No increased Iranian cyberthreat to Israel
May 3, 2023 | Oved Lobel
Despite worries of increased cooperation between Russia and Iran in cyberspace, to date there is no clear evidence that such cooperation has occurred. Moreover, there does not appear to be any clear indication that Iran’s ability to conduct sophisticated cyberattacks has improved recently, despite a series of cyberattacks on Israel making headlines over the past two months.
The Wall Street Journal in March cited “people familiar with the matter” claiming that “Moscow has likely already shared with Iran more advanced software that would allow it to hack the phones and systems of dissidents and adversaries.” Similar reports emerged in March 2019, when Israel’s Channel 12 claimed that Russia had given Iran ‘zero-click exploits’ that Iran had allegedly used to hack the phone of Benny Gantz, then a candidate for prime minister. If those reports were even correct, there is no indication such exploits have been used since.
The idea of increased Russian involvement alongside Iran in attacks against Israel has been related to unsophisticated Distributed Denial-of-Service (DDoS) attacks on Israeli websites by “Anonymous Sudan”, which is reported to be a cover for the Russia-linked “Killnet” group. Whatever the case, the group seems to be very focused on annoying countries and organisations deemed hostile to either the Kremlin or Islam, and Israel is far from the only country targeted in its global DDoS campaigns.
However, these particular attacks by Anonymous Sudan were part of OpIsrael, a yearly campaign that has existed since 2013 for anti-Israel hackers across the world to launch occasionally mildly disruptive but nonetheless unsophisticated attacks against Israeli websites and organisations.
During the escalation between Israel and Gaza-based terrorist groups overnight, Anonymous Sudan claimed it had taken down so many Iron Dome missile defence alert systems that it had stopped the system from intercepting all rockets fired. While Iron Dome’s intercept success rate was lower than usual, there is no evidence Anonymous Sudan had anything to do with it. Should it transpire that hackers can intervene during conflict to disrupt Iron Dome, that would indeed be worrisome – but there is no reason as yet to believe the group’s claims.
The group further claimed it was behind power outages across Israel and that it had “gained access to very sensitive data from the Israeli government,” which it “will leak in due time.” It also claimed it was targeting Israel’s internet. These claims are also entirely unsubstantiated.
A slightly more serious ransomware attack on Israel’s Technion Institute was conducted by Iran’s “MuddyWater” group in March, but did not severely impact operations and was also part of a global campaign. MuddyWater has previously conducted such ransomware attacks, including against Israeli institutions, such as its global “Operation Quicksand” campaign in 2020.
The only serious attempted cyberattack targeting Israeli infrastructure by Iran remains the April 2020 attempt against its water distribution network, although even there the sophistication and odds of success were contested, with one intelligence official describing the attack’s sophistication as “miserable”.
Another cyberattack targeting Israeli water infrastructure in early April this year damaged some water controllers and control systems of the Galil Sewage Corporation, though the attack has not been publicly attributed to Iran and coincided with OpIsrael and a general period of anti-Israel cyberattacks during the Muslim holy month of Ramadan. Israel had already warned of planned cyberattacks on those dates, so many farmers in the area had already turned off remote control for their irrigation systems.
Similar cyberattacks against water infrastructure occurred in July 2020, also not publicly attributed to Iran.
By and large, Iranian activity in cyberspace is focused primarily on propaganda and disinformation, and its hackers mostly rely on “social engineering” techniques, including fake profiles and websites and “typosquatting” links, to gather information. While some Iranian cyber actors have reportedly improved their hacking tools recently, the baseline is extremely low.
Despite the alleged doubling in cyberattacks against Israel in 2022 – to 200 a month from approximately 88 on average the year before – Iran for the time being remains, as AIJAC assessed in April 2022, more of a cybernuisance and is still incapable of posing a serious threat.