In past editions of this series, we have covered the cyber warfare capabilities of both Iran and Israel. Both are regional powers in terms of cyber warfare and espionage capabilities, and the two are traditional adversaries in the Middle East.
In both previous articles, we looked at the historical implementation of digital assets in conducting cyber operations. We are now seeing these played out in real time, with both countries conducting vast operations against one another. Exploding pagers and walkie-talkies aside, there are far deeper cyber operations happening that are shaping the geopolitics of the region.
Renewed Attacks on Iran’s Nuclear Facilities
On October 12, 2024, reports began to emerge that cyberattacks affected key sectors within the Iranian government, including the judiciary, legislature, and executive branches. Blame soon began to be levelled at Israel: not only does it have the capability, but the world was still awaiting a response to missiles launched by Iran against Israel on October 1, 2024. According to several reports, Iran’s nuclear facilities were also impacted by cyberattacks, leading many cybersecurity professionals to have visions of Stuxnet, no doubt.
A few days later, subsequent news articles began reporting that Israeli officials told US officials that Israel would not attack Iranian nuclear or oil facilities in retaliation for the October 1 attacks. Reading between the lines, it would appear that this reassurance was given in terms of direct and destructive military attacks using missiles or other kinetic warfare means, not for disruptive cyberattacks. Given the difficult nature of attributing cyberattacks, plausible deniability seems to be the foundation for carrying out attacks on both sides.
Iranian Activity Directed Against Israel
Since the terrorist attack on Israel conducted on October 7, 2023, Iranian state-sponsored threat groups have steadily ramped up operations against Israeli targets, both government and private. While activity directed at Israel increased, so did activity targeting Israel’s allies. The activity analyzed by security researchers matched Iran’s broader strategy to defend national interests, deter Western intelligence, and engage in espionage. Added to this, there has been a drive to control online narratives by spreading false news and propaganda.
James Shires, a technology and global affairs expert who co-directs the European Cyber Conflict Research Initiative, said much of Tehran’s work has been centered on influence operations. Iran’s state-sponsored groups achieve this by spreading propaganda and disinformation, primarily by manipulating social media narratives as part of their broader cyber strategy. This is not only done by Iran, but Israel has also been known to employ the same tactics.
Destructive Malware Used in the Cyber Offensive
A favored tactic of Iranian state-sponsored threat actors has been to deploy wipers against the country’s geopolitical rivals. Wipers, or data wipers, are a type of malware that intentionally deletes all files on a computer. Further, the malware commonly removes or corrupts the hard drive partition table to make it harder to recover the data.
At the time of writing, security firm ESET reported that several Israeli organizations were receiving phishing emails that pushed data wipers disguised as antivirus software for destructive attacks. ESET’s own logo and branding were used as part of the phishing lures. Further, the emails were sent from the legitimate eset.co.il domain, indicating that the Israel division’s email server was breached as part of the attack.
When security researchers attempted to run the malware payload in virtual sandboxes, the executable would immediately crash. Only when run on actual hardware did the wiper complete its assigned task. This shows the threat actor is relatively well-versed in analysis and evasion tactics, and is skilled enough to breach corporate networks and compromise email servers to send malicious emails that would bypass spam filters.
The War in Cyberspace
While the rest of the world debates whether Iran and Israel are at war, that being a full-scale war, a conflict in cyberspace has been raging for some time. The tit-for-tat digital conflict has been one of the world’s longest running and is fueled by both geopolitical and religious factors.
Speaking to Foreign Policy, Mohammed Soliman, the director of the strategic technologies and cybersecurity program at the Middle East Institute in Washington, D.C., summarized the regional cyber conflict, which tends to break its regional borders from time to time, by saying,
Israel has always been the more sophisticated of the two adversaries. This in part is due to close cooperation with the United States and other Western allies, with Stuxnet being an example of this, and extensive investment in its own capabilities.
Israel’s national cyber agency, an example of the level of investment the nation has made in this regard, is one of the largest divisions of the Israel Defense Forces (IDF): an intelligence-gathering unit known as Unit 8200.
While Israel can be considered a cyber superpower, Iran is most certainly a cyber power. Iranian cyber warfare units reverse engineered Stuxnet to supplement their own cyber capabilities. These capabilities have been on display on several occasions in destructive cyber campaigns that target both Israel, and Iran’s other geopolitical rival, Saudi Arabia. In this regard, Soliman stated,
“I would call Israel a cyber superpower and Iran a rising cyber power…Iran is not really equivalent to Israel in cyberspace, but they are a very agile nation in terms of building their own capabilities, and they have been also learning from the Israelis all these years.”
Both nations have tended to favour the cyber approach over the years as it is generally less escalatory, and in a region often described as a matchbox waiting for a reason to ignite, there is perverse wisdom in this. However, this less escalatory nature of cyber conflict is being sorely tested, with the two sides both threatening and using the tools of kinetic warfare against one another.