bases, equipment, and operations. Hamas-associated hackers have proven adept at using social engineering on popular messaging apps such as WhatsApp to elicit information.11 Hacked IDF devices appear to have provided much of the strikingly detailed intelligence on weapon platforms and facilities that made the 7 October attacks so successful.12
The IDF has not taken Hamas’s cyber activities lightly. It correctly sees them as a serious component of the threat picture. In May 2019, the IDF bombed the headquarters of Hamas cyber operations in response to an attempted widespread cyberattack.13 It followed this up in 2021 by striking Hamas cyber facilities in Gaza, such as storage facilities and hideouts for cyber operators, and targeting operators themselves.14
Nothing New Under the Microprocessor
Advanced cyber tools and “zero-day” exploits are being sold to the highest bidders.15 Tools once the sole domain of organizations such as the National Security Agency now find their way into the hands of rogue states, criminal groups, and terrorist organizations through a thriving gray market. Cartels in Mexico employ powerful Pegasus spyware from Israeli company NSO and other cyber tools to intimidate the cartels’ own personnel as well as journalists and activists.16
Terrorist groups have employed cyber tactics to conduct or support operations for many years. In 2009, Iranian-backed Shiite militants in Iraq hacked U.S. MQ-1 Predator feeds, gaining the same access U.S. operators had.17 Starting in 2012, hackers from the Syrian Electronic Army group hacked accounts associated with media companies, using the platforms to promote their preferred narratives of the Syrian civil war and spread disinformation.18
Perhaps the most consequential hack happened in 2013 when Syrian operatives gained access to the Associated Press Twitter account, from which they tweeted there had been an explosion at the White House. Although quickly debunked, it caused the U.S. stock market to tumble briefly—a real albeit temporary economic effect. In January 2015, ISIS-affiliated hackers briefly took over the U.S. Central Command Twitter account.19 Although embarrassing, the action’s military value was limited because control was quickly restored, and it did not appear to support the group’s actions in any other domain.
Integrating cyber action as part of a more extensive military campaign is difficult. Following Russia’s 2022 invasion of Ukraine, many experts pointed to Russia’s seeming inability to sequence cyber effects to support or complement actions on the ground or in the air despite supposedly possessing some of the world’s most sophisticated cyber capabilities—and years of practice with them in Ukraine after the 2014 annexation of Crimea.20
While the scope and scale of Hamas’s cyber integration during its attacks were not as impressive as what an actor such as the U.S. military potentially could achieve, they still bear watching. Notably, Hamas did not need to penetrate secure IDF networks to gather the intelligence required; it went after the larger and softer attack surface of IDF personnel, targeting them in their pockets, where the Israeli cybersecurity establishment was not protecting them. This should serve as a warning: Other groups will increase their cyber capabilities to target militaries’ large, soft cyber underbellies for future operations.
Actors of all kinds across the globe do not distinguish between those actively engaged in conflict and those at home scrolling. Bad actors will target Marines, sailors, and their families as service members deploy abroad, conducting espionage and degrading unit capabilities wherever they are able.
Enhancing Personal Capacity
Line of effort no. 1 in the Department of the Navy’s cyber strategy recognizes that cybersecurity training must be improved.21 Human error is the number one vector for cyberattacks on an organization, and the Marine Corps and Navy workforces are as big, diverse, and juicy a target (if not more so) as any other organization’s.
While improvements in the annual DoD Cybersecurity Awareness Challenge over the past several years are welcome, the program still falls short.22 First, the training needs to build on itself, bringing new skills and awareness each year. Instead, the training is viewed as, at best, a rote chore, or, more commonly, as a nuisance to be clicked through as quickly as possible. It can be hard for many to engage with abstract “What if?” scenarios, even if users are deeply aware of how critical brilliance in the cyber basics ought to be. However, presenting service members with real threats and tactics being used against them would likely result in a much higher level of engagement: “What techniques are Russian groups using against Ukrainians? How did Israeli soldiers get compromised by Hamas-affiliated cyber groups?” It is human nature to be more interested in something that has an obvious potential effect on your life. Making clear the linkage between the concepts currently taught—spear-phishing links, VPNs, and so forth—and how adversaries are using them to target U.S. users would improve the connections service members make.
In conjunction with improved training, the Department of the Navy should work closely with the Cybersecurity and Infrastructure Security Agency and commercial providers to generate lists of effective cybersecurity tools available to service members to use on their personal devices and incorporate those tools into training.23 It is not enough to tell Marines and sailors that images downloaded from dating apps might contain malware if there is no readily available tool they can reach for to protect themselves. These should include VPN services that allow safer connections as they travel abroad for missions and shore leave. The tools come in numerous varieties; however, a poor understanding of their capabilities and limitations can leave service members vulnerable. A simple toolkit and a basic knowledge of when and how to apply it can go a long way toward hardening the cybersecurity of the force.
Another prospective easy win would be providing antivirus protection. If you were to brief any commanding officer that the majority of his or her troops lacked personal protective equipment (PPE) for their jobs, he or she would be profoundly concerned. Government-furnished devices all come with commercial antivirus software because of their perceived criticality to setting a defensive baseline. A simple but effective improvement would be to have everyone use antivirus on all their devices, personal ones included. Anecdotal evidence, however, suggests that service members’ personal computers and mobile devices do not possess sufficient “cyber PPE.”
