“They [Iran] know that they can act there more freely [in cyberspace] than in the physical space,” said Gaby Portnoy, the head of the Israel National Cyber Directorate. “We are prepared for that as much as we can.”
Portnoy said there would be a “cost” to any Iranian escalation in cyberspace, implying that Israeli hackers could retaliate against Iran with their own operations. But Portnoy, who is in charge of cyber defense and not offense, said his goal is to keep cyberspace from becoming “another front” in the war between Israel and Hamas.
Iranian hacking groups have proven adept at crippling computer systems at companies in Israel, Saudi Arabia and elsewhere in the Middle East. Israel has its own elite cyber operatives that are, alongside the US, widely suspected to have conducted a cyberattack on an Iranian nuclear facility in 2009. And Israeli covert cyber operations against Iran have continued in recent years.
In the four weeks since the Hamas terrorist attacks on Israel, suspected Iranian hackers have claimed hacks of a slew of security cameras in Israel and posted an instructional video on how to make Molotov cocktails to “attack the Israeli and American embassies,” according to interviews with private cybersecurity experts who track the hackers and CNN’s review of the social media posts.
Analysts say the digital saber-rattling is another way for Iran to project power during the war, aside from rocket and drone attacks on Israeli forces conducted by Lebanese militia Hezbollah, and similar strikes by other Iranian proxies against US troops in Syria and Iraq.
Portnoy also alleged that hackers affiliated with Hezbollah have hacked private security cameras in Israel to try to track the movement of Israeli soldiers in recent weeks.
So far, suspected Iranian hackers appear to have had minimal impact on their publicly claimed targets in Israel in the last month. Their goal seems to be to spread narratives in the media of Israeli and US vulnerabilities to cyberattacks.
But the string of recent Iranian cyber activity has raised concerns among US and Israeli officials that Tehran could use its substantial hacking capabilities to hit Israeli and US interests while avoiding a direct kinetic confrontation with the Israelis. The US intelligence community believes – for now – that Iran and its proxies are calibrating their response to the Israel-Hamas war to avoid direct conflict with Israel or the US while still exacting costs on its adversaries, CNN has reported.
Data-wiping attacks blocked
A fresh reminder of the potential for escalation in cyberspace came Monday last week when US cybersecurity firm Palo Alto Networks said it had blocked more attempts by Iranian hackers to launch data-wiping attacks on more than a dozen Israeli academic organizations and technology providers.
Hamas has its own cyber capabilities that in years past have been used to spy on Israel and Arab governments, according to security experts. But Portnoy said those hackers have been relatively quiet in the latest Israel-Hamas war. (Israeli airstrikes have decimated internet infrastructure in Gaza.)
US officials say they have tightened an already close relationship with Israel in cyberspace since the Hamas assault by sharing intelligence on any cyber threats as soon as they emerge. FBI Director Christopher Wray is concerned about potential escalation in cyberspace.
“The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands, as will the threat of kinetic attacks,” Wray told a Senate panel Tuesday.
US officials “have not identified a change in the threat environment facing American organizations,” Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency, said in a statement to CNN, but “we remain on heightened alert.”
US officials’ concern is in part due to what they see as the reckless and unpredictable nature of Iranian cyber operations compared with other digital adversaries. The FBI has accused Iranian government-backed hackers of an attempted hack of Boston Children’s Hospital in 2021, which did not endanger patients but nonetheless alarmed US officials. Tehran denied the allegation.
In recent weeks, US officials have been preparing for a similar scenario in which Iranian hackers conduct a disruptive attack on US critical infrastructure, a senior US official told CNN, speaking on the condition of anonymity because they were not authorized to speak to the press.
“There is a gap between their [cyber] capabilities and their rhetoric,” the official told CNN, referring to Iran-backed hackers. “But we know they are rather reckless and not savvy to do things in a tailored way.”
CNN made multiple attempts to reach the Iranian Permanent Mission to the United Nations for this article but did not receive a response.
The maturation of Iran’s cyber program
Many of the recent hacking attempts against Israeli and US organizations in support of Hamas were claimed by self-described “hacktivist” groups that in reality appear to be Iranian fronts, experts at US cybersecurity firms Mandiant and CrowdStrike told CNN.
“Even the successful, real cyberattacks are probably not going to be about the actual attack,” John Hultquist, Mandiant’s chief analyst, told CNN. “It’s not about the practical effects. It’s about the psychological effects.”
Someone claiming affiliation with one such group, dubbed Soldiers of Solomon, emailed this CNN reporter on October 20 to promote their alleged hack of security cameras in a city in southern Israel.
The alleged hacker also asked for the contact information of other reporters because “it’s an emergency to let them know we are becoming viral.”
Portnoy told CNN that Israel believes that Soldiers of Solomon is backed by Iran’s Islamic Revolutionary Guard Corps, an assertion that multiple cybersecurity researchers said they agreed with but would not comment publicly on out of fear of retribution.
In the information war accompanying Israel’s invasion of Gaza, the online personas allow Iran to blend in with a slew of other pro-Palestine hackers, said Adam Meyers, CrowdStrike’s senior vice president of intelligence.
The Iranians can “just spin up a new persona, with new” tactics, techniques and procedures and “that way they don’t burn any of the [other cyber operations] that they were already doing,” Meyers told CNN.
While China and Russia often get more attention in US cyber policy circles, Iran has over the last decade steadily built a stable of hackers who often work as contractors for the Islamic Revolutionary Guard Corps and Iran’s intelligence ministry, according to US officials and outside experts.
Israeli cybersecurity firm Check Point last week exposed an alleged long-running Iranian cyber-espionage campaign that compromised governments, IT and financial firms across the Middle East, including in Israel.
While the hacking effort predated the latest war in Gaza, it could potentially provide Tehran with intelligence on how regional governments are responding to the war.
This campaign is “maybe the most sophisticated we have seen from Iran on a technological level,” Sergey Shykevich, threat intelligence group manager at Check Point, told CNN.