Prolonged Conflict Between Israel and Hamas Increases the Threat of Iranian Cyber Attacks

Also, the longer the war goes on, the more opportunity for Russia to help the Islamic Republic.

By
6
(Photo illustration by Jakub Porzycki/NurPhoto/Getty Images)

Since Hamas’ October 7 surprise attack on Israel, a flurry of cyber activity has unfolded alongside the fighting on the ground. Pro-Hamas hackers across the globe have Zoom-bombed Israeli government meetings, tampered with billboards, knocked the Jerusalem Post offline, and temporarily disrupted Israel’s Red Alert app that provides citizens with real-time data on rockets. Yet counter to many expectations, Iranian cyber operators have been noticeably quiet.

It would be a mistake to let Iran’s muted cyber involvement thus far breed a false sense of security. Yes, Microsoft’s cyber threat tracking (some of the best in the business) shows that 11 days passed before Iranian hackers even jumped into the fray. And yes, digital forensics show that Tehran’s opportunistic ransomware attacks supporting Hamas have achieved minimal strategic impact. But the longer the Israel-Hamas conflict draws out, the greater the danger that Iran strings together these disparate cyber attacks into a more coherent and sophisticated campaign against Tel Aviv.

Iran’s cyber operations on Israel have become increasingly bold over the last few years. Across 2020 and 2021, Iran persistently targeted Israeli infrastructure, causing Israel to respond in kind. Iranian operations took aim at Israel’s water infrastructure, extorted one of Israel’s most important web-hosting firms, and assaulted civilian hospitals with ransomware. In response, Tel Aviv targeted a major Iranian port facility, delayed public railway systems across Iran, and disrupted approximately 3,400 gas stations by compromising a digital payment system. With the conflict in Gaza as an accelerant, this tit-for-tat relationship has the potential to burn even hotter.

In reality, Iran’s lackluster effort in the conflict’s opening salvo is likely tied to Hamas’ operational secrecy. To maintain the element of surprise, Hamas purportedly planned its attack using old-fashioned communications methods, such as a hardwired phones running through the militant group’s network of tunnels underneath Gaza. Furthermore, Microsoft has found no evidence of coordination between Hamas and Iranian cyber forces. Any such coordination would have alerted Israel to impending action. Therefore, Iranian cyber operators were seemingly caught off guard by Hamas’ October 7 assault.

As a result, Tehran has had to rely on existing espionage operations and access to compromised systems to support Hamas. But cyber espionage can take years to set up, and operational infrastructure pivots slowly. Targeting and infiltrating processes can be lengthy, and programs are often designed to sit unnoticed on adversarial networks for months or years. Malicious payloads for intelligence collection also have limited reusability—they are highly tailored to specific networks or devices and lack applicability to broader sets of targets. Such operational infrastructure is unsuited for coordinating with events on the ground that call for reusable, disruptive payloads that can quickly be deployed against multiple targets. For instance, Russia has unleashed an unprecedented amount of data-destroying malware (“wiperware”) against Ukraine throughout their war due to the ease and speed with which cyber operators can upgrade and indiscriminately redeploy older wipers. It takes significant time to redirect cyber operations and their ecosystems—time that Hamas did not provide to Iran.

But a prolonged fight between Israel and Hamas can provide geopolitical conditions ripe for experimentation and aggression in cyberspace. A protracted conflict provides Iran with the necessary time to marshal and integrate its capabilities into disruptive cyber campaigns. Continued hacktivism also provides convenient cover for a cyber offensive against Israel. Fortunately, cyber operations are rarely escalatory: They function more as a tool for subversion, intelligence competition, and constant action below the threshold of armed conflict than as a coercive tool against adversaries’ behavior. As such, cyber operations are unlikely to directly intensify the fighting in Gaza. But through concerted cyber campaigning, Iran can strategically enable or reinforce Hamas’ non-cyber operations on the ground.

