Since Hamas attacked Israel in October 2023, Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners, a report by Microsoft showed.
Iranian focus on Israel has intensified. The outbreak of the Israel-Hamas war saw 43% of Iranian nation-state cyber activity focused on Israel.
Many of Iran’s immediate operations after October 7 were hasty and chaotic – indicating it had little or no coordination with Hamas – but it nevertheless has achieved growing success.
The report also noted collaboration between Iran and a group affiliated with Hezbollah in Lebanon.
Iran will continue to test redlines, as they have done with an attack on an Israeli hospital and US water systems in late November.
As we look forward to the 2024 US presidential election, Iranian activities could build on what happened in 2020 when they impersonated American extremists and incited violence against US government officials.
Three phases of Iran’s cyber operations
Iran’s cyber-enabled operations in the Israel-Hamas war have moved through three phases since October 7.
Phase 1: Reactive and misleading
The first phase saw misleading claims from Iranian state media. One example was IRGC-affiliated Tasnim News Agency claiming that a group called “Cyber Avengers” had conducted cyberattacks against an Israeli power plant “at the same time” as the Hamas attacks. Cyber Avengers itself (also likely run by the IRGC) claimed to have attacked an Israeli electric company the evening before the Hamas attacks. However, its evidence was only some weeks-old press reporting of power outages “in recent years” and a screenshot of an undated disruption to the company’s website.
Phase 2: All hands on deck
Sometimes, multiple Iranian groups were targeting the same organization or military base in Israel with cyber or influence activity. This suggests coordination, common objectives set in Tehran, or both.
Iran’s 10 cyber-enabled operations against Israel in October marks a new high point. This was nearly double the previous high point of six operations per month in November 2022.
One example happened on October 18 when the IRGC’s Shahid Kaveh Group used customized ransomware to conduct cyberattacks against security cameras in Israel. It then used one of its cyber personas, “Soldiers of Solomon,” to falsely claim it had ransomed security cameras and data at Nevatim Air Force Base. Examination of the security footage Soldiers of Solomon leaked reveals it was from a town north of Tel Aviv with a Nevatim street, not the airbase of the same name.
Phase 3: Expanding geographic scope
In late November 2023, Iranian groups began expanding their cyber-enabled influence beyond Israel, targeting countries Iran perceives are supporting Israel. This aligned with the Iran-backed Houthis starting their attacks on international shipping.
On November 20, the MOIS-aligned cyber persona “Homeland Justice” warned of forthcoming cyberattacks on Albania. They later claimed credit for attacks on a range of Albanian organizations and institutions.
On November 21, the cyber persona “al-Toufan” targeted Bahraini government and financial organizations for normalizing ties with Israel.
By November 22, IRGC-affiliated groups began targeting Israeli-made programmable logic controllers (PLCs) in the United States, including taking one offline at a water authority in Pennsylvania on November 25. PLCs are industrial computers adapted for the control of manufacturing processes, such as assembly lines, machines, and robotic devices.
Since the outbreak of the Israel-Hamas war on October 7, Iran has increased its influence operations and hacking efforts against Israel. These attacks were reactive and opportunistic in the early days of the war but, by late October, nearly all of its influence and major cyber actors were targeting Israel.
Cyberattacks became increasingly targeted and destructive and IO campaigns grew increasingly sophisticated and inauthentic, deploying networks of social media “sockpuppet” accounts.
Iran’s activity quickly grew from nine Microsoft-tracked groups active in Israel during the first week of the war to 14, two weeks into the war. Cyber-enabled influence operations went from roughly one operation every other month in 2021 to 11 in October 2023 alone.
A 42% increase in traffic, in the first week of the war, to news sites run by or affiliated to the Iranian state. Even three weeks later, this traffic was still 28% above pre-war levels.
Iran’s objectives
Destabilization through polarization
Iran aims to exacerbate domestic political and social rifts in its targets, often focusing on the Israeli government’s approach to the 240 hostages taken by Hamas into Gaza and masquerading as peace-seeking activist groups criticizing the Israeli government. Israeli Prime Minister Netanyahu is the primary target of such messaging, often calling for his removal.
Retaliation
Many of Iran’s messaging and targets are explicitly retaliatory. The persona Cyber Avengers claimed it had targeted Israeli electricity, water, and fuel infrastructure in retaliation for Israel stating it would cut off electricity, water and fuel to Gaza and elsewhere referenced “an eye for an eye.”
Intimidation
Iran’s operations also aim to undermine Israeli security and intimidate Israel’s citizens and international supporters and threaten the families of Israeli army soldiers. Sockpuppet accounts spread messaging on X that the army “does not have any power to protect its own soldiers.” Other messaging, as in the example below, appears aimed at attempting to convince Israeli army soldiers to give up.
Undermining international support for Israel
Iranian Influence actors often include messaging that seeks to weaken international support for Israel by highlighting the damage caused by Israel’s attacks on Gaza.
Iran AI-generated attacks
In early December 2023, Iran interrupted streaming television services and replaced them with a fake news video featuring an apparently AI-generated news anchor. This marked the first Iranian influence operation Microsoft has detected where AI played a key component in its messaging and is one example of the fast and significant expansion in the scope of Iranian operations since the start of the Israel-Hamas conflict. The disruption reached audiences in the UAE, UK, and Canada.
Microsoft’s AI for Good Lab’s Iranian Propaganda Index (IPI) monitors the proportion of traffic visiting Iranian state and state-affiliated news outlets and amplifiers compared to overall traffic on the internet.
In the first week of the conflict, we observed a 42% increase. That surge was particularly pronounced in the United States and its English-speaking allies (UK, Canada, Australia, and New Zealand), which indicates Iran’s ability to reach Western audiences with its reporting on Middle East conflicts.
While this success was strongest in the early days of the war, the reach of these Iranian sources one month into the war remained 28% above pre-war levels globally.
Trends in Iranian influence operations
Impersonation is not new, but Iranian threat actors are now not just masquerading as their enemies but also their friends. Recent operations from Iranian groups have used the name and logo of Hamas’s military wing, the al-Qassam Brigades, to spread false messaging and threaten Israeli army personnel. It is unclear whether Iran is acting with Hamas’s consent.
Iran has managed to repeatedly recruit unwitting Israelis to engage in on-the-ground activities promoting its false operations. In one recent operation, “Tears of War,” Iranian operatives convinced Israelis to hang branded Tears of War banners using AI-generated images in Israeli neighborhoods, based on Israeli press reporting. A Tears of War banner with an image of Netanyahu that is likely AI-generated. The banner’s text reads “Impeachment now.”
Iran’s use of bulk text message and email campaigns has grown in order to enhance the psychological effects of their cyber-enabled influence operations. Messages appearing on people’s phones or in their inboxes have more impact than sockpuppet accounts on social media. Iran uses overt and covert IRGC-linked media outlets to amplify alleged cyber operations and, at times, exaggerate their effects. In September, after Cyber Avengers claimed cyberattacks against Israel’s railway system, IRGC-linked media almost immediately amplified and exaggerated their claims.
