Iran upped cyberattacks on Israel after Oct. 7. Experts say a ceasefire won’t change that
This year, the Islamic Republic set a new benchmark for its cyber strategy, which extends far beyond the battlefield to include influence operations and intelligence gathering
Iranian cyberattacks on Israel have surged in the wake of the October 7 onslaught by the Iran-backed terror group Hamas, and as the Israel-Hamas war continues to rage, cybersecurity analysts warn these digital incursions will continue regardless of any ceasefire or de-escalation in the Gaza Strip.
Meanwhile, with Israel-Hamas negotiations stalled, Tehran’s hackers, backed by the regime, are further honing their capabilities in what experts say could become a forever war in cyberspace.
Despite efforts to tamp down the flames of war, experts told The Times of Israel, any calming of hostilities will not stop digital conflict between the two nations.
“I don’t think [Iran] is going to be happy with Israel, even in the case of a ceasefire or some sort of improvement in conditions” in Gaza, said Ben Read, who heads cyberespionage analysis at Mandiant, a Google-owned cybersecurity firm.
Iran’s cyber capabilities have become a key element of its broader strategy to defend national interests, deter Western intelligence, and engage in espionage, said John Fokker, who leads threat intelligence at cybersecurity company Trellix. Under the auspices of a branch of the armed forces and a government ministry, Iran has steadily expanded its offensive cyber programs, he said.
Since the Hamas-led October 7 massacre took 1,200 lives in Israel and saw 251 people kidnapped to the Gaza Strip, Iranian operatives and cybercrime groups aligned with the Khamenei regime have escalated their cyberattacks on Israeli government and private sector infrastructure. In retaliation, suspected Israeli-aligned hackers have launched their own cyber offensives, targeting Iranian critical infrastructure, including gas stations.
Iran’s cyberwarfare capabilities have long been in development. In 2012, its “Shamoon” virus crippled 30,000 computers at Saudi Aramco in one of Iran’s most notorious attacks. More recently, in 2020, its hackers targeted Gilead Sciences to steal COVID vaccine research. In 2019, the regime’s cyber operatives carried out a wave of attacks on American cities and airports, highlighting the regime’s ability to disrupt critical infrastructure, Fokker noted.
“These incidents reflect the rapid advancement of Iran’s cyber capabilities, making it a significant threat,” Fokker told The Times of Israel.
Now, amid the Gaza conflict, Iranian hackers have targeted Israeli assets more aggressively. In November, the Iran-linked “Cyber Av3ngers” hacking group claimed responsibility for breaching industrial water treatment equipment in America. Tehran is in the global public eye again for cyberwarfare after the US intelligence community said its hackers targeted the Donald Trump and Kamala Harris presidential campaigns.
James Shires, a technology and global affairs expert who co-directs the European Cyber Conflict Research Initiative, said much of Tehran’s work has been centered on influence operations. Iran’s state-sponsored actors have been amplifying propaganda, spreading disinformation and manipulating social media narratives as part of their broader cyber strategy, Shires said.
The war itself has hinged heavily on perception and reputation, Shires said, stressing the importance of online perception battles in modern conflicts.
It’s a two-sided game, though. Israel ran its own secret influence campaign targeting US lawmakers, according to a June report from The New York Times that cited officials involved in the effort and documents tied to the operation.
“Anything that can change that perception is massively valuable for both sides,” Shires told The Times of Israel.
Iranian spin doctors have also embraced artificial intelligence tools to spread disinformation. One AI-driven covert campaign produced fake news websites aimed at influencing American voters, though, according to OpenAI, the effort failed to gain significant engagement.
Three government-linked cyber entities have been driving Tehran’s cyber efforts, according to Read at Mandiant.
These advanced persistent threat (APT) groups — APT33, APT34 and APT42 — operate with sophisticated tactics. APT33 and APT42, for example, are linked to the Islamic Revolutionary Guard Corps and have been targeting Israeli military officials and individuals involved in American presidential campaigns. In the past six months alone, the US and Israel accounted for around 60 percent of APT42’s known targets, according to Google threat intelligence findings.
APT34, meanwhile, is likely tied to Iran’s Ministry of Intelligence and Security, and has been found conducting espionage campaigns against African and Saudi Arabian targets. It’s also previously compromised Israeli companies, including a human resources website.
Despite the technical prowess of these groups, experts say Iran’s cyber capabilities fall short of those of cyber titans such as Russia and China. However, the attacks can still be disruptive.
“They can’t necessarily shut down power to the White House,” Read said, “but if they want to get into a US business, that’s well within their capabilities.”
Read described much of Iran’s recent activity as targeting “low-hanging fruit,” including universities and businesses, rather than sensitive defense assets.
Iran’s cyber influence extends beyond its borders, with proxy groups like the Lebanon-based terror group Hezbollah also engaging in cyberattacks. In November, Hezbollah-linked hackers breached Ziv Medical Center in the northern Israeli city of Safed. Meanwhile, Iranian-backed Houthi groups in Yemen have deployed phone spyware against targets across the Middle East, including Saudi Arabia, Egypt, and Turkey, according to mobile cybersecurity company Lookout.
A ceasefire or any reduction in fighting between Israel and Hamas wouldn’t slow the tempo of Iran’s cyber buildup, Shires said, underscoring the ongoing threat that Iran poses in cyberspace. But he stressed that if a positive diplomatic outcome isn’t reached soon, then a miscalculated cyberattack from either side could skyrocket tensions even further.
“That could very quickly be read into this tit-for-tat escalation… where each side is trying to calibrate very carefully what is appropriate and proportionate to respond, while also not going too far,” he said.
Iran’s lesson after October 7 is clear: Cyberspace is not just a battleground for war, but a powerful medium for influence operations and intelligence gathering. And it is just getting started.
“The cyber stuff seems to be a way for Iran to both impact Israel and be seen impacting Israel that does not incur a significant escalation,” Read said. “I don’t see it changing.”