A newly formed hacktivist group, Phoenix Backup, has claimed responsibility for a cyberattack targeting two Israeli technology firms—Nibit Communications and Computers and IMLAW. The breach, which involved data exfiltration, was first identified by cybersecurity analysts at FalconFeeds.io on April 23, 2024.
This incident highlights the intensifying cyber conflict between Iran and Israel, with tactics commonly associated with state-aligned threat actors. The attackers reportedly used phishing emails to gain entry, deployed custom malware, and exploited unpatched vulnerabilities to escalate access. The stolen data includes customer records, internal communications, and technical documents, some linked to defense contracts.
With Iranian-backed cyber groups historically targeting Israeli infrastructure, the attack raises concerns about potential espionage, cyber sabotage, and downstream supply chain risks. As the cybersecurity landscape evolves, organizations must bolster threat intelligence, patch management, and network segmentation to counter such sophisticated breaches.
Attack Methodology & Technical Insights
Phoenix Backup’s attack involved a multi-stage intrusion:
- Initial Access: Phishing emails disguised as business inquiries tricked employees into downloading malicious attachments.
- Malware Deployment: Custom malware bypassed endpoint detection and established persistence within the network.
- Privilege Escalation & Lateral Movement: The attackers exploited Microsoft Exchange Server and Oracle WebLogic vulnerabilities to escalate privileges and spread across systems.
- Data Exfiltration: Using PowerShell scripts and living-off-the-land binaries (LOLBins), the attackers compressed and encrypted stolen data before exfiltrating it via HTTPS tunnels to cloud storage.
- Evasion Techniques: The use of encrypted traffic made detection difficult, allowing the attackers to operate undetected for an extended period.
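The staging-and-exfiltration step above (a script host launching a compression LOLBin, then a large HTTPS upload to cloud storage) is the kind of sequence a defender can correlate across host telemetry and proxy logs. The following Python is an added illustration, not code from the original report or from any party it names: the process events, proxy lines, host names and domains are all constructed, and the thresholds, LOLBin list and cloud-storage suffixes are assumptions to be tuned per environment.

```python
"""Correlate host process events with proxy logs to flag the staging-and-exfiltration
pattern: a script host (PowerShell) launching a compression LOLBin, followed within a
time window by an unusually large outbound HTTPS transfer from the same host to a
cloud-storage domain. Added example; all log data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events: (timestamp, host, parent image, image)
PROCESS_EVENTS = [
    ("2024-04-20T09:12:04", "WS-114", "outlook.exe", "powershell.exe"),
    ("2024-04-20T09:12:31", "WS-114", "powershell.exe", "makecab.exe"),
    ("2024-04-20T10:02:10", "WS-207", "explorer.exe", "winword.exe"),
    ("2024-04-20T11:45:00", "WS-301", "cmd.exe", "7z.exe"),  # admin packaging a build, no script parent
]

# Constructed proxy log lines: timestamp host dest_host bytes_out
PROXY_LOG = """\
2024-04-20T09:14:55 WS-114 cdn.example-updates.net 48213
2024-04-20T09:20:12 WS-114 storage.cloud-bucket.example 734003200
2024-04-20T10:05:40 WS-207 mail.corp.example 12000
2024-04-20T11:50:03 WS-301 storage.cloud-bucket.example 5000000
"""

# Assumed policy values; tune for your environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMPRESSION_LOLBINS = {"makecab.exe", "compact.exe", "tar.exe", "7z.exe", "rar.exe", "winrar.exe"}
CLOUD_STORAGE_SUFFIXES = (".cloud-bucket.example",)  # placeholder for your list of storage providers
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024   # 100 MiB in a single session
CORRELATION_WINDOW = timedelta(hours=1)


def parse_proxy_log(text):
    """Parse 'ts host dest bytes_out' lines; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dest, nbytes = parts
        try:
            records.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
        except ValueError:
            continue
    return records


def staging_events(events):
    """Map host -> timestamps at which a script host spawned a compression LOLBin."""
    staged = defaultdict(list)
    for ts, host, parent, image in events:
        if parent.lower() in SCRIPT_HOSTS and image.lower() in COMPRESSION_LOLBINS:
            staged[host].append(datetime.fromisoformat(ts))
    return staged


def is_cloud_storage(dest):
    """True when the destination matches a configured cloud-storage domain suffix."""
    return dest.endswith(CLOUD_STORAGE_SUFFIXES)


def correlate(events, proxy_text):
    """Alert when a large cloud-storage upload follows staging on the same host within the window."""
    staged = staging_events(events)
    alerts = []
    for ts, host, dest, nbytes in parse_proxy_log(proxy_text):
        if nbytes < EXFIL_BYTES_THRESHOLD or not is_cloud_storage(dest):
            continue
        for stage_ts in staged.get(host, []):
            if stage_ts <= ts <= stage_ts + CORRELATION_WINDOW:
                alerts.append({"host": host, "staged_at": stage_ts.isoformat(),
                               "upload_at": ts.isoformat(), "dest": dest, "bytes": nbytes})
                break  # one alert per upload is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, PROXY_LOG):
        print(alert)
```

Only WS-114 trips the rule: the 7z launch on WS-301 has cmd.exe rather than a script host as its parent and its upload is far below the byte threshold, which is what keeps legitimate admin packaging out of the alert queue. Because the traffic is TLS, the correlation relies on metadata (host, destination, volume, timing) rather than content, which is the practical answer to the encrypted-channel evasion noted above.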
The stolen data includes sensitive customer databases, internal emails, and technical documentation that could be used for espionage or cyber-ransom demands.
Iranian Cyber Tactics & Historical Context
The attack follows a well-documented pattern seen in Iranian cyber operations, often attributed to groups like CyberAv3ngers and APT34. These actors have historically targeted Israeli critical infrastructure, deploying wiper malware and industrial control system (ICS) exploits.
Phoenix Backup’s strategy—using Telegram for coordination and data leaks—is reminiscent of Iran’s 2016 Telegram breach, where attackers intercepted SMS verification codes to hijack accounts. In 2023, a data breach involving an unofficial Telegram client exposed 42 million Iranian users, demonstrating the risks of third-party applications.
By choosing Telegram, Phoenix Backup leverages encryption, anonymity, and wide reach within hacktivist circles, making it an effective platform for their operations.
Implications for Cybersecurity
The compromised data poses serious risks, including:
- Espionage: Stolen documents could provide intelligence advantages.
- Supply Chain Attacks: Nibit Communications’ involvement in defense networks raises concerns over secondary breaches targeting Israeli military contractors.
- Dark Web Market Sales: Exfiltrated data could be sold or traded for further cybercriminal activities.
- Disinformation Campaigns: Leaked information might be used to manipulate public opinion or influence geopolitical narratives.
Reports suggest Iranian hackers are refining Operational Technology (OT) and IoT-focused malware, such as the IOCONTROL backdoor, which was previously used to target U.S. fuel management systems.
With state-sponsored cyber warfare blurring the lines between hacktivism and geopolitical cyber conflict, organizations must enhance their cyber defenses, intelligence sharing, and response protocols.
Mitigation Strategies & Industry Response
To mitigate risks associated with data exfiltration, security experts recommend:
✅ Zero-Trust Architecture: Limiting user access based on strict authentication policies.
✅ Network Segmentation: Isolating sensitive data from general enterprise networks.
✅ Behavioral Analytics: Monitoring traffic patterns for anomalies.
✅ Patch Management: Regularly updating software, as 60% of 2023 breaches were due to unpatched vulnerabilities.
✅ Multi-Factor Authentication (MFA): Avoiding SMS-based authentication in favor of hardware security keys.
✅ Threat Intelligence Sharing: Collaborating with industry peers to track emerging threats.
In response to Phoenix Backup’s activity, Israeli cybersecurity agencies have issued advisories urging third-party app audits and reinforcing security best practices. Telegram, meanwhile, has reiterated warnings against unofficial forks, emphasizing the security risks they pose.
With Iran investing in asymmetric cyber warfare, organizations must assume breaches are inevitable and build resilient defense strategies.
What Undercode Says:
The Phoenix Backup breach is not just another cyberattack—it is part of an escalating digital war between Iran and Israel. This incident underscores how cyber operations have become an extension of geopolitical conflicts, with state-backed hacktivists playing a growing role.
1. The Evolution of Iranian Cyber Warfare
Iranian cyber tactics have evolved significantly over the past decade. Initially focusing on website defacements and DDoS attacks, Iranian groups have transitioned to espionage, supply chain compromises, and infrastructure sabotage. Notable past incidents include:
- Shamoon Wiper Attack (2012 & 2016): Targeted Saudi Aramco, wiping 30,000 computers.
- Triton Malware (2017): Designed to manipulate industrial safety systems, nearly causing physical damage.
- U.S. Fuel System Hack (2024): Iranian actors infiltrated fuel management networks, disrupting services.
2. Telegram: A Double-Edged Sword for Hackers
Phoenix Backup’s reliance on Telegram highlights how encrypted messaging apps have become cybercriminal hubs. While Telegram is widely used for privacy and secure communication, threat actors abuse its features for:
- Data Leaks & Ransom Negotiations
- Phishing Kit Distribution
- Command & Control (C2) Infrastructure
Despite Telegram’s security measures, threat actors continue to exploit third-party forks to avoid detection. Governments and cybersecurity firms must increase efforts to monitor these channels without infringing on legitimate users’ privacy.
3. The Growing Threat of Cyber Sabotage
Unlike financial cybercrime, state-backed attacks prioritize disruption and long-term strategic advantage. The targeting of defense-related firms suggests Iran aims to undermine Israel’s military infrastructure.
Potential next steps could include:
🔴 Supply Chain Attacks on defense contractors
🔴 Ransomware Deployment to
References:
Reported By: https://cyberpress.org/israeli-companies-cyberattack/