At the height of the pandemic just over two years ago, Iranian hackers struck several Israeli water facilities, in an unprecedented cyber attack on the country’s civilian infrastructure. They are believed to have hacked into pump-operating software after routing through American and European servers to try to conceal their identity. If the operation had not been detected, water supplies would have been severely disrupted and chemicals, including chlorine, raised to dangerously high levels.
Yigal Unna, then head of Israel’s National Cyber Directorate (NCD), responsible for defending the country’s cyberspace, described the hacking incident as synchronized and organized. He said the outcome could have been “disastrous.” Israel quickly retaliated, crashing computer systems in the Iranian port of Shahid Rahjee, temporarily crippling the facility. Satellite images showed container ships stranded at sea and queues of vehicles stretching for miles outside the port.
The attacks marked an escalation in a long-running cyber conflict between the regional adversaries and demonstrate how cyberspace is likely to be used to sustain low-level conflict between nation states in the future.
The first shots are widely believed to have been fired by Israel over a decade ago in a joint operation with the US that damaged Iran’s Natanz nuclear facility. Tehran has long called for Israel’s destruction, its atomic energy program regarded by Israel as an existential threat.
Cyber war comes out of the shadows
With Iran’s attack on Israel’s water facilities in April 2020, the previously shadowy cyber war sprang into the open, with civilian infrastructure targeted for the first time. Israel took the view that a red line had been crossed. Speaking after the retaliatory Shahid Rahjee operation, the former head of Israeli military intelligence Amos Yadlin said the attack appeared to be a “clear Israeli message to Iran – don’t dare to touch [our] civilian systems…You, the Iranians, are more vulnerable than we are.”
The warning went unheeded. Iran and Israel began mounting a series of seemingly tit-for-tat cyber attacks on each other’s civilian sectors. While Israel has continued to target Natanz, it has broadened its actions, hitting Iranian public services, such as nationwide petrol stations. Iran has mostly breached the databases of Israeli companies and public organizations. For both sides, the apparent aim of the civilian sector operations has been to present their adversary as weak and vulnerable, and to sap national morale.
The actions have been fueled by heightened geopolitical tensions between Israel and Iran. Israel is concerned about Iranian acceleration of its uranium enrichment program and growing military entrenchment in Syria. Iran, meanwhile, has been unnerved by Israel’s targeted killing of Iranian nuclear scientists and, more recently, senior members of the Islamic Revolutionary Guards Corps (IRGC). A branch of the Iranian military, the IRGC is behind the country’s covert military activities in the region and beyond, including cyberattacks.
Cyber attacks allow for plausible deniability
While the two sides have long been implacable enemies, they share mutual concern about the risk of rapid escalation from any direct confrontation. Israel is an undeclared nuclear weapons state, and both Israel and Iran possess ballistic missile arsenals. As such, the digital sabotage of civilian assets seems to have become an important tactic in their clandestine warfare strategies – not least because it allows for a degree of plausible deniability. Both countries refrain from publicly claiming responsibility for their cyber actions.
Indeed, the cyber attacks appear to have intensified this year, Iran’s evidently growing effectiveness giving the Israelis pause, despite their technological superiority. Israel is considered to be among the world’s leading cyber powers – in the same league as China, Russia and the UK – attracting sizeable global private investment in its cybersecurity industry. Much of the latter’s expertise and talent is drawn from the Israeli army, a US military cyber partner.
While not as advanced as its regional rival, Tehran has been building up its capabilities in recent years. The IRGC has outsourced much of the country’s cyber operations to trusted independent groups. Israeli cyber experts believe that some of these have seized on the digital vulnerabilities of Israel’s private sector – with domestic telecoms companies regarded by Jerusalem as a weak link in its cyber defenses. Iranian-sponsored hackers have also targeted the US, striking multiple critical infrastructure sectors, including transport and healthcare.
‘Cyber Dome’ planned to buttress digital defenses
Such is the Iranian threat to Israel that the new head of the NCD, Gaby Portnoy, declared in June that Tehran along with its proxies Hamas and Hezbollah had become its “dominant rival in cyberspace.” The admission came as he unveiled plans to develop a cyber-defense umbrella, intended to perform a similar role to Israel’s Iron Dome missile system, used to intercept rockets fired by Iran’s proxies from Gaza and Lebanon.
