How Iranian cyber ops pivoted to target Israel after 7 October attacks

Microsoft has shared new intelligence on how Iranian government-aligned threat actors have turned their fire on Israel over the past four months

Alex Scroxton,
Security Editor

Published: 07 Feb 2024 15:00

Four months to the day after a Hamas incursion across the Israeli border in Gaza sparked a war that has resulted in the deaths of thousands of Israelis and tens of thousands of Palestinians, Microsoft has shared new intelligence on how threat actors linked to or backed by the government of Iran have ramped up offensive cyber operations against Israel.

Iran, which is an ally of Hamas, has launched a series of cyber attacks and influence operations intended to support its proxy and weaken Israel, its allies and business partners, much of them conducted in a hasty and chaotic fashion.

“Contrary to some claims of Iranian state media, Iranian cyber and IO [influence operations] actors were reactive in the initial phase of the Israel-Hamas war,” wrote Clint Watts, general manager of the Microsoft Threat Analysis Centre (MTAC).

“MTAC observed Iranian state media issuing misleading details of claimed attacks and Iranian groups reusing dated material from historical operations and exaggerating the overall scope and impact of claimed cyber attacks. Three months on, the preponderance of data suggests Iranian cyber actors were reactive, quickly surging their cyber and influence operations after the Hamas attacks to counter Israel.

“Since the outbreak of the Israel-Hamas war on 7 October, Iran has increased its influence operations and hacking efforts against Israel, creating an ‘all-hands-on-deck’ threat environment,” he said.

“These attacks were reactive and opportunistic in the early days of the war, but by late October, nearly all of its influence and major cyber actors were targeting Israel. Cyber attacks became increasingly targeted and destructive, and IO campaigns grew increasingly sophisticated and inauthentic, deploying networks of social media ‘sock puppet’ accounts.”

However, Watts said that Iran’s work on Hamas’s behalf seemed to be as much about giving the appearance of having global influence as it is about having a concrete, damaging impact, noting that it was likely Iranian advanced persistent threat (APT) groups may use similar tactics against the upcoming US presidential elections.

Iranian cyber tactics in the Gaza war

According to MTAC, Iran’s cyber-enabled influence operations have moved through three key stages since 7 October. Its report dubs these phases thus:

Reactive and Misleading;
All-Hands-on-Deck;
Expanded Geographic Scope.

In the first phase, Iran leveraged pre-existing access, such as the reach of state-affiliated broadcasters such as the Press TV network – banned in the UK since 2012 – but tended to rely on older material for leaks, made minimal use of sock puppets, and held back from bulk SMS or email campaigns.

Some standouts from this first phase include claims from an Iranian Revolutionary Guard Corps (IGRC)-linked news agency, Tasnim, alleging a group called Cyber Avengers (which does exist) had attacked Israeli power infrastructure during the 7 October incursion. The evidence presented was weeks-old reporting of power outages and a screenshot of an undated outage on the supposed victim’s website.

Another operator, known as Malek Team, likely run by Tehran’s Ministry of Intelligence and Security (MOIS), leaked data stolen from an Israeli University on 8 October, but this data had no real relevance to what was happening in Gaza at that point, suggesting the targeting was opportunistic and based on pre-existing access.

By the middle of October, Iran was moving on to the second phase, during which MTAC observed a near-doubling in the number of groups targeting Israel, and a shift to destructive and occasionally coordinated attacks against the same targets that incorporated pro-Hamas messaging.

Custom malware

One particularly notable incident on 18 October saw the IRGC-backed Shahid Kaveh operator deploy custom malware against security cameras in Israel. It then used a persona called Soldiers of Solomon to falsely claim it had ransomed security cameras and data at the Nevatim Air Force Base, a large facility near Beersheba in the southern Negev Desert. However, closer examination of the leaked footage showed it was taken from a Nevatim Street located in a town north of Tel Aviv, not the airbase at all.

On the IO side, the use of sock puppets soared – many of them repurposed – as did bulk SMS and email campaigns, and the Iranians began to ramp up impersonation of Israeli and Palestinian activists.

The third phase of activity began in late November, when the Iranians started to extend their cyber-enabled influence beyond Israel to target countries friendly to Israel and/or hostile to Iran. This aligned with the Yemen-based, Iran-backed Houthis ramping up their attacks on shipping in the Red Sea.

Two particularly notable incidents stand out here, one targeting a number of institutions in Albania on Christmas Day – which may seem a strange choice of target at first, but remember that Albania actually cut diplomatic ties with Iran in 2022 over a cyber attack.

Other attacks targeted Bahraini government and financial institutions, Bahrain being a signatory to the 2020 Abraham Accords that normalised relations between Israel and some Arab states, and critical national infrastructure (CNI) in the US, including the late-November incident targeting Israeli-made programmable logic controllers at the Municipal Water Authority of Aliquippa, Pennsylvania.

What does Iran want?

Iran has four key objectives in its ongoing campaign to undermine Israel and its supporters, cause confusion and damage trust, said Watts.

The first of these objectives is to open and exacerbate domestic political and social rifts, for example, focusing on divisions that have arisen over how the Israeli government has approached trying to recover the hostages held by Hamas.
The second is to retaliate against Israel, the Cyber Avengers group has specifically targeted Israeli CNI in response to Israel’s attacks on such facilities in Gaza, citing the old biblical adage of “an eye for an eye”.
The third is to intimidate Israeli citizens and threaten the families of soldiers serving in the Israeli Defence Force.
The fourth is to undermine global support for Israel, often by highlighting the undeniable devastation Israel has wrought in its response.

“We assess that the progression shown so far in the three phases of war will continue,” he wrote. “Amid the rising potential of a widening war, we expect Iranian influence operations and cyber attacks will continue to be more targeted, more collaborative and more destructive as the Israel-Hamas conflict drags on. Iran will continue to test redlines, as they have done with an attack on an Israeli hospital and US water systems in late November.

“The increased collaboration we have observed between different Iranian threat actors will pose greater threats in 2024 for election defenders who can no longer take solace in only tracking a few groups. Rather, a growing number of access agents, influence groups and cyber actors makes for a more complex and intertwined threat environment.”

Read more on Hackers and cybercrime prevention

US sanctions Iranians behind CNI cyber attacks