The brief kinetic conflict between the two Middle Eastern powers may have turned into a simmering peace, but the digital frontlines remain contested.
The drones, rockets, and bombs have fallen silent following 12 days of conflict between Israel and Iran, particularly after the dramatic high-explosive intervention of the United States.
But one front remains hotly contested.
Cyber activity peaked during the crisis, with both sides engaging in cyber espionage and warfare, backed by hacktivist groups and other alleged allies. However, while it’s obvious that kinetic operations have ceased, cyber operations are harder to judge.
“It’s very difficult to assess what cyber capabilities remain intact on both sides after the end of hostilities – it’s possible that many assets were either exhausted or compromised and are now off the table,” Dr Avi Davidi, Senior Research Fellow at the Jerusalem Institute for Strategy and Security, told Cyber Daily as the conflict was winding down.
“In addition, the understandings that led to the ceasefire may include an informal or explicit prohibition on significant cyber attacks. That said, both sides might still choose to carry out cyber operations as a way to signal that hostility is far from over. In other words, we may see cyber influence operations but not ones intended to cause real damage.”
Hacktivists and other ideologues
In fact, a raft of apparently pro-Palestinian hacktivist groups have continued to go after targets in Israel, particularly the Handala group. However, not all hacktivist groups are what they seem, and Handala is a perfect case in point.
“We often see groups that present themselves as, for example, Arab hacktivist collectives, but in reality are Iranian-run entities masquerading as something else. One such example is the ‘Handala’ group, which claims to be a pro-Palestinian ideological outfit, but has been linked in open-source reporting to Iranian cyber units. In these cases, hacktivist groups are essentially just fronts for state operations,” Davidi said.
As is often the case, however, war can make for strange bedfellows. The leftist hacking group Mujahedin-e-Khalq has no connection to Israel, but the two share similar degrees of animosity towards Iran. MEK, as the group is also known, is therefore taking cyber potshots at the Iranian regime at the same time Israel is, though the two are far from partners – quite the opposite, in fact.
“In other cases, states may recruit or coordinate with civilian hackers to execute simple attacks, like large-scale DDoS operations. The pro-Russian group NoName057(16), for example, recruited volunteers and even developed tools for them – likely serving as a front for Russian intelligence. It’s not far-fetched to assume Iran would employ similar methods,” Davidi said.
“The line between state-sponsored and independent activity is very blurry, and often we can’t distinguish between them based solely on public reporting.”
State-based activity
While hacktivists continue to muddy the waters between state-based cyber activity and criminal hacking, both sides of the conflict rely upon broad cadres of military cyber units and other “in-house” operators as well as politically motivated hacking collectives. All of these assets were in play during the brief conflict between the two nations.
“The tactics of pro-Israeli and Iranian actors are quite different, though their end goals often overlap. Both sides have been involved in cyber attacks that largely avoid targeting strictly military infrastructure or assets that directly support military capabilities. Instead, we see attempts to hit civilian infrastructure – civilian companies, banks, crypto exchanges, telecom firms, and more,” Davidi said.
“The aim of these attacks, which are essentially cyber influence operations as they currently appear, is to spread fear and push the civilian population to oppose the war effort. Both in Israel and Iran, there’s a recognition that public opinion can be a strategic factor in shaping the adversary’s decisions, thus the focus on civilian targets. These are generally non-lethal attacks and don’t result in casualties, which makes them relatively ‘legitimate’ in the context of actions against civilians.”
However, while the goals may be similar, the resources available to each side have the inevitable effect of shaping the tactics, techniques, and procedures of the operators.
“One key difference is in the timing and organisation. The Iranian system was caught off guard by the Israeli offensive and is now responding with ‘off-the-shelf’ capabilities – essentially, using whatever tools are readily available. This is true for both missile and drone operations as well as in cyber space,” Davidi said.
“Pro-Iranian cyber groups are striking whatever they can, often without any coherent strategic logic. In contrast, pro-Israeli cyber operations seem more targeted, with publicised attacks on financial institutions in Iran that are likely to inflict more severe damage. These attacks align with other strategic objectives – undermining the regime’s stability by targeting fuel depots, regime symbols like state media, Evin Prison, government ministries, and the cyber police headquarters.”
As Davidi notes, these are hardly high-profile military targets, and certainly have little to do with Israel’s stated war aims of neutering Iran’s nuclear capabilities, but they are “critical pillars of the Iranian regime’s internal control and stability”.
The US wild card
The Trump administration played its hand close to its chest, right up until the moment US missiles and bombers targeted three of Iran’s key nuclear facilities. While this effort may have convinced Iran to back off and given Israel reason to cease its own offensive operations, the US decision to wade into the conflict undoubtedly draws a target on its back.
“In this case, cyber could serve as a tool for Iran to exact a price from the United States. Iran lacks meaningful capabilities to strike American territory directly, and attacking US assets in the Middle East could prove extremely risky for Tehran,” Davidi said.
Of course, that is exactly what Iran did; however, it did so in a more considered manner, giving the US advance warning to minimise casualties, while allowing Iran to at least appear to have responded in kind. Given CISA’s recent warning of an uptick in Iranian cyber activity, though, it’s likely operations will continue on this front – if not immediately, then certainly in the long term.
“Cyber offers Iran a way to hit the US directly (as it has done in the past) without necessarily triggering a harsh American response. Iran could also launch cyber influence operations against the US – for example, similar to its actions during the US presidential elections when it targeted then-candidate Donald Trump,” Davidi said.
“This doesn’t fundamentally change the overall role cyber has played in the conflict so far, but it does provide Iran with an additional means of confronting the United States.”
This article was originally published on Defence Connect, Cyber Daily’s sister brand.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.