Predatory Sparrow and other weapons of hybrid warfare: Cheap, fast, undetectable and effective

Security companies warn of the increase in cyberattacks with different strategies, actors, intensities and objectives

Raúl Limón
A Ukrainian soldier on a computer on the outskirts of Donetsk, on February 10. SOPA Images (SOPA Images/LightRocket via Gett)

Hybrid warfare is a novel term for a strategy as old as military conflict itself. It refers to the combination of conventional force with any other means, such as insurgency, migration, terrorism, propaganda or the restriction of basic resources. Information technologies have added one more complex and challenging element: cyberwarfare. Google’s Threat Analysis Group (TAG) has completed a report, coinciding with similar work by S21sec and Kaspersky, on the use of cyberwarfare in the two most recent conflicts. It finds that, even though the same weapons are used, the strategies in the wars in Gaza and Ukraine differ substantially in their timeframes, actors, intensity and objectives, which, far from being confined to the war zones, are spreading across the planet through the actions of hacker groups such as Predatory Sparrow (Gonjeshke Darande in Farsi), thought to be behind cyberattacks against gas stations in Iran.

The Art of War, the work attributed to the Chinese strategist Sun Tzu about 2,500 years ago, talked about the combination of resources other than physical force, stating that “subduing the enemy without fighting is the apogee of ability.” The military leader was already aware of the importance of information and deception, two fundamental aspects of cyberwarfare. Both are present in the conflicts in Gaza and Ukraine, but with different models, according to Google’s analysis, which coincides with that of other internet security groups.

The invasion of Ukraine was preceded by a large increase in threats and cyberattacks against Kyiv, intended to weaken its defense capabilities. By contrast, before the Hamas incursion into Israel on October 7, which left 1,200 dead and 240 hostages in a single day, these actions remained at their usual intensity. “The operational security risks of a cyberoperation outweighed the potential benefits, so we didn’t see something like what we saw in Ukraine, where, in the days and weeks before the invasion, a huge increase in activity was detected,” explains Sandra Joyce, vice president of Mandiant Intelligence. In other words, for Hamas, an increase in attacks on the web could have drawn attention to its upcoming action without providing any benefit.

With both fronts open, cyberwarfare has become another weapon of war. While Russia maintains its online activity in all areas and combines cyberattacks with missile launches, in the Gaza war, cyberwarfare focuses more on collecting information, disrupting essential services and deploying all types of propaganda.

In both cases, information technologies have demonstrated unique characteristics: cyber capabilities can be deployed quickly at minimal cost, which is why they have become a primary resource. These tools provide the ability to gather information or spread propaganda quickly and disrupt everyday life while remaining below the level of direct military action. “As swift as wind, as gentle as forest, as fierce as fire, as unshakable as mountain,” Sun Tzu wrote about the qualities of an attacker in The Art of War.

“These actors,” explains Joyce, “have historically relied on simple but very effective tools, techniques and procedures. But there are signs of evolution and, potentially, some more advanced capabilities have been developed, such as quite elaborate social engineering to attack Israel-based programming engineers.”

John Hultquist, chief analyst at Mandiant, adds that some strategies are no longer aimed at the progressive infection of a system but at the interruption of its functionalities without leaving a trace, as happened during an intentional blackout in an entire region of Ukraine: “The advantage is that you are not introducing malware that is signed and can be investigated and identified. Essentially, it is acting as a system administrator and it is really difficult to find.”

The actors also differ. In the Ukraine war, Russia uses its own force, both in conventional and information warfare, although Kyiv has denounced China’s support. However, in Gaza, the main actor is located outside the territory in conflict: Iran has actively participated in 80% of the attacks against Israel and allied countries, according to Google data. The company’s analysts have detected attacks on individuals and on essential services such as water distribution systems, as well as the use of sophisticated social engineering to take control of critical elements. Cell phones and missile attack warning systems, as well as the websites of the police and hospitals, have also been infected in order to create confusion and terror in the population. For its part, Iran attributes to Israel the activity of the Predatory Sparrow group that, among other actions, disabled the country’s gas stations.

This model of war knows no borders. As the conflict continues, the possibility of broader regional instability increases. Critical infrastructures in the United States and Europe have been targets of cyberattacks, and Lebanon and Yemen have joined the list. “They are global actors and that means that what is happening there [the territory in conflict] has implications for the world,” says Shane Huntley, director of Google’s TAG, who points out upcoming electoral processes and events of international relevance, like the Olympic Games, as potential targets.

Other reports

Google’s conclusions are consistent with those of other online security groups, such as S21sec, part of Thales Group. This company’s Threat Landscape Report underscores the proliferation of online activists carrying out distributed denial of service (DDoS) attacks, data leaks, system infiltration, ransomware deployment and espionage.

Their activity, according to the investigation, has been deployed through channels such as Telegram and Dark Web forums (sites that are not indexed and can only be accessed through specialized browsers) such as BreachForums, Dread Forum, Cracked, Nulled and Leakbase. A quarter of the actors support Israel, while the rest allegedly favor Palestine.

“The majority of these threat groups are ideologically or religiously motivated, selectively attacking both Israeli and Palestinian entities, as well as others located in countries not related to the conflict, including in the Americas, Europe, Asia and Africa,” says Sonia Fernández, Head of the S21sec Threat Intelligence team.

Experts at the cybersecurity company Kaspersky agree that what is known as geopolitically motivated hacktivism will intensify and lead to a more complex and challenging threat landscape. “Ransomware is still a big problem and hackers are getting better at attacking large, profitable companies with more advanced methods; hacktivists motivated by social issues are also increasingly active, generating an increase in potential threats; and the transportation and logistics sector is especially vulnerable to these changes due to its increasingly digital systems. This combination of cybercrime and traditional crime constitutes a serious threat to global supply chains,” said Evgeny Goncharov, Head of Kaspersky ICS CERT.
