HamasCyberHQ.exe has been removed—but what does that actually mean?
8 May 2019

Amid the latest volley of rocket fire in Gaza, the Israel Defense Forces launched an airstrike on a building allegedly used by Hamas to conduct cyber operations. The strike occurred shortly after Hamas attempted to mount a cyberattack against unspecified Israeli targets. We know this because within hours of the strike the IDF had put out a press release, tweeted a mocking notification (‘HamasCyberHQ.exe has been removed’), provided pictures and video, and given comments from senior officers to the media.

The media swiftly picked up the story, framing it as ‘a first’, ‘unprecedented’ near real-time kinetic response to a specific cyberattack (although it isn’t the first time airpower has been used to target hackers—the US did it in 2015 against Islamic State hacker Junaid Hussein).

There are reasons to be somewhat sceptical of this narrative, however. First, although we know almost nothing about the details of the cyberattack, two things we do know are that it was easily blocked by the IDF before the airstrike and that there was nothing particularly novel or threatening about the attack itself. The commander of the IDF’s cyber division, Brigadier General ‘D’, emphasised the ease with which the IDF was able to deal with the attack, and Hamas’s lack of sophistication in cyberspace generally, saying, ‘We were ahead of them all the time. The moment they tried to do something, they failed and [we] removed the threats, as we always do.’

This raises the question of why, if this was such an ordinary and easily thwarted cyberattack, it would merit such an extraordinary response.

Another point is worth noting. While much of the media coverage has (not unreasonably) jumped to the conclusion that the building targeted by the IDF was the place from which this particular cyberattack was launched, careful parsing of the IDF’s statements doesn’t actually confirm that.

The IDF’s tweet announcing the strike reads, in part: ‘Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work’ (emphasis added). ‘A building where the Hamas cyber operatives work’ is not the same as ‘the building from which this cyberattack was launched’.

Nor does the relevant sentence in the IDF’s press release—‘In the course of the technical counterterrorism activities, IDF fighter jets attacked a structure from which Hamas’s cyber network operated’—actually say that the specific cyberattack foiled shortly before had come from that location.

It has to be at least considered that the building in question may in fact have already been on the IDF’s hit list, like other Hamas-linked buildings targeted (and similarly announced on Twitter) in recent days. This particular building may just have been next on the list, or it may have been opportunistically moved up the list after the cyberattack was thwarted.

Why does it matter? It might seem like splitting hairs, but whether this was a case of a building being identified and targeted in a near real-time response to a specific cyberattack or whether it was a strike on a previously identified target which was already planned to be hit has serious implications for attribution, proportionality and the use of violence in response to cyber warfare.

If the building was a target prior to the most recent cyberattack, the IDF presumably would have had the time to confirm that Hamas attacks were indeed launched from that specific location. Attribution in cyber operations is complex, and it’s not something that should be done hastily—particularly if what is at stake is an airstrike on a building in a civilian area.

If the building had been a target for some time, the IDF would also presumably have had time to weigh the benefits of disrupting operations from that location against the risks to civilian lives (it’s very unlikely that the seven-storey building was occupied only by Hamas hackers).

Framing it as one thing if it is indeed the other may have seemed like a great idea to the IDF’s media team at the time. It has certainly grabbed plenty of international headlines. However, put bluntly, the current narrative makes it sound like the operation was a knee-jerk revenge strike rather than a reasonable and proportional response to a significant threat.

It has also created at least the appearance of a precedent for the immediate use of force on an at least partially civilian target in response to an already negated cyberattack—in other words, a violent response in a situation in which there was no current cyber threat. And whatever the truth of the matter, if the current narrative is allowed to stand, this apparent precedent could well have lasting consequences for the future use of kinetic force in cyber warfare.