Threats Feed | Unknown | Last Updated: 28/01/2026 | Author: Certfa Radar | Publish Date: 15/03/2024

State-Sponsored Cyberattacks Target Israeli Academia and Government Sectors

  • Actor Motivations: Sabotage
  • Attack Vectors: Vulnerability Exploitation, Wiper, Compromised software
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

Recent cyberattacks by state-sponsored groups have targeted Israeli organizations in academia, local government, and managed service providers (MSPs). These attacks aim to cause substantial damage by erasing critical data from servers and workstations using Microsoft's SDelete tool from the Sysinternals suite. The attackers leverage outdated VPN servers to gain initial access, followed by lateral movement within networks to reach their targets. Several organizations have already been impacted, predominantly through an attack on the supply chain, which has hindered data restoration efforts.

Detected Targets

Type | Description | Confidence
Sector | Government Agencies and Services | Verified
Sector | Information Technology | Verified
Sector | Education | Verified
Region | Israel | Verified

Extracted IOCs

Tip: 49 IOCs (31 IP, 3 domain, 0 URL, 0 email, 15 file hash) related to this threat have been found.

Overlaps

MuddyWater | MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt

Source: ESET - December 2025

Detection (one case): 161[.]35.172.55

UNC1860 | UNC1860 Targets Middle Eastern Networks with Specialized Tooling

Source: Mandiant - September 2024

Detection (two cases): 3d5d05f230ae702c04098de512d93d48, 69fd67c115349abb4a313230a1692642

MuddyWater | MuddyWater Targets Global Sectors with Phishing and BugSleep Backdoor

Source: Check Point - July 2024

Detection (one case): 89[.]221.225.81

Void Manticore | Void Manticore and Scarred Manticore's Coordinated Cyber Assaults Unveiled

Source: Check Point - May 2024

Detection (one case): 85fa58cc8c4560adb955ba0ae9b9d6cab2c381d10dbd42a0bceb8b62a92b7636

MuddyWater | DarkBeatC2: MuddyWater's Latest Framework Targets Israeli Networks

Source: Deep Instinct - April 2024

Detection (11 cases): 103[.]35.190.203, 137[.]74.131.19, 164[.]132.237.68, 185[.]216.13.242, 185[.]236.234.161, 80[.]71.157.130, 91[.]225.218.210, 95[.]164.38.68, 95[.]164.46.253, 95[.]164.46.54, 95[.]164.61.64

Seedworm | Seedworm's Persistent Cyber Espionage in African Telecom Sector

Source: Symantec - December 2023

Detection (one case): 94[.]131.3.160

MuddyWater | MuddyWater's Shift to MuddyC2Go Framework Targets Jordan, Iraq, and Israel

Source: Deep Instinct - November 2023

Detection (one case): 137[.]74.131.18

MuddyWater | MuddyWater Upgrades: The Emergence of PhonyC2 Framework

Source: Deep Instinct - June 2023

Detection (one case): 137[.]74.131.18

MuddyWater | MuddyWater APT Uses Legitimate Remote Management Tool for Persistence

Source: Group-IB - April 2023

Detection (six cases): 137[.]74.131.18, 137[.]74.131.19, 141[.]95.177.134, 91[.]121.240.102, 91[.]121.240.106, 91[.]121.240.98

Mercury | MERCURY and DEV-1084's Destructive Cyber Operations Against Cloud and On-Premises Environments

Source: Microsoft - April 2023

Detection (one case): vatacloud[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Cyber Attackers Targeting Israeli Academia and Local Systems

Several state-sponsored hacking groups launched destructive cyberattacks on Israeli institutions, aiming to delete data and disrupt operations.

The alert attributes the activity to state-backed actors, though it does not name a specific country or group.

The main goal was to cause damage by deleting data on targeted servers and systems, making recovery difficult or impossible.

Victims include universities, municipal systems, and Managed Service Providers (MSPs), especially those with a broad client base.

Attackers entered through unpatched VPN servers, moved laterally across networks, and used a legitimate Microsoft tool called SDelete to wipe files.

These sectors often hold valuable or sensitive data and may have weaker defenses. Attacking MSPs also enables broader impact through their clients.

Ensure all systems are fully patched, monitor for suspicious deletions or admin tool usage, isolate backup systems, and review VPN access controls.

Yes. The cyber authority is aware of dozens of affected organizations, and the threat appears to be ongoing and broad in scope.