Security researcher Kevin Beaumont has been tracking an unidentified and highly proficient threat group known as Cyber Toufan on Telegram, and after roughly six weeks of observation he has uncovered a concerning pattern of behavior and the significant danger the group poses. Unlike the more familiar hacktivist groups that mostly resort to DDoS attacks, Cyber Toufan has proven to be a more substantial threat, compromising multiple organizations and inflicting far greater damage. What sets Cyber Toufan apart is its destructive nature: rather than extorting victims like ransomware operators or merely disrupting availability like DDoS actors, the group has compromised a significant number of organizations, almost a third of which were still unable to recover fully a month later. The victims include private companies and Israeli state government entities. The threat actors claim to be aligned with Palestine.
One key aspect that makes Cyber Toufan's activities unusual is its careful targeting. Beaumont found that the threat actors do not attack indiscriminately; their actions are well focused, indicating extensive planning and effort. They have published data dumps from 59 organizations they have targeted, affecting entities across various sectors. "I am tracking 59 orgs where they have released data dumps, and a further 40 or so who got hit in a mass MSP (Managed Service Provider) wipe," Beaumont said. Notably, some victims are cybersecurity vendors, and Beaumont suspects the group may have access to even larger infosec vendors. Victims listed include Radware, MAX Security & Intelligence, Israel Ministry of Health, Israel Securities Authority, Allot Ltd, Toyota Israel, Israel Innovation Authority, Lumenis, SodaStream, SpaceX, and many others. Cyber Toufan's actions go beyond data theft: the group wipes systems and causes extensive damage.
Cyber Toufan's tactics include deploying Tor as a hidden service, using legitimate tools such as shred to delete files irrecoverably, and sending lobbying emails to victims' customers. The group has deliberately stayed on Linux systems, where many organizations have less detection capability than on Windows. Its primary goal appears to be making a statement, as there is no evidence of credential theft or custom malware in its activity. At the time of writing the group's activity has ceased, but its demonstrated capabilities underscore the need for heightened vigilance.
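The Linux detection gap noted above can be narrowed by auditing exec calls. As an added example (not part of the original report), the Python below parses auditd EXECVE records, flags shred runs (rating those with the -u unlink flag higher, since they leave no file to recover) and notes tor launches for follow-up; the log records and paths are constructed sample data.

```python
import re

# Constructed auditd EXECVE records (sample data, not real telemetry); auditd logs one a<N>="..." field per argv element.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1700000000.101:2001): argc=6 a0="shred" a1="-u" a2="-z" a3="-n" a4="3" a5="/srv/backups/db.tar"
type=EXECVE msg=audit(1700000000.103:2003): argc=3 a0="/usr/bin/shred" a1="-uvz" a2="/var/lib/mysql/ibdata1"
type=EXECVE msg=audit(1700000000.104:2004): argc=3 a0="shred" a1="-n3" a2="/home/app/notes.txt"
type=EXECVE msg=audit(1700000000.105:2005): argc=3 a0="tor" a1="-f" a2="/etc/tor/torrc"
"""

EXECVE_RE = re.compile(r'type=EXECVE msg=audit\([\d.]+:(\d+)\): argc=\d+ (.*)')
ARG_RE = re.compile(r'a(\d+)="([^"]*)"')
VALUE_OPTS = {"-n", "--iterations", "-s", "--size"}  # shred options taking a separate value

def parse_argv(line):
    m = EXECVE_RE.match(line)
    if not m:
        return None  # SYSCALL, PATH and other record types carry no argv
    return int(m.group(1)), [v for _, v in sorted((int(i), v) for i, v in ARG_RE.findall(m.group(2)))]

def shred_details(argv):
    """Return (unlinks_after_overwrite, target_paths) for a shred argv."""
    remove, targets, i = False, [], 1
    while i < len(argv):
        a = argv[i]
        if a in VALUE_OPTS:                 # skip the value token as well
            i += 1
        elif a.startswith("-") and len(a) > 1:
            remove |= a.startswith("--remove") or (a[1] != "-" and "u" in a)
            if a[1] != "-" and a[-1] in "ns":   # bundled -un 3 / -us 1M: value follows
                i += 1
        else:
            targets.append(a)
        i += 1
    return remove, targets

def scan(log_text):
    """Return (serial, severity, reason, targets) for wiper-like exec records."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_argv(line)
        if not parsed:
            continue
        serial, argv = parsed
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "shred":
            remove, targets = shred_details(argv)
            reason = "shred overwrite" + (" + unlink (-u)" if remove else "")
            alerts.append((serial, "high" if remove else "medium", reason, targets))
        elif prog == "tor":                 # hidden-service deployment starts with tor itself
            alerts.append((serial, "info", "tor launched; review torrc for HiddenServiceDir", argv[1:]))
    return alerts
```

Real auditd hex-encodes any argument containing spaces or quotes and drops the surrounding quotes, so a production parser must decode those fields, which this sample omits.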