Thousands of Israeli websites defaced by ‘Hackers of Savior’

A relatively new hacker group calling itself ‘Hackers of Savior’ has been found attacking and defacing thousands of Israeli websites since April by exploiting a WordPress vulnerability.

The campaign was discovered by experts at cyber security firm Radware who noted that a majority of the websites targeted by ‘Hackers of Savior’ were hosted on uPress, a popular WordPress hosting provider. The hackers exploited a vulnerability in a WordPress plugin to distribute their defacing exploits, forcing uPress to take urgent steps to restore the affected Israeli websites.

Even though Radware did not find any evidence of the hacker group being connected to a nation state, it said that the group's campaign began around the same time when Iran launched a cyber attack targeting Israel's national water infrastructure, forcing the latter to conduct a cyber attack targeting Iran's port facilities.

The firm said that Hackers of Savior carried out its first attack towards the end of April and publicized the attack on Israeli websites as "their first big surprise". The group has promised to target Israeli infrastructure in the future and according to Radware, the group's primary aim is to spread propaganda.

"Expect the Hackers of Savior, and potentially other threat actors, to exploit the tensions between Israel and Iran over the coming days. These attacks will likely be linked to Quds Day or #OpJerusalem. When attributing these attacks, caution should be exercised to avoid attributing them to Israeli or nation-state operators," the firm added.

While it remains to be seen how Israel reacts to the latest spate of cyber attacks specifically targeting thousands of Israeli websites, the country carried out an airstrike on Hamas' headquarters for cyber operations after the organisation carried out a cyber attack on Israeli assets in May last year.

"We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed," Israeli Defence Forces posted on Twitter on 5th May.

The attack on Hamas' headquarters for cyber operations located in the Gaza strip took place around the same time when Israeli forces carried out punitive airstrikes on buildings owned by Hamas after the organisation allegedly fired over 700 rockets on Israeli territory that resulted in the death of four Israeli citizens.

Copyright Lyonsdown Limited 2020