Iran’s electronic confrontation with Israel

ZIV HOSPITAL is nestled at the bottom of Safed, the highest city in Israel, not far from the border with Syria and Lebanon. In November the hospital acknowledged that hackers had penetrated its computer systems. An Iran-backed hacking group would later claim to have gained access to 500 gigabytes of patient data, including 100,000 medical records linked to Israeli soldiers. That is hardly unusual. Hackers regularly target and breach hospitals, usually to extort ransoms.

The digital assault on Ziv, however, embodied the cyberwar raging between Israel and its enemies in the aftermath of Hamas’s massacre of Israelis on October 7th. The attack was novel in several respects, says Gaby Portnoy, the head of the Israel National Cyber Directorate (INCD), the country’s defensive cyber-agency, in an interview with The Economist. For one thing, it was a joint operation conducted by Iran and its ally Hizbullah, the militia and political party that dominates Lebanon. “They didn’t work so well together until October 7th,” he says. “We now see them…exchanging targets, exchanging capabilities. They are almost the same.”
The choice of target also broke with the past. Iran and Hizbullah had not previously attacked Israeli hospitals, says Mr Portnoy, a retired brigadier-general. After October 7th Ali Khamenei, Iran’s supreme leader, ordered cyber-operations against Israel to be expanded, he says, citing Israeli intelligence. The result has been a barrage both more intense and more refined.
The rate of cyberattacks against Israel rose three-fold after October 7th. Iranian ones have grown more sophisticated, with less spillover beyond the intended target. “They are more accurate, they collect better intel and they go to the right places,” says Mr Portnoy. “They know more about Israel, sometimes, than we do.” Previously it would take Iran weeks to exploit software vulnerabilities that had become public, he adds. That has fallen to days.
None has succeeded in disrupting Israel’s critical infrastructure, such as power or water systems, in part thanks to digital sensors placed inside the networks of crucial facilities after October 7th. Most of the intrusions are, in essence, a form of harassment rather than anything resembling an armed attack. Some are meant for espionage rather than subversion. But many are also a form of information warfare.
Some Iran-linked hackers have masqueraded as the families of hostages captured by Hamas, with the aim of widening divisions in Israeli society. Iranian hackers have developed a sophisticated understanding of Israel’s social and political fractures, notes a recent study by the Institute for National Security Studies in Tel Aviv, with separate messages aimed at proponents and opponents of the war.
In some cases, hackers intending to frighten Israelis need not even hack anything, notes James Shires of the European Cyber Conflict Research Institute. For example, an Iranian group leaked footage purporting to be from outside Israel’s Nevatim air base. It was, in fact, from an unrelated site on a road of the same name in northern Israel. “You get the effect by getting attention on it,” he says.
Hamas itself, apart from some early hacking of surveillance cameras in Israel, has been almost irrelevant as a cyber force since December, says Mr Portnoy. He chalks that up to Israel’s war in Gaza, which has disrupted the group’s hackers as well as its fighters. More broadly, Mr Portnoy, a veteran of Unit 8200, an elite intelligence unit that conducts offensive cyber-operations, acknowledges that protecting Israel’s computer networks requires penetrating enemy ones: “You cannot do defence without offensive acts.”
That is partly to identify the sources of attacks. But it is also to punch back. Consider Predatory Sparrow, a hacking group suspected to be a front for the Israeli government. In 2021 it disrupted the rail network and petrol stations across Iran, and hacked into digital billboards to display messages mocking Mr Khamenei. A follow-up in 2022 damaged three Iranian steel factories, spewing molten steel across the floor of one plant. In December it struck again, bringing down 70% of the petrol stations in Iran, declaring: “This cyberattack comes in response to the aggression of the Islamic Republic and its proxies.”
Israeli officials do not publicly acknowledge their role in these attacks. But Mr Portnoy insists that Israel shares the same “norms and values” as Western offensive cyber-agencies. “We will not do things that our enemies are doing to us,” he says. “We are very concerned not to harm people, not to influence civilian life too much.” Predatory Sparrow attacks—unlike Russian or North Korean attacks on critical infrastructure in the past—show signs of restraint and careful design, notes J.D. Work of the National Defence University in Washington. He cites features that prevent the malware from spreading to unrelated networks and the decision to use “well-known, extensively documented” tools rather than novel ones, which could result in the proliferation of advanced cyber capabilities.
The result is a lopsided cyberwar of “very unequal actors”, says Mr Shires. Israel has repeatedly shown it can do spectacular harm to the computer networks controlling some of Iran’s key infrastructure. Despite its progress, Iran’s capabilities are “not much better than mid-level organised crime gangs”, says a source. Israeli officials fear that could change suddenly. Iran has provided drones, shells and other arms to Russia for use in Ukraine; a concern is that Russia might reciprocate with cyber tools or know-how.
That would be a surprise. Russia has long used those tools to snoop on Iran itself, sometimes cannily pocketing intelligence that has been collected by Iranian spies. Even so, the lack of precedent does not reassure Israeli officials. “Iran,” says Mr Portnoy, “in a click of a button could have superpower capabilities”.