From kitchen labs to cyberwars: the rise of Israel's Unit 8200

Al Majalla lays out the evolution of the unit at the heart of Israel’s war machine, highlighting its notable successes as well as some of its catastrophic failures

Al Majalla

On 6 June 1967, the second day of the 1967 war and hours after the Israeli air force had dealt a crippling blow to the Egyptian Air Force, a small Israeli unit intercepted a crucial call between then Egyptian President Gamal Abdel Nasser and Jordan’s King Hussein. In the call, Abdel Nasser claimed Egyptian aviation was striking Israel, encouraging Jordan to escalate the conflict—possibly as a way to alleviate the military pressure Israel was putting on Cairo. Abdel Nasser and the Jordanian King also agreed in the call to make another astonishing claim: British and American planes were participating in the attack against Egypt—turning a regional conflict into a global one.

The fabrication was promptly repeated by radio stations in Cairo and Amman, as well as in Syria, and even reached Moscow, as the Egyptian Ambassador to the Soviet Union repeated the claim in what was likely an attempt to drag the USSR into the war. Egypt had signed an agreement with Moscow under which the USSR would intervene in Egypt’s favour should the US participate in a war on Israel’s side.

After much hesitation, and despite the furious opposition from the head of Israel’s Military Intelligence, the (then) Israeli Defence Minister Moshe Dayan took a bold decision. Hours after being intercepted, the conversation was released on the airwaves of Israel’s military radio.

Defence Minister Moshe Dayan's decision to broadcast this conversation publicly marked the first time Israel revealed an intercepted communication, demonstrating the unit's capabilities while potentially compromising future operations. It also marked the first public success of Unit 515—a nascent but increasingly critical unit within Israel’s Military Intelligence (AMAN). The unit, in charge of Signal Intelligence (SIGINT), would be renamed several times and expanded to include multiple key domains such as cyber warfare.

Today, the unit at the heart of Israel’s war machine is casually referred to in Hebrew as Shmone Matayim or 8200. Here, I lay out some of its most notable successes as well as some of its catastrophic failures.

Humble beginnings

Unit 8200 wasn’t always the powerhouse it is today. Just years before the interception of the conversation between President Abdel Nasser and King Hussein, Unit 515, as it was known then, had also managed to crack the code protecting communications between Abdel Nasser and Egypt’s military Chief of Staff, Abdel Hakim Amer, only to be disregarded, thus missing critical intelligence that would have helped identify Egyptian manoeuvres in Sinai in the 1960s. The unit did not have the capabilities it has today, and Israel was still relying mostly on human rather than technical intelligence.

The unit itself had even humbler beginnings, starting as a small interception cell responsible for monitoring military communications during the British Mandate. After the creation of the state of Israel, the unit was formalised into Shirut Modi’in 2 or Shin Mem 2 as part of the Israeli army. Over time, it expanded its operations from a small two-floor building in Jaffa to several nearby buildings.

The ground floor of the building would later serve to host the unit’s first IBM computer, used by the “deciphering team” to crack encrypted codes. Initially, the deciphering team was using pen and paper until the arrival of the first computer. The computers would later be enhanced through an initiative by the Weizmann Institute, marking one of the first times the unit put its own twist on Western technology. In the early 1960s, when the unit’s first technical lab was created, it had to be hosted in the kitchen of the Jaffa house.

By the time of the 1973 war, the unit had been reshaped entirely, boasting more than 3,000 soldiers and multiple listening posts positioned across Israel, particularly focusing on Egyptian and Syrian communications. Yet the unit experienced its first major failure after it didn’t inform the Israeli political and military leadership of the upcoming Egyptian and Syrian surprise attack during the Jewish holiday of Yom Kippur—despite intercepting a telegram sent by the Soviet Union to its regional embassies warning of the need to evacuate Soviet expatriates due to the coming attack.

