Behind the bombs: the Israel-Iran cyberwar

Images of rocket trails, explosions, and destruction were broadcast worldwide, but a quieter war in cyberspace was also being waged, and it was no less important


While the world watched open-mouthed at the volleys of missiles launched by Israel and Iran at one another during their '12-Day War' in June, another battle was being waged that drew hardly any attention: a parallel Israel-Iran war in cyberspace.

The cyberwar considerably predates this recent military conflict. Few can trace its origins, but in 2010, news emerged of malicious code striking Iran's Natanz nuclear facility, reportedly destroying around 1,000 centrifuges used to enrich uranium. It was the first publicly known cyberweapon to cause physical damage, and its name was Stuxnet.

For the first time, software, not bullets or bombs, was being used to cripple the strategic infrastructure of a sovereign state. A sophisticated worm that spread through infected USB drives and Windows flaws before manipulating the Siemens controllers driving the centrifuges, Stuxnet is widely reported to have been developed jointly by Israel and the United States under an operation code-named 'Olympic Games.' It became the best-known evidence of Israel's cyber doctrine, a strategy predicated on pre-emptive cyber strikes, using digital tools to obstruct adversaries' nuclear and scientific advances without resorting to conventional warfare. It also exposed a long-running cyberwar between Israel and Iran.

Arms of the state

Targets include not just nuclear or military installations but critical infrastructure (such as energy grids, water supplies, and transportation networks), financial systems, and state institutions. In this, Iran soon established itself as a major player, deploying numerous advanced persistent threat (APT) groups for large-scale espionage operations. Among the most notable are APT33, APT34, APT39 and APT42.

Some APTs have been linked to Iran’s elite Islamic Revolutionary Guard Corps (IRGC). Each has a distinct methodology and area of focus, but all advance Iran’s strategic interests. They function as an arm of the Iranian state. Some report to military units, while others report to the Quds Force or the Ministry of Intelligence. Their targets are not confined to Israel and the US but extend to the Gulf states and Europe.


These groups frequently target sectors such as telecoms, energy, and aviation. They also monitor dissidents, academics, and journalists, both within Iran and beyond. Tehran's investment is not just for defensive purposes, but also for offensive ones. Highly trained teams infiltrate enemy networks and operate undetected, often for extended periods, and often deep within their adversaries' digital infrastructure.

Among the most prominent is APT33, which targets aviation and energy and has attacked companies across the US and Europe. APT34 (also known as OilRig) targets banking, energy and telecoms companies. APT39 specialises in surveillance, particularly through telecoms providers, and monitors Iranians abroad, while APT42 monitors Iranian journalists, activists and academics, as well as Western research institutions concerned with Iranian affairs.

Israel's Unit 8200

Israel is no cyber slouch, either. It has developed formidable capabilities, spearheaded by Unit 8200, the signals-intelligence and cyber arm of its Military Intelligence Directorate, which ranks among the world's leading units of its kind. It has been credited with infiltrating Iranian systems, planting malware, and leaking sensitive data to cause disruption, embarrassment, or uncertainty within Iran's security and political institutions.

Israel's elite technical intelligence division, Unit 8200, integrates AI into intelligence analysis and strategic military planning to help track the whereabouts of adversaries such as Hamas leaders by using technology such as voice analysis, facial recognition, Arabic-language monitoring, and chatbot-based applications.

Unit 8200 is reported to collaborate with big US tech firms such as Microsoft, Google, and Meta on tools like 'Lavender' (used for military target identification) and on linguistic monitoring software designed to gauge public sentiment in the Arab world. Both Israel and Iran now treat cyber capabilities as core elements of their defensive and offensive strategies.

Drones fly past a damaged building at the site of an Iranian missile strike on Israel. (Photo: Reuters)


Targets and strategy

Cyberattacks are no longer mere preludes to physical conflict; they are a fundamental component of modern warfare, used to deliver remote strikes, sever communications, obstruct coordinated responses, and sow chaos. Key individuals are targeted with spear-phishing, vulnerabilities in internet-facing servers are exploited, and bespoke malware is deployed.

Iran's cyber objectives appear to prioritise intelligence-gathering on high-value targets over direct, destructive assaults on Israeli digital infrastructure. Following Israel's military offensive from 13 June, Iran orchestrated a series of coordinated cyberattacks via groups linked to the IRGC, chief among them the 'Cyber Avengers.'

Alongside other cyber units, it targeted Israel's digital infrastructure, including broadcasting platforms and government servers, temporarily disrupting Israeli radio stations. Other groups issued warnings transmitted via encrypted channels to Jordan and Saudi Arabia, urging them against supporting Israel, and threatening to attack their digital infrastructure if they did.

The new battlefield

Iran's strategy is to employ non-state cyber groups as digital proxies. It knows that the confrontation is no longer confined to land, sea, and air, but is also being waged online, with fibre-optic cables the new battlefield and viruses the new tanks.

Disinformation campaigns, including the distribution of fabricated 'news', are increasingly a feature of this space. False warnings of imminent emergencies, such as fuel shortages or explosions, have been pushed by various Iranian actors mimicking the official communications from Israel's Home Front Command, in a bid to incite panic, rather than disrupt systems or steal data.


Washington regards Iran's cyber operators as a threat to its own critical infrastructure. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently warned of the growing threat posed by cyber groups believed to be linked to Iran, with the American water and energy sectors among the primary targets.

Intelligence reports note a sharp increase in cyber operations carried out by 'hacktivist' groups since 2022 (when Russia invaded Ukraine) and 2023 (when Hamas attacked Israel). The Cyber Avengers (who style themselves CyberAv3ngers) first drew attention in September 2023, claiming to have disrupted Israel's railway network systems, a claim later shown to be false. The group reappeared a month later, alleging successful cyberattacks against an Israeli power grid and a small municipality (Yavne), a claim that was again shown to be false.

Systems breach

Finally, on 25 November 2023, it was 'third time lucky,' as a municipal water authority in the US disclosed that the Cyber Avengers group had breached its industrial control systems by seizing control of a Unitronics programmable logic controller (PLC), the small ruggedised computer that runs a pump or valve and presents a touchscreen interface to operators. Unitronics is an Israeli company specialising in industrial automation systems.

Cyber Avengers modified the device's interface to display anti-Israel messages. Investigators believe it did so by scanning the internet for Unitronics devices exposed on inadequately protected networks, then logging in with default passwords published in the vendor's operational manuals.

Although the impact of the breach was limited, it highlighted a global threat, particularly since the devices are used in critical sectors such as water, energy, and agriculture. In response, CISA urged operators to change the Unitronics factory default password ('1111'), require multi-factor authentication for any remote access, take the devices off the open internet and place them behind firewalls (and, where exposure cannot be avoided, move the PLC's management service off its default TCP port 20256), back up settings and programs to speed recovery from an attack, and keep industrial control systems updated.
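The CISA checklist above and the scanning behaviour that preceded the breach both reduce to checks an operator can run. The following is an added example written for this page, not code from the article, CISA or Unitronics. It encodes two documented facts (the factory default password '1111' and the default PCOM management port TCP 20256), while the asset-inventory schema, the firewall log format and every address and device name in it are constructed for illustration and are assumptions, not real data.

```python
"""Audit helpers for the exposed-PLC pattern described above.

Added example, not code from the article, CISA or Unitronics. Documented
facts: the Unitronics factory default password is '1111' and the PCOM
management service listens on TCP 20256 by default (CISA/FBI advisory).
The inventory schema and the firewall log format are constructed and do
not match any real product's output.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_PASSWORD = "1111"   # Unitronics factory default (documented by CISA)
PCOM_DEFAULT_PORT = 20256   # default PCOM management port (documented by CISA)

# RFC 1918 ranges; anything else is treated as "the open internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside an RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class PlcRecord:
    """One device from a constructed asset inventory (hypothetical schema)."""
    name: str
    address: str
    password: str
    listen_port: int
    internet_reachable: bool
    remote_access_enabled: bool
    mfa_for_remote_access: bool
    config_backed_up: bool


def audit_plc(rec):
    """Map one inventory record onto the CISA mitigations it still needs."""
    findings = []
    if rec.password == DEFAULT_PASSWORD or len(rec.password) < 8:
        findings.append("change-default-password")
    if rec.internet_reachable:
        findings.append("remove-from-public-internet")
    if rec.listen_port == PCOM_DEFAULT_PORT:
        findings.append("change-default-pcom-port")
    if rec.remote_access_enabled and not rec.mfa_for_remote_access:
        findings.append("require-mfa-for-remote-access")
    if not rec.config_backed_up:
        findings.append("back-up-logic-and-config")
    return findings


# Constructed log format: "<ts> <host> ACCEPT|DROP TCP src=IP:port dst=IP:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) TCP "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def external_pcom_connections(log_lines, pcom_port=PCOM_DEFAULT_PORT):
    """Return (ts, src, dst) for every ACCEPTed connection to the PCOM port
    whose source is outside RFC 1918 space, i.e. arrived from the internet.
    That exposure is exactly the precondition the attackers relied on."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT" or int(m["dport"]) != pcom_port:
            continue
        if is_internal(m["src"]):
            continue
        hits.append((m["ts"], m["src"], m["dst"]))
    return hits


def scanning_sources(hits, min_targets=2):
    """Sources that reached several distinct PLCs: the signature of a sweep
    rather than one misdirected connection."""
    targets = defaultdict(set)
    for _, src, dst in hits:
        targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


# --- constructed sample data (not from any real incident) -----------------
EXPOSED_PLC = PlcRecord("lift-station-3", "10.20.0.15", "1111", 20256,
                        internet_reachable=True, remote_access_enabled=True,
                        mfa_for_remote_access=False, config_backed_up=False)
HARDENED_PLC = PlcRecord("lift-station-4", "10.20.0.16", "t8!Qz#4vLp2w", 48001,
                         internet_reachable=False, remote_access_enabled=True,
                         mfa_for_remote_access=True, config_backed_up=True)

SAMPLE_LOG = """\
2023-11-25T03:14:07Z fw1 ACCEPT TCP src=198.51.100.23:51744 dst=10.20.0.15:20256
2023-11-25T03:14:09Z fw1 ACCEPT TCP src=198.51.100.23:51745 dst=10.20.0.16:20256
2023-11-25T03:14:11Z fw1 ACCEPT TCP src=10.20.0.5:40211 dst=10.20.0.15:20256
2023-11-25T03:14:30Z fw1 DROP TCP src=203.0.113.9:60001 dst=10.20.0.15:20256
2023-11-25T03:15:02Z fw1 ACCEPT TCP src=203.0.113.77:44000 dst=10.20.0.15:443
""".splitlines()

if __name__ == "__main__":
    for rec in (EXPOSED_PLC, HARDENED_PLC):
        print(rec.name, audit_plc(rec) or ["ok"])
    hits = external_pcom_connections(SAMPLE_LOG)
    print("external PCOM connections:", hits)
    print("sweeping sources:", scanning_sources(hits))
```

Run against the constructed log, only the two accepted connections from 198.51.100.23 are flagged: the internal operator connection, the dropped probe and the HTTPS session are ignored, and the same source touching two PLCs is reported as a sweep. The inventory check deliberately uses an explicit RFC 1918 list rather than Python's `is_private`, which also treats the documentation ranges used in the sample as private and would otherwise hide the hits.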


As public utilities come to depend on networked control systems, drastic defensive measures sometimes follow. On 18 June, five days after Israel began its bombing, Iran enacted an unprecedented measure: it severed its connection to the global internet to defend against what it described as a wave of Israeli cyberattacks.

In the hours that followed, internet speeds across Iran plummeted, culminating in a near-total blackout of access to the global web. This prevented the use of messaging platforms, navigation services, and essential digital utilities. Authorities urged Iranians to delete WhatsApp (a US-owned messaging application) and banned Telegram, another messaging app. Both were accused of facilitating espionage (allegations strongly denied by Meta and Telegram).

Targeting the money

A hacking group known as 'Predatory Sparrow' claimed responsibility for disabling the services of Bank Sepah, a state-owned Iranian bank believed to support the IRGC. The attack severely disrupted the bank's digital operations and corrupted vast amounts of data, crippling its ability to deliver essential services. Local media reported that numerous ATMs across Tehran were rendered inoperative the following day.

Nobitex, Iran's largest cryptocurrency exchange, was also targeted. Reports confirmed that a major breach resulted in the theft of assets valued at around $90mn, leading Nobitex to suspend its operations. In a statement released in Farsi on X, the group claimed it targeted Nobitex because the company allegedly helped Iran evade international sanctions.

In the wake of these developments, Iran's cybersecurity command barred government officials and security personnel from using devices connected to public networks or communication systems. According to the Iranian news agency Mehr, this is part of broader efforts to bolster cyber defences and safeguard sensitive state information.


A reported 700% increase in Iranian cyberattacks on Israeli entities, from denial-of-service operations to server intrusions, was accompanied by a notable physical attack on Israeli technological infrastructure that seemed designed to have an effect in cyberspace: the Iranian missile strike on the Gav Yam Negev technology complex in Beersheba, a hub for military and cyber activities. Footage showed smoke and flames billowing from a building thought to house a Microsoft facility. Microsoft is known to provide advanced cloud computing and AI services to the Israeli military.

Growing vulnerability

Israel's cyberattacks on critical Iranian infrastructure have included disruptions at nuclear facilities and major financial institutions. The ability to inflict such damage inside Iran without direct military engagement reflects a growing reliance on cyber tools to achieve strategic outcomes with minimal physical footprint.

Iran, for its part, is now believed to be working closely with sophisticated hacking collectives, enabling it to conduct espionage, disrupt electronic systems, and launch large-scale assaults on banking and commercial systems aimed at destabilising its adversaries' economies.

Both countries are investing heavily in fortifying their cyber defences while expanding their offensive capabilities. Israel seeks to leverage cutting-edge technologies for precision digital strikes, while Iran focuses on strengthening its cyber resilience and expanding the range and reach of its electronic warfare. The result is a highly volatile digital battlefield, one that is becoming increasingly central to the Middle East's geopolitical dynamics.