The Defense Information Systems Agency offers a “home-use program” in which service members get one free year of McAfee antivirus protection on one device.24 This is a good start, but many people have multiple devices, and a majority will go without coverage after the first year. Many Marines and sailors know how important this software is, but they may be unwilling or unable to pay the annual fees to maintain the service across personal devices. Antivirus protection should be provided to all service members for free as an element of their issued protective equipment. This would set a new baseline of protection at home and deployed, decreasing the cyber attack surface. It undoubtedly would be costly, taking into account the scale of the Department of the Navy, but leaving such a large vulnerability almost certainly would prove far more costly in the future.
As the Adversary Moves, So Must We
It is impossible to make cyberspace 100 percent safe or expect 100 percent compliance with best practices. Even if every Marine and sailor were to become a fully certified cybersecurity expert, they are still human and will make human mistakes. But mitigating the size and depth of the present security vulnerability is worth substantial investment. Believe the adversaries who are more than happy to exploit the connections in a service member’s pocket for military gain: It is worth the time and resources to improve cybersecurity for the masses. Given the crucial role cyber plays in the information environment, it is critical to protect that space by improving the training given to all service members, providing real tools for them to use to protect themselves, and furnishing some basic cyber PPE.
1. Daniel Byman, Emily Harding, and Michael Leiter, “Hamas’ October 7 Attack: The Tactics, Targets, and Strategy of Terrorists,” Center for Strategic and International Studies, 7 November 2023.
2. MWI Podcast, “Understanding Hamas—From Tactics to Strategy,” West Point Modern War Institute, 14 November 2023.
3. Summary of the 2023 Cyber Strategy of the Department of Defense (Washington, DC: Department of Defense, September 2023); Department of Defense, “DOD Announces Release of 2023 Strategy for Operations in the Information Environment,” 17 November 2023; and Department of the Navy, “The Department of the Navy Releases Inaugural Cyber Strategy,” 21 November 2023.
4. Omer Yoachimik and Jorge Pacheco, “Cyber Attacks in the Israel-Hamas War,” The Cloudflare Blog, 23 October 2023.
5. Colin Demarest and Tzally Greenberg, “‘Hacktivists’ Join the Front Lines in Israel-Hamas War,” C4ISRNet, 31 October 2023.
6. Blake Darche, Amen Boursalian, and Javier Castro, “Malicious ‘RedAlert—Rocket Alerts Application’ Targets Israeli Phone Calls, SMS, and User Information,” The Cloudflare Blog, 13 October 2023.
7. Sam Sabin, “Hackers Make Their Mark in Israel-Hamas Conflict,” Axios, 10 October 2023.
8. Simon P. Handler, The Cyber Strategy and Operations of Hamas: Green Flags and Green Hats (Washington, DC: Atlantic Council, November 2022), 12–13.
9. MWI Podcast, “What Was Hamas Thinking?” West Point Modern War Institute, 23 October 2023.
10. Handler, The Cyber Strategy and Operations of Hamas.
11. “Hamas Using WhatsApp to Hack Israel Soldiers,” Middle East Monitor, July 2019.
12. Michele Groppi and Vasco da Cruz Amador, “Technology and Its Pivotal Role in Hamas’s Successful Attacks on Israel,” Global Network on Extremism and Technology, 20 October 2023.
13. Judah Ari Gross, “IDF Says It Thwarted a Hamas Cyber Attack during Weekend Battle,” Times of Israel, 5 May 2019; and Israel Defence Force, twitter.com/IDF/status/1125066395010699264, 5 May 2019.
14. Eviatar Matania and Lior Yoffe, “Some Things the Giant Could Learn from the Small: Unlearned Cyber Lessons for the U.S. from Israel,” Cyber Defense Review, Winter 2022.
15. A “zero-day” exploit is a computer vulnerability that is unknown to security researchers or computer companies, meaning they have had zero days of notification to fix the issue.
16. Cecile Schilis-Gallego and Nina Lakhani, “‘It’s a Free-for-All’: How Hi-Tech Spyware Ends Up in the Hands of Mexico’s Cartels,” The Guardian, 7 December 2020; and Alan Feuer and Emily Palmer, “An I.T. Guy’s Testimony Leads to a Week of Cyber Spy Intrigue in El Chapo Trial,” The New York Times, 13 January 2019.
17. Mike Mount and Elaine Quijano, “Iraqi Insurgents Hacked Predator Drone Feeds, U.S. Official Indicates,” CNN, 17 December 2009.
18. J. Dana Stuster, “Syrian Electronic Army Takes Credit for Hacking AP Twitter Account,” Foreign Policy, 23 April 2013.
19. David C. Gompert and Martin C. Libicki, “Decoding the Breach: The Truth About the CentCom Hack,” RAND Corporation, 3 February 2015.
20. Gavin Wilde, “Cyber Operations in Ukraine: Russia’s Unmet Expectations,” Cyber Conflict in the Russian-Ukraine War (Washington, DC: Carnegie Endowment for International Peace, December 2022).
21. 2023 Cyber Strategy (Washington, DC: Department of the Navy, November 2023), 5–6.
22. Department of Defense, “Cyber Awareness Challenge 2024.”
23. CISA has a list of free cybersecurity tools online, ranging from basic to advanced. However, these tools are not well advertised and training on how to employ them is lacking. See www.cisa.gov.
24. Defense Information Systems Agency, “Antivirus Home Use Program (AV HUP).”