AFP
Israeli Chief of Staff David Elazar (2nd R) and later Israeli Premier Yitzhak Rabin (L) land near frontline positions on the Golan Heights during the 1973 October War on October 9, 1973.

Fifty years later, during Hamas’s October 7 attack, the unit would similarly fail to forewarn the Israeli leadership. The 1973 failure was compounded by the capture of one of the unit’s members during an initial assault by Syrian paratroopers against a military post in the Golan Heights. The capture provided Damascus with precious insights into the unit's functioning, necessitating a complete restructuring and ultimately giving the unit its current name: Unit 8200.

For decades, the name of what would become the largest unit in the Israeli army would only be whispered. However, around the beginning of the 2010s, the unit’s successes became too significant to ignore, attracting considerable attention. Under the leadership of Amos Yadlin, the head of the Israeli army military intelligence at the time, the unit would prove to be one of Israel’s weapons of choice. The Israeli intelligence community underwent a noticeable evolution, shifting from an initial reliance on human intelligence to a greater emphasis on technical means. This shift largely mirrored that of Israel’s main ally, the United States.

The post-9/11 era accelerated a shift towards mass surveillance, reinforcing interception as the central pillar upon which the US intelligence community is built. Israel made similar choices, building a massive SIGINT base dubbed “Yarkon” near Kibbutz Urmia, in the Negev Desert. The existence of the base itself was revealed by Le Monde Diplomatique, a French newspaper, in an article titled “Israel’s omniscient ears”, in which the base is described as “among the most important and powerful intelligence gathering sites in the world”.

The tip of Israel's cyber spear

At around the same time, Unit 8200 would very much become the tip of Israel's spear. The unit expanded its operations into cyberspace. This wasn't just an extension of the unit's role to a new theatre; it also gave the unit a different role altogether, as it moved from a more passive role as the Israeli army's primary interception unit to a more proactive role as one of the most proficient cyber weapons used by the Israeli military. Most notoriously, the unit is credited with the making of Stuxnet, under an operation codenamed Olympic Games.

The virus is still regarded as one of the most potent cyberweapons ever created. Used against the Iranian nuclear programme, the virus would undermine the Islamic Republic's nuclear ambitions by (literally) putting it in overdrive, with Iran's centrifuges (used to enrich uranium) suddenly exploding in a chain reaction that left Iranians puzzled as to the cause of the incident. The operation may well be one of the reasons the Israeli leadership decided against striking Iran, at a time when it was considering a more direct attack, the kind of attack Israel did end up carrying out last month.

A variant of the virus, named Duqu 2.0, also infected one of the products of the popular anti-virus brand, Kaspersky. The malware was likely used to spy on talks that preceded the 2015 Iran nuclear deal in Austria, and to discover that Russian state operatives were using Kaspersky's own products as a backdoor to carry out attacks and retrieve sensitive data. The malware used "zero-day exploits" (i.e. it did not require that a user click on a specific link to be infected), in what would become a trademark of Israeli cyber weapons.

A Kaspersky report would note that "the philosophy and way of thinking of the 'Duqu 2.0' group is a generation ahead of anything seen in the advanced persistent threats world", and that the weapon "almost didn't leave traces". In fact, it stayed dormant for months, according to the anti-virus company.

This was not the first time that Unit 8200 developed and carried out operations using cyber weapons. The first such cyber weapon was likely designed and used as early as the 1990s, but by the 2010s, it had become a weapon of choice of the Israeli army, and one of the main ways Israel stayed ahead of its adversaries. Confidence was growing, alongside investments in the cyber sector. Unit 8200's name spread, and it got to choose the crème de la crème of Israeli recruits, while building several programmes meant to train promising candidates ahead of their service.

Reflecting on Israel's newfound cyber dominance in 2018, Prime Minister Benjamin Netanyahu even claimed that it had gained more fame than its US counterpart, the National Security Agency (NSA), saying, "if you don't know what the NSA is (the US collection agency), it's the American unit 8200".

