On October 7, Hamas launched an unprecedented terrorist attack on Israel, killing more than 1,200 people, with hundreds taken hostage. The attack prompted a deadly response from the Israel Defense Forces, which has reportedly left more than 10,000 people dead in airstrikes and a land incursion.
Shortly after the attack, the number of internet-connected honeypots in Israel — manufactured networks designed to lure hackers in — have risen dramatically, according to cybersecurity experts who monitor the internet.
Cybersecurity companies and governments routinely use honeypots to catch hackers and observe their attacks on a decoy network or system that is under their control. In other words, these networks and systems are designed to be hacked to catch hackers or observe their techniques. Israel and Hamas are obviously engaged in real-life, kinetic conflicts, but in 2023, every conflict on the ground has some form of cyber component. Deploying honeypots can help to figure out what hackers are up to during the conflict.
John Matherly, the founder of Shodan, the search engine for publicly exposed devices and networks, told TechCrunch that there has been an increase of honeypots in Israel.
"Most of the honeypots are pretending to be a wide range of products/services. They're not emulating specific devices as much as they're trying to catch any malicious activity happening across Israel," he said.
Matherly said that the increase started in September, but has grown since then.
“It looks like all the honeypots are running web servers. I'm not seeing honeypots pretending to be industrial control systems, which means they're trying to track any sort of wide-scale attacks on Israel and not focused on tracking attacks on industrial infrastructure,” Matherly said.
And since the initial wave, the number of honeypots has been “only going upwards,” according to Matherly, who also noted that the increase could be due to AWS launching a new region in Israel in August.
Piotr Kijewski, the CEO of the Shadowserver Foundation, an organization that deploys honeypots to monitor what hackers do on the internet, also confirmed that his organization has seen “a lot more honeypots now deployed in Israel than pre-Oct 7.”
The increase took Israel to the top three in the world in terms of number of deployed honeypots. Before the war, the country wasn’t even in the top 20, according to Kijewski.
“Technically it is possible someone suddenly rolls out a new honeypot deployment when they have developed that capability and yes in this case it seems Israel focused,” Kijewski said in an email. “We do not normally see such large scale instances appear overnight though, and Israel has not so far been a place for these amounts of honeypots (though of course there have always been honeypots in Israel, including ours).”
According to Silas Cutler, a resident hacker at the cybersecurity firm Stairwell, the deployment of honeypots in the conflict of a war “makes sense tactically.”
Do you have more information about the cybersecurity aspect of the Israel-Hamas war? We’d love to hear from you. Contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.
Cutler told TechCrunch that during the first few months of war in Ukraine, “there was a lot of unattributed, background, general exploitation against any infrastructure within the conflict area.”
“It's mostly the same stuff background noise of the internet...just a lot more,” Cutler added. “I suspect folks learned the only way to really see what's happening is to spin up infrastructure and look.”
It's unclear who is deploying the honeypots across Israel, or for what reason. Theoretically, having honeypots would be in Israel’s interest as a tactical advantage, as a way to monitor what its adversaries do online.
A spokesperson for Israel Defense Forces did not respond to a request for comment.