And thanks to its ever-growing digital toolkit, the revolutionary Islamic regime remains a wild card. Tehran has significantly upgraded its cyber capabilities over the last decade. For instance, the regime used simple traffic requests to overload networks in its 2011-2013 campaign against the U.S. banking sector. Even the 2012 Shamoon attack on Saudi Aramco—which caused millions of dollars in damages and lost profits for the world’s largest oil and gas exporter—was a copycat attack based on the Stuxnet worm deployed against Iranian nuclear centrifuges years earlier.

Fast forward to the 2020s and Iran’s cyber capabilities have vastly improved. As evidenced by its voter intimidation operation during the 2020 U.S. presidential election—wherein registered Democratic voters received emails threatening violence if they didn’t vote Trump, which appeared to be from the Proud Boys—the regime can now pair its cyber operations with realistic social engineering. In July 2022, Tehran conducted a series of debilitating cyber attacks against Albania that nearly drove the government to invoke NATO’s collective defense clause. More recently, Iran is allegedly building exploits to hack and control Israeli and U.S. drones.

The dangerous Iranian-Russian partnership is only accelerating Tehran’s capability development. Russia has become increasingly reliant upon Iranian drones and munitions to fight in Ukraine. In exchange, the Kremlin has delivered sophisticated digital capabilities to Tehran. This cooperation directly ties together two seemingly unrelated conflicts: Iranian arms are shaping events on the ground in Ukraine, and Russian-developed cyber tools can influence the cyber fight surrounding Gaza. The longer the conflict lasts, the more significant the influence the war in Ukraine has on Gaza’s cyber dimensions.This cooperation spells danger for Israel and those like the United States providing cyber assistance. And for the Biden administration, it shows that cyberspace is integral to how authoritarians challenge and undermine the liberal, rules-based international order. U.S. cyber defense planning and partnerships cannot ignore the interrelated nature of these two threats, as success by one is likely to embolden the other.

6
By
Comments (6)
Join The Dispatch to participate in the comments.
 
  1. Avatar photo
    Retired Prosecutor

    Iran's provocations, both on its own and through its proxies, grows apace. This of course includes both cyber and kinetic actions. Iran clearly continues to press through previous boundaries, because of the utter lack of any deterrence to do so. Sooner or later they will exceed the tipping point of even this Administration's misplaced, but obsessive, risk avoidance.

    Does the USA and its Israeli ally do anything beyond defensive measures this coming year to stop Iran? The reality is that Iran is at war with us; being forced to join them seems unavoidable.

    Collapse
  2. Pastrken

    The Iranian cyber threat does not go away if Israel stops defending itself, even if it accedes to a cease-fire in Gaza and lets the Hamas rapists and baby-killers live to do it again. Similarly, if the Ukrainians surrender to Russia. Iran's mullahs and the cyber-terrorists they control will continue to seek more and more capacity and opportunities to inflict disaster and destruction...until someone stops them.

    Collapse
    1. Avatar photo
      Jeff Younger

      The current administration has proven beyond a shadow of a doubt that weakness - in this case a feeble minded, elderly buffoon who was not particularly bright to begin with - encourages bad actors to test the limits of American/allied patience. I don’t want to see Trump back in the White House, but for Pete’s sake can someone in this administration take charge? Iran is NOT a friend or partner. The Mullahs are clearly an enemy, same as Putin and Xi. Time to start treating them all as such.

      Collapse
  3. Gideon Reich

    This article appears to suffer from some confusion. Although it understands that Iran's capital is Tehran, it seems to be under the impression that Israel's capital is Tel Aviv, with which Tehran is contrasted with in the article. But it is Jerusalem that has always been Israel's capital. I'm quite surprised to find this kind of mistake in the Dispatch and I hope someone will quickly correct it.

    Collapse
    1. Avatar photo
      Matthew Thirteen

      I think much of the cyber security education, government reception and private cyber security firms may be based in Tel-Aviv.

      Collapse
      1. Avatar photo
        Michael Berkowitz

        That's true. Still.

        Collapse