FRESH AIR

Iranian cyberattacks on Israel are unsophisticated, but remain a constant and serious nuisance

April 12, 2022 | Oved Lobel

(Shutterstock/Global News Art)
(Shutterstock/Global News Art)

Iran continues to demonstrate that, while it lags far behind other adversaries like Russia, China and North Korea as a cyber actor, it still has the capacity to be a major nuisance in this sphere.

In mid-March, a cyberattack briefly blocked access to several Israeli government websites. Initially described by one source as the largest cyberattack in Israeli history, it turned out to be nothing but an unsophisticated distributed denial-of-service (DDoS) attack, one which may not even have been targeting Israeli government websites specifically. Erez Tidhar, head of the Israeli cyber authority’s Computer Emergency Response Team (CERT), told Haaretz, “This was a routine attack – albeit one with serious volume – but not rare or significant.” While the attack has not been officially attributed to Iran, it is the most likely culprit given the timing, targets and lack of sophistication.

Shortly thereafter, Iranian-linked hackers published material allegedly stolen from the hacked phone, apparently old, of Mossad chief David Barnea’s wife. The group is most likely linked to “Moses Staff” which, according to cybersecurity company Cybereason, “leverages cyberespionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear.” The hacking of the old phone is not a security threat, and cybersecurity experts have been warning officials and commentators not to play up what is essentially Iranian trolling, the purpose of which is propagandistic – to make it seem like Iran is capable of effective cyberattacks against Israel. These hacks, leaks and DDoS attacks, in reality, are actually evidence that it probably is not.

The last time Iran attempted a genuine cyberattack against Israel was two years ago, when its Islamic Revolutionary Guard Corps (IRGC) launched an abortive attack against Israeli water infrastructure. There was conflicting information on the level of sophistication involved in that attack, with one official describing it as “miserable”, but nothing of that scale has been attempted since. It’s unclear whether Iran was actually deterred from further cyberattacks against Israeli civilian infrastructure by Israel’s purported response, which shut down Iran’s Shahid Rajaee port, or whether it simply doesn’t have the capability to launch serious cyberattacks.

What has been clear for quite some time is that while Israel is able to cause chaos across Iran in cyberspace, Iran is only capable of temporarily defacing websites, spreading disinformation, criminal hacks and leaks and DDoS attacks – nothing of strategic consequence, unlike Israel’s ability to shut down fuel distribution and ports.

Iran also continues to conduct large-scale cyber espionage campaigns, something AIJAC has been covering for several years. In April, Facebook parent company Meta disrupted two Iranian groups involved in such activities, one of which, while unnamed, resembled the methods of an Iranian group known as Tortoiseshell, Imperial Kitten or Threat Actor 456 (TA456) –  called among “the most determined” Iranian hacking groups by cybersecurity firm Proofpoint. According to Meta, the “previously unreported group… targeted industries like energy, telecommunications, maritime logistics, information technology, and others.” The other actor, UNC788, has been active for years. Social media companies disrupt such networks every few months, but they often pop right back up again.

These groups depend almost entirely on human error, impersonating known individuals and companies online or inventing companies and fake profiles to trick their targets into downloading malware or entering personal information via phishing, thus giving hackers access to their devices and networks. However, routine cybersecurity hygiene is enough to foil most such attempts.

Iran’s proxies, like Hamas, have also been using these methods to try and to spy on or compromise Israeli soldiers, police officers and officials. Cybereason revealed this week that a Hamas-linked cyberespionage campaign running for the past six months using the aforementioned approach – mostly involving fake “honeypot” profiles of attractive Israeli females to lure IDF soldiers and police into downloading malware – demonstrated a “new level of sophistication”.

This activity by Hamas is not new. As AIJAC wrote in May 2019:

Hamas was able to hack the phones of hundreds of IDF soldiers via malware implanted in World Cup streaming apps and dating apps, and used fake “honeypot” profiles of attractive members of the opposite sex to lure soldiers into downloading malware. It also infiltrated hundreds of Facebook groups, some closed, relating to IDF activities to monitor members and discussions, and created an online FIFA World Cup group for Israelis which caused those participating to download malware when they clicked links on the page.

However, according to one Cybereason researcher, “They set up fake accounts, but while usually such accounts are quite easy to spot, in this case they would seem very real to an untrained eye.” The company’s report added that “They were extremely active accounts, they were very well versed in Israeli politics and current events, they chatted with their victims and posted in perfect Hebrew, with none of the tell-tale signs of fake foreign accounts.” Furthermore, the malware being spread by this catfishing campaign is reportedly far more advanced than that previously utilised by Hamas.

