FRESH AIR

Iranian cyberattacks on Israel are unsophisticated, but remain a constant and serious nuisance

April 12, 2022 | Oved Lobel

(Shutterstock/Global News Art)

Iran continues to demonstrate that, while it lags far behind other adversaries like Russia, China and North Korea as a cyber actor, it still has the capacity to be a major nuisance in this sphere.

In mid-March, a cyberattack briefly blocked access to several Israeli government websites. Initially described by one source as the largest cyberattack in Israeli history, it turned out to be nothing but an unsophisticated distributed denial-of-service (DDoS) attack, one which may not even have been targeting Israeli government websites specifically. Erez Tidhar, head of the Israeli cyber authority’s Computer Emergency Response Team (CERT), told Haaretz, “This was a routine attack – albeit one with serious volume – but not rare or significant.” While the attack has not been officially attributed to Iran, it is the most likely culprit given the timing, targets and lack of sophistication.

Shortly thereafter, Iranian-linked hackers published material allegedly stolen from the hacked phone, apparently old, of Mossad chief David Barnea’s wife. The group is most likely linked to “Moses Staff” which, according to cybersecurity company Cybereason, “leverages cyberespionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear.” The hacking of the old phone is not a security threat, and cybersecurity experts have been warning officials and commentators not to play up what is essentially Iranian trolling, the purpose of which is propagandistic – to make it seem like Iran is capable of effective cyberattacks against Israel. These hacks, leaks and DDoS attacks are, in reality, evidence that it probably is not.

The last time Iran attempted a genuine cyberattack against Israel was two years ago, when its Islamic Revolutionary Guard Corps (IRGC) launched an abortive attack against Israeli water infrastructure. There was conflicting information on the level of sophistication involved in that attack, with one official describing it as “miserable”, but nothing of that scale has been attempted since. It’s unclear whether Iran was actually deterred from further cyberattacks against Israeli civilian infrastructure by Israel’s purported response, which shut down Iran’s Shahid Rajaee port, or whether it simply doesn’t have the capability to launch serious cyberattacks.

What has been clear for quite some time is that while Israel is able to cause chaos across Iran in cyberspace, Iran is only capable of temporarily defacing websites, spreading disinformation, carrying out criminal hacks and leaks, and launching DDoS attacks – nothing of strategic consequence, unlike Israel’s ability to shut down fuel distribution and ports.

Iran also continues to conduct large-scale cyber espionage campaigns, something AIJAC has been covering for several years. In April, Facebook parent company Meta disrupted two Iranian groups involved in such activities, one of which, while unnamed, used methods resembling those of an Iranian group known as Tortoiseshell, Imperial Kitten or Threat Actor 456 (TA456) – called among “the most determined” Iranian hacking groups by cybersecurity firm Proofpoint. According to Meta, the “previously unreported group… targeted industries like energy, telecommunications, maritime logistics, information technology, and others.” The other actor, UNC788, has been active for years. Social media companies disrupt such networks every few months, but they often pop right back up again.

These groups depend almost entirely on human error, impersonating known individuals and companies online or inventing companies and fake profiles to trick their targets into downloading malware or entering personal information via phishing, thus giving hackers access to their devices and networks. However, routine cybersecurity hygiene is enough to foil most such attempts.

Iran’s proxies, like Hamas, have also been using these methods to try to spy on or compromise Israeli soldiers, police officers and officials. Cybereason revealed this week that a Hamas-linked cyberespionage campaign running for the past six months using the aforementioned approach – mostly involving fake “honeypot” profiles of attractive Israeli females to lure IDF soldiers and police into downloading malware – demonstrated a “new level of sophistication”.

This activity by Hamas is not new. As AIJAC wrote in May 2019:

Hamas was able to hack the phones of hundreds of IDF soldiers via malware implanted in World Cup streaming apps and dating apps, and used fake “honeypot” profiles of attractive members of the opposite sex to lure soldiers into downloading malware. It also infiltrated hundreds of Facebook groups, some closed, relating to IDF activities to monitor members and discussions, and created an online FIFA World Cup group for Israelis which caused those participating to download malware when they clicked links on the page.

However, according to one Cybereason researcher, “They set up fake accounts, but while usually such accounts are quite easy to spot, in this case they would seem very real to an untrained eye.” The company’s report added that “They were extremely active accounts, they were very well versed in Israeli politics and current events, they chatted with their victims and posted in perfect Hebrew, with none of the tell-tale signs of fake foreign accounts.” Furthermore, the malware being spread by this catfishing campaign is reportedly far more advanced than that previously utilised by Hamas.

While both Iran and its proxies might be improving the quality of their phishing and catfishing, overall, this remains an unsophisticated approach and indicates that, at least for now, Iran is probably not capable of meaningful cyberattacks against infrastructure. Then again, the easiest means to bypass cybersecurity protocols is through human negligence – all it takes is for one important security or government official to fall for these tricks, and all information thereby gleaned will be passed to Iran. As we wrote in 2019 about these catfishing campaigns by Hamas and Hezbollah over the past ten years, “[technical] sophistication is not necessarily the most useful means of measuring a threat.”
