Iran Accelerates Cyber Operations Against Israel

Since Hamas attacked Israel in October 2023, Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners, a report by Microsoft showed.

Iranian focus on Israel has intensified. The outbreak of the Israel-Hamas war saw 43% of Iranian nation-state cyber activity focused on Israel.

Many of Iran’s immediate operations after October 7 were hasty and chaotic – indicating it had little or no coordination with Hamas – but it nevertheless has achieved growing success.

The report also noted collaboration between Iran and a group affiliated with Hezbollah in Lebanon.

Iran will continue to test redlines, as they have done with an attack on an Israeli hospital and US water systems in late November.

As we look forward to the 2024 US presidential election, Iranian activities could build on what happened in 2020 when they impersonated American extremists and incited violence against US government officials.

Three phases of Iran’s cyber operations

Iran’s cyber-enabled operations in the Israel-Hamas war have moved through three phases since October 7.

Phase 1: Reactive and misleading

The first phase saw misleading claims from Iranian state media. One example was IRGC-affiliated Tasnim News Agency claiming that a group called “Cyber Avengers” had conducted cyberattacks against an Israeli power plant “at the same time” as the Hamas attacks. Cyber Avengers itself (also likely run by the IRGC) claimed to have attacked an Israeli electric company the evening before the Hamas attacks. However, its evidence was only some weeks-old press reporting of power outages “in recent years” and a screenshot of an undated disruption to the company’s website.

Phase 2: All hands on deck

Sometimes, multiple Iranian groups were targeting the same organization or military base in Israel with cyber or influence activity. This suggests coordination, common objectives set in Tehran, or both.

Iran’s 10 cyber-enabled operations against Israel in October marks a new high point. This was nearly double the previous high point of six operations per month in November 2022.

One example happened on October 18 when the IRGC’s Shahid Kaveh Group used customized ransomware to conduct cyberattacks against security cameras in Israel. It then used one of its cyber personas, “Soldiers of Solomon,” to falsely claim it had ransomed security cameras and data at Nevatim Air Force Base. Examination of the security footage Soldiers of Solomon leaked reveals it was from a town north of Tel Aviv with a Nevatim street, not the airbase of the same name.

Phase 3: Expanding geographic scope

In late November 2023, Iranian groups began expanding their cyber-enabled influence beyond Israel, targeting countries Iran perceives are supporting Israel. This aligned with the Iran-backed Houthis starting their attacks on international shipping.

On November 20, the MOIS-aligned cyber persona “Homeland Justice” warned of forthcoming cyberattacks on Albania. They later claimed credit for attacks on a range of Albanian organizations and institutions.

On November 21, the cyber persona “al-Toufan” targeted Bahraini government and financial organizations for normalizing ties with Israel.

By November 22, IRGC-affiliated groups began targeting Israeli-made programmable logic controllers (PLCs) in the United States, including taking one offline at a water authority in Pennsylvania on November 25. PLCs are industrial computers adapted for the control of manufacturing processes, such as assembly lines, machines, and robotic devices.

Since the outbreak of the Israel-Hamas war on October 7, Iran has increased its influence operations and hacking efforts against Israel. These attacks were reactive and opportunistic in the early days of the war but, by late October, nearly all of its influence and major cyber actors were targeting Israel.

Cyberattacks became increasingly targeted and destructive and IO campaigns grew increasingly sophisticated and inauthentic, deploying networks of social media “sockpuppet” accounts.

Iran’s activity quickly grew from nine Microsoft-tracked groups active in Israel during the first week of the war to 14, two weeks into the war. Cyber-enabled influence operations went from roughly one operation every other month in 2021 to 11 in October 2023 alone.

A 42% increase in traffic, in the first week of the war, to news sites run by or affiliated to the Iranian state. Even three weeks later, this traffic was still 28% above pre-war levels.

Iran’s objectives

Destabilization through polarization

Iran aims to exacerbate domestic political and social rifts in its targets, often focusing on the Israeli government’s approach to the 240 hostages taken by Hamas into Gaza and masquerading as peace-seeking activist groups criticizing the Israeli government. Israeli Prime Minister Netanyahu is the primary target of such messaging, often calling for his removal.

Retaliation

Many of Iran’s messaging and targets are explicitly retaliatory. The persona Cyber Avengers claimed it had targeted Israeli electricity, water, and fuel infrastructure in retaliation for Israel stating it would cut off electricity, water and fuel to Gaza and elsewhere referenced “an eye for an eye.”

Intimidation

Iran’s operations also aim to undermine Israeli security and intimidate Israel’s citizens and international supporters and threaten the families of Israeli army soldiers. Sockpuppet accounts spread messaging on X that the army “does not have any power to protect its own soldiers.” Other messaging, as in the example below, appears aimed at attempting to convince Israeli army soldiers to give up.

Undermining international support for Israel

Iranian Influence actors often include messaging that seeks to weaken international support for Israel by highlighting the damage caused by Israel’s attacks on Gaza.

Iran AI-generated attacks

In early December 2023, Iran interrupted streaming television services and replaced them with a fake news video featuring an apparently AI-generated news anchor. This marked the first Iranian influence operation Microsoft has detected where AI played a key component in its messaging and is one example of the fast and significant expansion in the scope of Iranian operations since the start of the Israel-Hamas conflict. The disruption reached audiences in the UAE, UK, and Canada.

