Israel and Iran’s Cyberwar Is Increasingly Targeting Civilians
The past two years show that it is becoming more acceptable to target civilians with cyberattacks.
In 2010, the world was introduced to Stuxnet, a sophisticated malware developed by Israel and the United States that successfully targeted and damaged the Iranian uranium enrichment plant in Natanz. Named “the world's first digital weapon,” Stuxnet changed the way the global security and cybersecurity communities—in government, academia, and industry—perceived the range of cyber threats and types of damage that offensive cyber capabilities can deliver.
While the offensive cyber capabilities of both Iran and Israel have evolved significantly over the past decade, one thing about the Iran-Israel cyber conflict remained consistent: its covert characteristics. For the past two years, however, we have been witnessing a change, with the dynamic moving from the shadows to a more public and open cyber conflict. The turning point can be marked as April 2020, when Iran attempted to damage Israel’s national water and sewage treatment facilities. Israel’s national water authority initially stated that it was a technical malfunction, but it later acknowledged it as a cyberattack that had been identified and thwarted. Several weeks later, it was reported that foreign intelligence officials believed Iran was behind the attack, which could have harmed the civilian population if it had succeeded.
A month later, in May 2020, a cyberattack targeted the computer systems of Iran’s Shahid Rajaee Port in Bandar Abbas near the Strait of Hormuz. According to Iran’s Ports and Maritime Organization, the attack disrupted private companies’ operational systems for several hours but did not affect the port’s security and information systems. More than a week later, the Washington Post cited unnamed officials who identified Israel as the perpetrator of what appeared to be a retaliatory attack. This cluster of intrusions reflects two notable developments in the Iran-Israel cyber conflict. Cyberattacks and intrusions are becoming more public as they also begin to target the civilian populations of Israel and Iran.
As the recent Russian invasion of Ukraine demonstrates, cyber capabilities are not enough to win on the battlefield and can achieve limited goals. Still, offensive cyber capabilities are an important component of warfare. Today, countries appear to be using offensive cyber capabilities in ongoing conflicts that have not escalated to hot wars. This is because in many conflicts, such as the conflict between Israel and Iran, using offensive cyber capabilities allows states to act beneath the threshold of armed conflict.
However, staying below the threshold of armed conflict does not mean that there is no damage. In the past two years, we have seen the tension between the two countries in the cyber arena increase, with harassment of civilians and attacks against critical infrastructures becoming more common. While critical infrastructures remain the main target, civilians in both countries are becoming targets themselves, leading to their daily lives being disrupted and damaged by leaks of sensitive information, among other challenges.
There are several attacks, intrusions, and hack-and-leak operations that highlight this notable change. Iranian cyberattacks on Israeli targets since late 2020 have primarily been ransomware attacks carried out by “Black Shadow” and “Pay2Key,” two known Iranian-related hacking groups. In October 2021, Black Shadow breached the servers of the hosting company Cyberserve. The group leaked the personal information of users of various sites hosted by Cyberserve, including an LGBTQ+ dating app. The results of this intrusion caused great stress in the Israeli LGTBQ+ community. In December 2020, Black Shadow stole a considerable amount of information from the Israeli insurance firm Shirbit, claiming to have sold the data and threatening to release it. While the company claimed that its defense systems were able to block the attack, Black Shadow leaked thousands of private documents proving otherwise. This attack has been called “the worst cyberattack in Israeli history.” That same month, Pay2Key stated that it hacked Israel Aerospace Industries and Portnox, an Israeli cybersecurity company.
This year, Israeli news outlets were hacked on the anniversary of Qassem Soleimani’s assassination. The Jerusalem Post’s main page featured an illustration that apparently resembled Soleimani. CNN reported that the image showed a “bullet-shaped object shooting out of a red ring worn on a finger, an apparent reference to a distinctive ring Soleimani used to wear.” The homepage was replaced with a rendered image of Israel’s Dimona nuclear facility being blown up and the ominous text: “We are close to you where you do not think about it.”
Civilian life in Iran was also disrupted during this period. In October 2021, Iran suffered a cyberattack that caused widespread disruption to gas stations across the country. As a result, citizens could not buy government-subsidized fuel, and only expensive fuel was available in the stations that were still running. When drivers tried to pay with their electronic cards, an error message that said “cyberattack 64411”—an apparent reference to Iranian supreme leader Ali Khamenei’s office hotline—appeared on the screens. It took more than three days for the stations to begin working again; Iran later attributed the attack to Israel and the United States.
As cyber conflict becomes more established and moves into the public sphere, it sometimes still appears to be a “wild west” of sorts, in which states can do as they want without facing punishment. And while targeting critical infrastructures remains the main threat for both countries, the past two years show that it is becoming more acceptable to harm and harass civilians through hack-and-leak operations and ransomware attacks. This will continue to escalate tensions between Iran and Israel, and civilians on both sides will be the ones to suffer the most.
Dr. Gil Baram is a cyber strategy and policy expert. Currently, she is a Fulbright cybersecurity post-doctoral fellow at the Center for International Security and Cooperation (CISAC), Stanford University. Her postdoctoral research focuses on national decision-making during cyber conflict. Dr. Baram is an adjunct fellow at the Centre of Excellence for National Security at Nanyang Technological University in Singapore and a senior research fellow at the Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University. Previously, Dr. Baram served as the Head of cyber and space research team at the Israeli think tank Yuval Ne'eman workshop for Science, Technology and Security.