Since Hamas’ October 7 surprise attack on Israel, a flurry of cyber activity has unfolded alongside the fighting on the ground. Pro-Hamas hackers across the globe have Zoom-bombed Israeli government meetings, tampered with billboards, knocked the Jerusalem Post offline, and temporarily disrupted Israel’s Red Alert app that provides citizens with real-time data on rockets. Yet counter to many expectations, Iranian cyber operators have been noticeably quiet.
It would be a mistake to let Iran’s muted cyber involvement thus far breed a false sense of security. Yes, Microsoft’s cyber threat tracking (some of the best in the business) shows that 11 days passed before Iranian hackers even jumped into the fray. And yes, digital forensics show that Tehran’s opportunistic ransomware attacks supporting Hamas have achieved minimal strategic impact. But the longer the Israel-Hamas conflict draws out, the greater the danger that Iran strings together these disparate cyber attacks into a more coherent and sophisticated campaign against Tel Aviv.
Iran’s cyber operations on Israel have become increasingly bold over the last few years. Across 2020 and 2021, Iran persistently targeted Israeli infrastructure, causing Israel to respond in kind. Iranian operations took aim at Israel’s water infrastructure, extorted one of Israel’s most important web-hosting firms, and assaulted civilian hospitals with ransomware. In response, Tel Aviv targeted a major Iranian port facility, delayed public railway systems across Iran, and disrupted approximately 3,400 gas stations by compromising a digital payment system. With the conflict in Gaza as an accelerant, this tit-for-tat relationship has the potential to burn even hotter.
In reality, Iran’s lackluster effort in the conflict’s opening salvo is likely tied to Hamas’ operational secrecy. To maintain the element of surprise, Hamas purportedly planned its attack using old-fashioned communications methods, such as hardwired phones running through the militant group’s network of tunnels underneath Gaza. Furthermore, Microsoft has found no evidence of coordination between Hamas and Iranian cyber forces. Any such coordination would have alerted Israel to impending action. Therefore, Iranian cyber operators were seemingly caught off guard by Hamas’ October 7 assault.
As a result, Tehran has had to rely on existing espionage operations and access to compromised systems to support Hamas. But cyber espionage can take years to set up, and operational infrastructure pivots slowly. Targeting and infiltrating processes can be lengthy, and programs are often designed to sit unnoticed on adversarial networks for months or years. Malicious payloads for intelligence collection also have limited reusability—they are highly tailored to specific networks or devices and lack applicability to broader sets of targets. Such operational infrastructure is unsuited for coordinating with events on the ground that call for reusable, disruptive payloads that can quickly be deployed against multiple targets. For instance, Russia has unleashed an unprecedented amount of data-destroying malware (“wiperware”) against Ukraine throughout their war due to the ease and speed with which cyber operators can upgrade and indiscriminately redeploy older wipers. It takes significant time to redirect cyber operations and their ecosystems—time that Hamas did not provide to Iran.
But a prolonged fight between Israel and Hamas can provide geopolitical conditions ripe for experimentation and aggression in cyberspace. A protracted conflict provides Iran with the necessary time to marshal and integrate its capabilities into disruptive cyber campaigns. Continued hacktivism also provides convenient cover for a cyber offensive against Israel. Fortunately, cyber operations are rarely escalatory: They function more as a tool for subversion, intelligence competition, and constant action below the threshold of armed conflict than as a coercive tool against adversaries’ behavior. As such, cyber operations are unlikely to directly intensify the fighting in Gaza. But through concerted cyber campaigning, Iran can strategically enable or reinforce Hamas’ non-cyber operations on the ground.
And thanks to its ever-growing digital toolkit, the revolutionary Islamic regime remains a wild card. Tehran has significantly upgraded its cyber capabilities over the last decade. For instance, the regime used simple traffic requests to overload networks in its 2011-2013 campaign against the U.S. banking sector. Even the 2012 Shamoon attack on Saudi Aramco—which caused millions of dollars in damages and lost profits for the world’s largest oil and gas exporter—was a copycat attack based on the Stuxnet worm deployed against Iranian nuclear centrifuges years earlier.
Fast forward to the 2020s and Iran’s cyber capabilities have vastly improved. As evidenced by its voter intimidation operation during the 2020 U.S. presidential election—wherein registered Democratic voters received emails threatening violence if they didn’t vote Trump, which appeared to be from the Proud Boys—the regime can now pair its cyber operations with realistic social engineering. In July 2022, Tehran conducted a series of debilitating cyber attacks against Albania that nearly drove the government to invoke NATO’s collective defense clause. More recently, Iran is allegedly building exploits to hack and control Israeli and U.S. drones.
The dangerous Iranian-Russian partnership is only accelerating Tehran’s capability development. Russia has become increasingly reliant upon Iranian drones and munitions to fight in Ukraine. In exchange, the Kremlin has delivered sophisticated digital capabilities to Tehran. This cooperation directly ties together two seemingly unrelated conflicts: Iranian arms are shaping events on the ground in Ukraine, and Russian-developed cyber tools can influence the cyber fight surrounding Gaza. The longer the conflict lasts, the more significant the influence the war in Ukraine has on Gaza’s cyber dimensions. This cooperation spells danger for Israel and those like the United States providing cyber assistance. And for the Biden administration, it shows that cyberspace is integral to how authoritarians challenge and undermine the liberal, rules-based international order. U.S. cyber defense planning and partnerships cannot ignore the interrelated nature of these two threats, as success by one is likely to embolden the other.