Geopolitical events and military operations often trigger a cascade of online activity, both legitimate and malicious. Recent data from our global threat network highlights the strong connection between military escalations and cyberattacks, with the latest example unfolding in the Middle East.
Operation Rising Lion Triggers Cyber Spikes Across Israeli Sites
On June 13, Israel launched Operation Rising Lion, and the ripple effects in cyberspace were immediate. The following day, traffic to Israeli websites surged to 172% above typical levels, as individuals likely sought real-time updates and information about the unfolding operation.
While much of this spike can be attributed to organic traffic from news readers and concerned citizens, it was accompanied by notable increases in cyberattack activity:
- Spike in Web Application & API Protection (WAAP) Attacks: WAAP threats—including malicious bot traffic, API abuse, and web application attacks—jumped by 63% over the two days immediately following the start of the operation, particularly in the government and financial industries. Government sites had the largest rise, spiking 320% above average in the days following the operation.
- Rise in RPS of Application Layer (L7) DDoS Attacks: After briefly declining immediately following the operation, L7 DDoS attacks began to rise again in subsequent days, leaping to 54% more attacks than average within a week. Although the number of attacks has increased slightly, it remains within the range observed in prior weeks, as Israeli sites are frequently targeted by DDoS. However, the requests-per-second (RPS) rate has grown noticeably in the week following the operation, spiking 1,336% above the rates of the week prior. The rates remained below 1 million RPS, and these attacks largely targeted sites affiliated with defense.
- No Notable Change in Network Layer (L3/4) DDoS Attacks: Network-layer attacks have also increased since the start of Operation Rising Lion, though again, they have not exceeded the levels seen earlier in the year. Interestingly, despite the higher number of attacks, bandwidth levels have remained modest, averaging around 5 Gbps. These attacks primarily focused on Israeli government sites, possibly aiming to disrupt public communications or degrade critical services.
U.S. Involvement Sparks Further Traffic Shifts
The situation escalated further when the United States launched Operation Midnight Hammer on June 22. In the days leading up to the U.S. operation, we observed increased traffic to U.S.-based sites, especially those in the financial and news industries, likely driven by speculation about potential American involvement following Israel’s actions. Traffic to news sites specifically had two large spikes of about 50% above average, following Israel’s operation and then again after U.S. involvement.
In the chart below, you can see spikes to U.S. news sites at three specific points: as tensions rose in the Middle East, right after Israel began its operation, and right after the U.S. operation. These points underscore the deep global interest in the military and political fallout from these operations.
Historical Context: The Ukraine Invasion Cyber Pattern
These patterns mirror previous cyber trends observed during large-scale conflicts. In February 2022, during Russia’s initial invasion of Ukraine, we recorded a 56% surge in traffic to Ukrainian websites in late February as the world monitored developments, a rise that was sustained for the rest of the year. That traffic spike was accompanied by an uptick in WAAP attacks, as well as distributed denial-of-service (DDoS) attacks on a range of targets, including financial institutions, business sites, and gas stations.
Key Takeaway: Cyber and Kinetic Worlds Are Deeply Interconnected
Our data once again shows how geopolitical crises manifest in cyberspace—through both legitimate spikes in web traffic and malicious cyberattacks. While traffic surges are often driven by users seeking information, attackers frequently exploit these moments of heightened attention to launch targeted campaigns against government, military, and media sites, as well as critical infrastructure like healthcare and transportation.
Organizations—particularly in high-risk regions or industries, like defense, financial services, and government—should remain on heightened alert during geopolitical events and ensure their defenses against DDoS, API abuse, and other web application attacks are fully operational.