SiegedSec Promising “Seven Days of Siege”, Supply Chain Attacks Against Israel

Since yesterday, the mixed-bag threat actor, SiegedSec, claims to have begun releasing new data from breaches related to their hacktivism against organizations accused of aiding Israel.

Before I get into this story/profile, I just wanted to bring up the fact that this article is going to touch on the topic of Gaza/Palestine. People are being killed, and they need our help. If you’re looking for an org to donate to, World Central Kitchen resumed operations in the region just a few weeks ago. The famine has never been worse, and they could use your support. They take donations in a number of formats, including PayPal tips and crypto. Please think about it!

It should come as no surprise at this point that the Israeli incursion into Gaza has inspired a wave of hacktivism–both truly capable threat actors and the usual attention-seekers–seen at levels only rivaled by the cyber conflict in eastern Europe. I’ve covered it extensively in the past, both in audio and written format.

First announced on July 3rd and promised to continue until the 10th, this most current string of attacks by the group still seems to have gone largely under the radar. My usual sources haven’t confirmed the breaches as of midnight on the 4th, here in Central European time.

Initially, SiegedSec claimed to have gained access to an admin portal of IT consultancy, Impact Networks. Impact services a number of high-profile entities. SiegedSec claims to have used this breach to gain access to the Finnish Embassy, Ben Gurion University, and Xtend Defense Systems–a company developing drones and automated systems for military and intelligence applications. Impact seems to have not yet publicly acknowledged the breach.

On July 4th they claimed to have conducted a similar breach of Comoz Technologies, who also service a number of public sector and government-adjacent organizations. While I have no way of verifying most of the claims they made in this statement (as the handful of images are the only proof they provided), I can confirm that I was unable to reach any of the targeted email addresses that they published.

So far, they’ve claimed 124 networks as compromised. It’s unclear as to whether or not this will be the extent of all seven days’ effort, or if this is just what they’re deciding to announce up to this point.

If this is true, it would mark a substantial supply chain attack. It’s also the group’s first publicly announced activity since the middle of last month, and their main Breach Forums account hasn’t logged in to announce this event, either:

Why Should We Care About SiegedSec?

SiegedSec is an interesting group, who have dipped into cyber espionage, data theft, and more baseline hacktivist activities (such as defacement). That said, there’s plenty of evidence out there that SiegedSec is capable of far more disruptive actions. The group has gained notoriety for its aggressive tactics, including data leaks and high-profile attacks on government and corporate targets. Since arriving on the scene in early 2022, it’s obvious that their capabilities have grown.

The most well-known profile on them was published here on SOCRadar.

And yes, they’re widely known as the self-stylized “gay furry hackers”. While they have a tendency towards the juvenile (as many in this space do), their public Telegram chatroom does seem to make an attempt at a safe space for young, gay hacktivists.

Previous High-Profile Attacks

June 2022:
SiegedSec targeted anti-abortion states in the U.S., attacking multiple government websites and leaking data in protest against anti-abortion legislation​​.

February 2023:
SiegedSec claimed responsibility for hacking Atlassian, an Australian software company, and leaking employee information and office floor plans​. This turned out to be another supply-chain attack, conducted with stolen credentials. Atlassian is a particularly worrisome target to many, as their products largely revolve around developing and coordinating intellectual property for some of the largest technology firms around the English-speaking world and Europe.

May 2023:
The group attacked NewsVoir, an Indian news distribution platform, leaking a number of documents and data. They hinted at a possible interest in financial compensation for their actions, suggesting a shift towards data extortion​.

July 2023:
SiegedSec claimed to have breached NATO’s Communities of Interest (COI) cooperation portal, stealing hundreds of sensitive documents. NATO confirmed it was investigating these claims, and additional cybersecurity measures were put in place​.

August 2023:
The group claimed responsibility for breaches against Romania’s National Office for Centralized Procurement (ONAC) and First Credit and Investment Bank, collaborating with another threat actor, 6ix, for these attacks​.

September 2023:
NATO was once again targeted by SiegedSec, with the group claiming to have stolen nearly 3,000 documents from various NATO platforms, including the Lessons Learned Portal and the Logistics Network Portal. NATO confirmed they were actively investigating these incidents​​.

Motivations?

SiegedSec‘s motivations appear to be a mix of financial gain, political objectives, and disruption. Their activities often align with hacktivist principles, usually with a focus on exposing sensitive information and causing operational disruptions to their targets.

SiegedSec demonstrates a high level of sophistication in their operations, utilizing advanced malware, zero-day vulnerabilities, and a deep understanding of network defenses. Their capability to blend espionage with hacktivism makes them a versatile and unpredictable threat actor. They’ve shown the ability to adapt quickly to new security measures. They generally behave more like an APT (advanced persistent threat) and less like your usual hacktivist.

SiegedSec also seems to be friendly with another hacktivist group, GhostSec. Members from both groups have been seen collaborating on various operations.

I guarantee this isn’t going to be the last time I write/talk about this entity. While it’s easy to dismiss most hacktivists outright, SiegedSec, at least, appears to remain a serious threat, and shouldn’t be taken lightly. These “Seven Days of Siege” should be monitored closely, and the various claims verified as soon as possible.