Employing a “new big data, AI, overall approach to proactive defense,” Portnoy said the Cyber Dome would synchronize “nation-level, real-time detection, analysis, and mitigation of threats” to reduce the harm caused by cyber attacks at scale. In “moving faster from resilience to proactive defence,” he said Israel aimed to pursue cyber attackers in their digital safe havens. No other details of the project were provided, nor any indication of when it would be operational.
The urgency of the project was underlined by a significant development in the latest phase of the cyber war. A day before Portnoy’s announcement, Israeli cyber attacks struck three steel plants, temporarily halting production at one of them, the Khuzestan facility. The attacks were a response to an Iranian hack that set off incoming rocket sirens in Jerusalem and Eilat. Israel’s then-outgoing prime minister Naftali Bennett came close to publicly admitting that Jerusalem was responsible for the steel plant operation, declaring that those who “mess with Israel” will “pay a price.”
The warning appeared to reflect a growing exasperation within the political and security establishment over both the boldness and disruptiveness of the recent Iranian cyber actions. Since the beginning of the year, these have included distributed denial-of-service attacks that took down the websites of the Tel Aviv light railway system and the Israel Airports Authority; spear-phishing breaches of the email accounts of senior Israeli figures; and leaks of the personal information of over 300,000 Israelis obtained in hacks of popular travel-booking websites. The Israeli military have also been targeted. This month the army said in the past year it had thwarted dozens of attempts by Iran to carry out cyber attacks.
Rapid digitization has made the Israeli economy more vulnerable to cyber attack, leaving the government keen to address this key vulnerability. In May, Communications Minister Yoaz Hendel ordered telecoms companies to bolster their cyber defenses with “the best detection-identification, containment and recovery capabilities available.” He said state and other entities had homed in on telecoms infrastructure to hit strategic targets. The intervention came amid news of a 137 percent annual increase in average weekly cyber attacks on Israeli companies in the first three months of the year; Iran is suspected of being behind many of them.
Iranian influence operations disguised as ransomware attacks
To better counter the cyber threat posed by Iran, Israeli researchers have sought to gain a clearer understanding of its methods and aims by studying Iranian attacks over the last two years. They assess that many of those targeting the Israeli private sector (resulting in the leaking of personal information, the takeover of websites and disruption to companies) have the appearance of ransomware attacks but are in fact influence – rather than money-making – operations, conducted by cyber actors disguised as ransomware groups.
The assessment, set out in a special report published by the Institute for National Security Studies, a leading Israeli research institute, suggests that Iranian hackers are exploiting the country’s “soft underbelly,” the cybersecurity systems of Israeli businesses, to exert psychological pressure, “with the aim in part of sowing fear and embarrassment in the public consciousness.”
While the attacks are not technically sophisticated, the report states, they are effective due to the “low level of security and insufficient awareness of the need to invest” in the cyber defenses of the civilian private sector in Israel “as well as the considerable attention in the Israeli media to the attacks.”
Given their apparent complexity and ambition, Israel’s Cyber Dome plans may take some time to come to fruition, but in the short term, the government appears determined to beef up the business sector’s digital defenses. The shift towards greater cyber resilience will probably be expedited by the prospect of a revived international deal to limit Tehran’s nuclear program in exchange for the easing of sanctions.
Jerusalem wants to maintain Iran’s isolation. Even if a deal is struck, it believes Tehran will pursue nuclear weapon ambitions. Israel’s premier Yair Lapid said in August his country would prevent Iran from doing so, with a former senior Israeli intelligence official suggesting this would be done clandestinely. Some observers propose that this might include renewed targeting of Iran’s scientists and cyber operations against its nuclear program.
Having developed its capability and identified vulnerabilities in private sector critical national infrastructure, it is likely that Iran will seek to escalate its retaliatory attacks. Its actions are also likely to serve as a model for other cyber-capable states seeking to disrupt and derail their adversaries.
David Claridge is the CEO of the geopolitical and security intelligence service Dragonfly. A commentator on security and intelligence issues, David holds a PhD in International Relations from the University of St Andrews.