Beyond the ceasefire, the Iran-Israel cyber war still rages on

The gloves are off in cyberspace, with Israeli and Iranian actors increasingly targeting their adversaries’ vulnerabilities since the 12-Day War last month. It is forcing a rethink of digital defence.

While the bombs may have stopped flying, the cyberwar between Israel and Iran continues apace.

On 1 July 2025, an Iran-linked hacking group threatened to release 100 gigabytes of emails allegedly stolen from associates of US President Donald Trump, including White House Chief-of-Staff Susie Wiles and longtime advisor Roger Stone. US officials condemned the breach as a politically-motivated smear campaign, but its timing and targets point to a calculated escalation.

The operation appears to be part of Tehran’s response to American support for Israel during the 12-day war last month, in which Iranian commanders, nuclear scientists, and nuclear facilities were all targeted by airstrikes, while Iranian digital infrastructure was targeted by cyberattacks.

On 17 June, Israeli-linked hacktivist group ‘Predatory Sparrow’ disrupted Iran’s state-owned Bank Sepah, which is widely associated with the IRGC. It then hit Nobitex, the country’s largest cryptocurrency exchange, causing a loss of $90mn in assets, in a bid to expose the platform’s alleged role in sanctions evasion and illicit financing.

Digital bombs

While the bombs and missiles have stopped for now, digital offensives remain ongoing, as they have done for years. Both Israel and Iran now treat the digital domain as central to their security strategies, integrating cyber campaigns with military operations and diplomatic positioning.

Israel has developed a sophisticated cyber deterrence strategy, combining precision cyber strikes with robust national defences, coordinated by the Israel National Cyber Directorate (INCD) and Unit 8200, the elite signals intelligence division of the Israel Defence Forces. Known for its role in the Stuxnet virus that damaged Iranian nuclear centrifuges in 2010, Unit 8200 is Israel’s most potent cyber force.

They are complemented by loosely affiliated pro-Israel hacktivist groups, with intelligence firm Cyfirma identifying more than 20 such collectives, including UCC Team, Anonymous Israel, and Red Evils. They typically engage in Distributed Denial of Service (DDoS) attacks and website defacements designed to reinforce Israeli messaging and target Iranian interests in the digital sphere.

Iran, too, has scaled up its cyber capabilities. Following the 12-Day War in June, cybersecurity firm Radware reported a 700% surge in Iranian cyber activity targeting Israel. This includes DDoS attacks, attempted intrusions into infrastructure systems, and even the hijacking of Israeli smart cameras to aid real-time targeting during missile strikes. This represents a clear evolution from passive cyber surveillance to active disruption and psychological warfare.

Digital spillover

Tehran's cyber capabilities are spearheaded by the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC), supported by a suite of advanced persistent threat (APT) groups, including APT34 (OilRig), APT35 (Charming Kitten), and APT33 (Elfin), that are well known for their malware operations, phishing campaigns, and infrastructure sabotage. Disinformation actors, such as Void Manticore, expand Iran's influence capabilities, amplifying Tehran's narratives.

Compounding this threat is Iran's growing digital alignment with Russia, China, and North Korea. These partnerships have equipped Iran with surveillance technologies, ransomware tactics, and AI-driven influencing tools, enabling more complex and globally distributed campaigns. The digital spillover is now acutely visible in the United States. Following the US strikes on Iranian targets on 22 June, pro-Iranian groups have stepped up cyberattacks on American infrastructure and political targets.

Iranian state and non-state actors are targeting Israeli and American infrastructure in the aftermath of the 12-Day War.

In addition to the Trump email breach by a group calling itself 'Robert', pro-Iran hacktivists claimed responsibility for a 1 July ransomware attack on US-based KVE Metals and a service outage at Truth Social (Trump's social media platform) in late June. Financial institutions, utilities, and defence contractors are high-priority targets, and the use of Israeli-origin technologies in some US critical infrastructure could attract or enable retaliatory Iranian cyber activity.

Of particular concern is Iran's focus on upstream software vendors and operational technology (OT) systems, vulnerabilities that can provide long-term undetected access across multiple sectors. The vulnerabilities facing US entities are exacerbated by recent setbacks in cyber governance, including the dismissal of General Timothy Haugh and cuts to federal cybersecurity budgets.

Digital defence

While agencies such as the Department of Homeland Security and Cybersecurity and Infrastructure Security Agency (CISA) have called for heightened vigilance across sectors such as water, energy, and transportation, the private sector remains vulnerable. With US defences under strain, critical systems could be left exposed to increasingly sophisticated, well-funded, and ideologically motivated attacks.

The broader strategic implications of this cyber escalation are sobering, not least because of the blurring boundary between military and civilian targets. Hospitals, banks, and utilities are now considered 'fair game' in asymmetric warfare. The proliferation of semi-autonomous cyber units on both sides increases the likelihood of accidental escalation or miscalculation in a conflict that is increasingly international, drawing in actors far beyond the Middle East.

The Israeli and Iranian militaries both have divisions dedicated to digital weapons, yet there are also Iranian and Israeli hacking groups that do their nations' bidding.

Managing this new era of cyber conflict requires not only improved technical defences but international coordination and a fundamental rethinking of deterrence. For Israel, cyber operations offer a way to exert pressure without full-scale ground war. For Iran, they provide a cost-effective tool to retaliate and test adversary thresholds. But for both, the risk of strategic miscalculation is growing.

The digital front is no longer a secondary theatre of conflict. Cyber tools have become central to how states conduct pressure campaigns, disrupt adversaries, and defend strategic assets. As the digital and physical domains become more tightly linked, cyber resilience must be treated as a critical component of national defence, not only in Tel Aviv and Tehran, but also in Washington, Riyadh, Brussels, and beyond.