Microsoft’s AI for Good Lab’s Iranian Propaganda Index (IPI) monitors the proportion of traffic visiting Iranian state and state-affiliated news outlets and amplifiers compared to overall traffic on the internet.

In the first week of the conflict, we observed a 42% increase. That surge was particularly pronounced in the United States and its English-speaking allies (UK, Canada, Australia, and New Zealand), which indicates Iran’s ability to reach Western audiences with its reporting on Middle East conflicts.

While this success was strongest in the early days of the war, the reach of these Iranian sources one month into the war remained 28% above pre-war levels globally.

Trends in Iranian influence operations

Impersonation is not new, but Iranian threat actors are now not just masquerading as their enemies but also their friends. Recent operations from Iranian groups have used the name and logo of Hamas’s military wing, the al-Qassam Brigades, to spread false messaging and threaten Israeli army personnel. It is unclear whether Iran is acting with Hamas’s consent.

Iran has managed to repeatedly recruit unwitting Israelis to engage in on-the-ground activities promoting its false operations. In one recent operation, “Tears of War,” Iranian operatives convinced Israelis to hang branded Tears of War banners using AI-generated images in Israeli neighborhoods, based on Israeli press reporting. A Tears of War banner with an image of Netanyahu that is likely AI-generated. The banner’s text reads “Impeachment now.”

Iran’s use of bulk text message and email campaigns has grown in order to enhance the psychological effects of their cyber-enabled influence operations. Messages appearing on people’s phones or in their inboxes have more impact than sockpuppet accounts on social media. Iran uses overt and covert IRGC-linked media outlets to amplify alleged cyber operations and, at times, exaggerate their effects. In September, after Cyber Avengers claimed cyberattacks against Israel’s railway system, IRGC-linked media almost immediately amplified and exaggerated their claims.

Bangladeshi police detectives on Friday forced the discharge from hospital of three student protest leaders blamed for deadly unrest, taking them to an unknown location, staff told AFP.

Nahid Islam, Asif Mahmud and Abu Baker Majumder are all members of Students Against Discrimination, the group responsible for organizing this month's street rallies against civil service hiring rules.

At least 195 people were killed in the ensuing police crackdown and clashes, according to an AFP count of victims reported by police and hospitals, in some of the worst unrest of Prime Minister Sheikh Hasina's tenure.

All three were patients at a hospital in the capital Dhaka, and at least two of them said their injuries were caused by torture in earlier police custody.

"They took them from us," Gonoshasthaya hospital supervisor Anwara Begum Lucky told AFP. "The men were from the Detective Branch."

She added that she had not wanted to discharge the student leaders but police had pressured the hospital chief to do so.

Islam's elder sister Fatema Tasnim told AFP from the hospital that six plainclothes detectives had taken all three men.

The trio's student group had suspended fresh protests at the start of this week, saying they had wanted the reform of government job quotas but not "at the expense of so much blood".

The pause was due to expire earlier on Friday but the group had given no indication of its future course of action.

Islam, 26, the chief coordinator of Students Against Discrimination, told AFP from his hospital bed on Monday that he feared for his life.

He said that two days beforehand, a group of people identifying themselves as police detectives blindfolded and handcuffed him and took him to an unknown location.

Islam added that he had come to his senses the following morning on a roadside in Dhaka.

Mahmud earlier told AFP that he had also been detained by police and beaten at the height of last week's unrest.

Three senior police officers in Dhaka all denied that the trio had been taken from the hospital and into custody on Friday.

- Garment tycoon arrested -

Police told AFP on Thursday that they had arrested at least 4,000 people since the unrest began last week, including 2,500 in Dhaka.

On Friday police said they had arrested David Hasanat, the founder and chief executive of one of Bangladesh's biggest garment factory enterprises.

His Viyellatex Group employs more than 15,000 people according to its website, and its annual turnover was estimated at $400 million by the Daily Star newspaper last year.

Dhaka Metropolitan Police inspector Abu Sayed Miah said Hasanat and several others were suspected of financing the "anarchy, arson and vandalism" of last week.

Bangladesh makes around $50 billion in annual export earnings from the textile trade, which services leading global brands including H&M, Gap and others.

Student protests began this month after the reintroduction in June of a scheme reserving more than half of government jobs for certain candidates.

With around 18 million young people in Bangladesh out of work, according to government figures, the move deeply upset graduates facing an acute jobs crisis.

Critics say the quota is used to stack public jobs with loyalists to Hasina's Awami League.

- 'Call to the nation' -

The Supreme Court cut the number of reserved jobs on Sunday but fell short of protesters' demands to scrap the quotas entirely.

Hasina has ruled Bangladesh since 2009 and won her fourth consecutive election in January after a vote without genuine opposition.

Her government is also accused by rights groups of misusing state institutions to entrench its hold on power and stamp out dissent, including the extrajudicial killing of opposition activists.

Hasina continued a tour of government buildings that had been ransacked by protesters, on Friday visiting state broadcaster Bangladesh Television, which was partly set ablaze last week.

"Find those who were involved in this," she said, according to state news agency BSS.

"Cooperate with us to ensure their punishment. I am making this call to the nation."

Iran Accelerates Cyber Operations Against Israel