In recent weeks, Iran has carried out several highly sophisticated cyber operations, primarily targeting its regional adversaries. Among the primary victims is Israel. The country has faced numerous attempts by Iranian hackers to infiltrate critical infrastructure. The increasing efficiency and sophistication of these cyber-attacks have led some experts to label Iran as a new cyber power.
Israel is the main, though not the only target
A recent extensive cyber attack targeted the Israeli technological and educational sector. The government reported on its impact and the progress of the investigation in early November. The attackers hit organisations with a so-called wiper, malware designed to destroy or damage data on the victim's systems. The initial penetration of the victims' devices occurred earlier this year, and the objective of the operation was to obtain sensitive information and intellectual property. The attack was attributed to Agrius, a well-known Iranian hacking group active since around 2020 that primarily engages in cyber espionage and destructive attacks. The same group was also behind an operation in May of this year targeting Israel, during which several organisations were attacked with the Moneybird ransomware. At the time, the technical characteristics of the malware prompted discussion of a significant shift in Iran's cyber capabilities. However, Agrius is by no means the sole Iranian actor conducting cyber activities against Israel.
An Iranian cyber espionage campaign with profoundly negative impacts has targeted the military, financial, government and telecommunication sectors across the Middle East, with Israel once again among the victims. This time, however, the ramifications extended to several other states, including Oman, Saudi Arabia, Jordan, the United Arab Emirates and Iraq. The attackers were reportedly successful in mapping out how the cyber infrastructure of the targeted states functions. In addition, they may have gained access to various types of classified information and state secrets, which could later be used to carry out further cyber activities. The attack is believed to have been carried out by Iranian hackers with links to the government, known as Scarred Manticore.
Yet another malicious initiative was a phishing campaign that attempted to deploy a remote management tool on the victims' systems. The attack is attributed to the Iranian actor MuddyWater, which has been operating in the cyber domain for over six years. There are claims of a direct connection between the hackers and the Iranian Ministry of Security and Intelligence.
Iran's operations during the Israel-Palestine conflict raise many questions
All these activities take place in the context of the ongoing conflict between Hamas and Israel. Ever since the beginning of Hamas's attack on Israel, we have observed various cyber activities by which actors try to support one side or the other. This is why Iran's current cyber activities raise many questions. Israel claims that Iran is actively attempting to hack the camera systems of the Jewish state in cooperation with Palestinian Hamas and Lebanese Hezbollah. Since the outbreak of the latest wave of armed conflict, there has been discussion of the support that Hamas may receive not only from Tehran but also from Hezbollah. These concerns are supported by incidents such as the hacking of private camera systems near the border with Lebanon; the acquired recordings could be instrumental in the event of a potential ground operation by Hezbollah into Israel. Microsoft also reported in May of this year that the quality of Tehran's cyber attacks was improving, and the company has claimed that Iran is using these capabilities to aid Palestinian resistance to the Israeli occupation.

The involvement of Iranian hackers in such activities is not fundamentally surprising. Tehran and Tel Aviv have long-standing, complicated diplomatic relations, which naturally manifest in the cyber domain. It should not be forgotten that Iran has faced several cyber attacks by Israel in the past, many of which had profoundly negative consequences for the country. An example is the well-known joint operation of Tel Aviv and Washington in 2010, in which critical parts of Iran's nuclear programme were targeted with the Stuxnet malware. The intention was to prevent the enrichment of uranium that could then be used to build atomic weapons. The operation caused significant complications for Iran, especially in keeping its nuclear centrifuges running, and in the following years it led to increased investment in cyber capabilities.
As Iranian Defence Minister Mohammad Reza Ashtiani stated, the deteriorating security situation in the Middle East requires, inter alia, a redefinition of national defence strategies. These strategies are supposed to extend beyond the country's borders and, in particular, to address a new strategic domain – cyberspace. It is this recognition of the importance of the cyber domain that we have been watching unfold in recent months. The first warning of Iran's growing capabilities was an extensive attack against Albania in 2022. Since then, the sophistication and effectiveness of its attacks have further improved, placing Iran among the cyber powers.
This brief is supported by
NATO’s Public Diplomacy Division