While both Iran and its proxies might be improving the quality of their phishing and catfishing, overall, this remains an unsophisticated approach and indicates that, at least for now, Iran is probably not capable of meaningful cyberattacks against infrastructure. Then again, the easiest means to bypass cybersecurity protocols is through human negligence – all it takes is for one important security or government official to fall for these tricks, and all information thereby gleaned will be passed to Iran. As we wrote in 2019 about these catfishing campaigns by Hamas and Hezbollah over the past ten years, “[technical] sophistication is not necessarily the most useful means of measuring a threat.”

RELATED ARTICLES

Image: Shutterstock

China could be the key to the success of the renewed “snapback sanctions” on Iran

Oct 3, 2025 | Featured, Fresh AIR
Palestinian Authority President Mahmoud Abbas (Image: UN Photo)

Abbas said some positive sounding things in UN speech – pity they are so far-fetched

Sep 30, 2025 | Featured, Fresh AIR
Image: Shutterstock

Media Matters: The ABC’s blind spot

Aug 17, 2025 | Fresh AIR
Fighters and military vehicles belonging to Syrian government forces intervene in the city of Sweida to enforce a ceasefire between Druze factions and Bedouin tribes. Syria, July 20, 2025 (Image: Shutterstock)

Druze crisis tested Israel’s Syria strategy

Jul 31, 2025 | Featured, Fresh AIR
Image: Shutterstock

Media Matters: Smoke and Ire over IHRA

Jul 30, 2025 | Featured, Fresh AIR
President Bill Clinton walks Prime Minister Ehud Barak of Israel and Yasser Arafat of the Palestinian Authority at Camp David, Maryland, July 2000 (Image: Wikipedia)

The silver anniversary of the silver bullet

Jul 29, 2025 | Featured, Fresh AIR
D11a774c 2a47 C987 F4ce 2d642e6d9c8d

Bibi in DC, the Houthi threat and the politicised ICJ opinion

Jul 26, 2024 | Update
Image: Shutterstock

Nine months after Oct. 7: Where Israel stands now

Jul 10, 2024 | Update
Palestinian Red Crescent workers from Al-Najjar Hospital in the city of Rafah, south of the Gaza Strip (Image: Shutterstock)

Hamas’ impossible casualty figures

Mar 28, 2024 | Update
455daec3 C2a8 8752 C215 B7bd062c6bbc

After the Israel-Hamas ceasefire for hostages deal

Nov 29, 2023 | Update
Screenshot of Hamas bodycam footage as terrorists approach an Israeli vehicle during the terror organisation's October 7, 2023 attack in southern Israel, released by the IDF and GPO (Screenshot)

Horror on Video / International Law and the Hamas War

Oct 31, 2023 | Update
Sderot, Israel. 7th Oct, 2023. Bodies of dead Israelis lie on the ground following the attacks of Hamas (Image: Ilia Yefimovich/dpa/Alamy Live News)

Israel’s Sept. 11, only worse

Oct 11, 2023 | Update
Screenshot 2025 10 08 At 9.38.18 am

“It’s a very tough day for Jews worldwide”: Joel Burnie on Sky News

Oct 8, 2025 | Video
Screenshot 2025 10 08 At 9.39.06 am

Antisemitic graffiti on October 7 anniversary “deeply saddening”: Joel Burnie on Sky News

Oct 8, 2025 | Featured, Video
Screenshot 2025 10 07 At 1.16.10 pm

A terrible two years for the Australian Jewish community: Bren Carlill on Sky News

Oct 8, 2025 | Featured, Video
Screenshot

Cautious hope in Israel for Gaza conflict deal: Joel Burnie on Sky News

Oct 5, 2025 | Featured, Video
Screenshot

Protesters should support Gaza ceasefire plan: Joel Burnie on Sky News

Oct 4, 2025 | Video
Screenshot

Antisemitism “a toxin festering through the violent rhetoric on our streets”: Joel Burnie on Sky News

Oct 3, 2025 | Featured, Video

RECENT POSTS

The infamous scenes outside the Sydney opera House, October 2023 (Screenshot)

AIJAC applauds NSW Court of Appeal decision to block Oct. 7 celebration at the Opera House

Image: Shutterstock

AIJAC welcomes news of agreement on first phase of Israel-Hamas peace plan

Hamas' October 7 attack produced scenes that Israelis can never forget (Image: Hamas bodycam)

Israel may win the war, but its reputation has been tarnished beyond repair

Image: Shutterstock

Wounds will heal, but scars remain as Israel marks two years since Hamas massacre

Screenshot 2025 10 08 At 9.38.18 am

“It’s a very tough day for Jews worldwide”: Joel Burnie on Sky News

SORT BY TOPICS