At the same conference, Netanyahu said Israel was punching "200 times above its weight" in cyberspace—an accomplishment he took credit for, as he had ordered the Israeli army to develop programmes that would turn Israel into one of the "top 3" cyber powers in the world. He later claimed that the objective had been achieved, if not surpassed.

The unit even became a societal phenomenon, as more and more of its former members went on to found successful start-ups in both Israel and Silicon Valley. Shmone Matayim would become one of the pillars of Israel's thriving high-tech ecosystem. Entering the elite unit would become a prize for Israel's whiz kids, looking to make a splash in the military but also beyond, to the point where the unit was the target of criticism by some Israeli media over its lack of social diversity, with kids from rich families making up most of its recruits.

Unit 8200 is said to track down possible recruits as early as graduate school, with specific programmes for gifted computer students being monitored to ensure the unit doesn't overlook top performers. The unit is now very far from its humble beginnings, when most of its recruits were poor Jewish immigrants from neighbouring Arab countries, such as Egypt and Iraq.

Failures and successes

For all of its swagger, the unit hasn't been immune to failures, the most significant of which was its failure to alert the Israeli leadership regarding the coming October 7 attacks. The failure was made even worse when investigations showed the Hamas plan had in fact been detected a year ahead of time and even given a Hebrew name ("Walls of Jericho").

The plan was dismissed as a Hamas daydream, despite warnings from some operatives within Unit 8200 highlighting that Hamas had been carrying out military exercises that were very similar to the plan the Israeli army had discovered. An interception system that helped spy on the Hamas leadership in Gaza was sidelined over claims that it failed to provide high-value intelligence that couldn't be secured elsewhere. A senior officer dubbed "V" kept following up on those signs and emailing her superior, but was dismissed again and again.

The failure has shaken the unit. Quietly, the new Israeli Chief of Staff, Eyal Zamir, has replaced around a dozen high-ranking members of the unit, amidst quiet criticism of the way senior leaders of the unit had been appointed (namely, being parachuted from other units, rather than rising through the ranks of the Israeli military intelligence). The unit, built on fusing human ingenuity and technological prowess, may have come to put too much emphasis on the latter, at the expense of the former.

Technology didn't fail on October 7 so much as the more traditional cycle of intelligence, as evidence of the upcoming attacks failed to reach the top, most likely because the leadership of the unit and the broader military intelligence believed Hamas was deterred.

This failure is paradoxical, considering the unit prides itself on fostering a "think outside the box" attitude and "always question authorities" mentality, which should have prevented the kind of misconceptions that led to this massive mistake. But historically, the unit managed to emerge stronger from its own failures, including that of the 1973 war—a catastrophe quite similar to that of October 7.

Since then, the unit has also participated in Israel's successes. It is likely that the "beeper" operation that killed and maimed Hezbollah members, as well as anyone standing in proximity, ahead of a ground offensive by the Israeli army, was partly incubated within the 8200 weapons laboratory.

A wave of cyber-attacks—the full scope of which remains unclear so far—and the ability to build an accurate map of Iran's air defences and chain of command, as well as to pinpoint the location of Iranian commanders, were likely behind Israel's stunning opening move in Operation Rising Lion (the attack against Iran that began on 13 June). Iran must have taken note, as it sought to strike the headquarters of Unit 8200 in northern Tel Aviv.

The unit is entering another "golden age", one that may feel like a "Black Mirror" episode, as it fuses military capabilities with developments in AI. Using several new programmes, such as Gospel, an AI-assisted programme that provides possible targets for strikes by using different types of collection tools, the Israeli army has increased its firing power.

However, critics say the pressure to do so mechanically increases the risk of causing collateral damage and civilian casualties. The unit, which began almost literally in the kitchen of a nondescript house, is now at the forefront of a new form of modern warfare that has become as sophisticated as it is ruthless.
