On 14 March 2022 Israel came under a cyberattack that hit several government websites on the “.gov.il” domain, which is used by government entities other than the Ministry of Defense. The attack took down several websites, primarily those of the ministries of Interior, Health, Justice, and Welfare and Social Affairs, and the Prime Minister’s Office.
The Nature of the Attack
A Denial-of-Service (DoS) attack flooded the government domain with traffic and access requests, causing several Israeli government websites to go down. A flood of this kind is normally distributed across many sources (a DDoS), which is why it is felt first at the target’s upstream providers: according to the initial reports, the attack was carried out by hacking the servers of two internet providers, Cellcom and Bezeq, that supply connectivity to the Israeli government. A few days after the attack, the affected websites were again reachable not only from inside Israel but also from abroad, as confirmed by the internet watchdog NetBlocks.
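As an added illustration that is not part of the original article, the Python script below shows the first-line check a web front end or upstream provider runs during a request flood of the sort described above: a per-source sliding-window request counter over access-log lines. The log lines, addresses, window length and threshold are constructed for the example and are not data from the incident.

```python
# Added example, not from the original article: a per-source sliding-window
# request counter of the kind a web front end or upstream provider runs as a
# first-line check during a request flood. Log lines, addresses, window and
# threshold are constructed for illustration and are not data from the incident.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "common log format": ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def detect_floods(lines, window_seconds=10, threshold=50):
    """Flag sources that exceed `threshold` requests inside any window.

    Lines are consumed in order, as a live log tail would be, so only the
    timestamps still inside the window are kept per source. Returns
    ({ip: (first_time_flagged, peak_requests_in_window)}, malformed_line_count).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    malformed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1  # never let a garbage line crash the detector
            continue
        ip, ts, _path = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            first, peak = flagged.get(ip, (ts, 0))
            flagged[ip] = (first, max(peak, len(q)))
    return flagged, malformed


def make_sample_log():
    """Constructed sample (not real traffic): one source sends 12 requests per
    second for 10 seconds while two ordinary clients browse normally."""
    base = datetime.strptime("14/Mar/2022:18:15:00 +0200", TS_FMT)
    lines = []
    for sec in range(10):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines += [f'203.0.113.7 - - [{ts}] "GET / HTTP/1.1" 503 0'] * 12
        if sec % 3 == 0:
            lines.append(f'198.51.100.3 - - [{ts}] "GET /services HTTP/1.1" 200 4096')
        if sec % 4 == 0:
            lines.append(f'198.51.100.9 - - [{ts}] "POST /login HTTP/1.1" 302 0')
    lines.append("not a log line at all")  # exercise the malformed-line path
    return lines


if __name__ == "__main__":
    flagged, bad = detect_floods(make_sample_log())
    for ip, (first, peak) in flagged.items():
        print(f"{ip}: {peak} requests in one window, first flagged at {first:%H:%M:%S}")
    print(f"{bad} malformed line(s) skipped")
```

On the constructed sample only the flooding source is flagged; the two ordinary clients never come near the threshold, and the malformed line is counted rather than crashing the loop. A per-source counter is only the first layer, though: a genuinely distributed flood spreads the load across many addresses so that no single source looks abnormal while the aggregate rate does, which is why effective mitigation for an attack like the one described above has to sit upstream, at the provider.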
The attack set off a wide-ranging debate within the Israeli security institutions: analyzing it to identify its possible ramifications, determining how exposed other public utilities are to similar attacks, and assessing whether electricity and water companies, among others, could keep serving the public if such attacks recurred. Israeli newspapers and the defense institutions differed sharply in how they characterized it. On the one hand, the defense ministry described it as extraordinarily dramatic, the “biggest in Israel’s history”, and the most comprehensive, intimating that a state or a major organization may be behind it and warning of its repercussions. On the other hand, the Ministry of Communications, led by Yoaz Hendel, played the attack down, denied any leak of critical information or any targeting of sensitive government security sites, and described it as unsophisticated and as having no effect on day-to-day business.
Official and unofficial Israeli media pointed the finger at Iran. Haaretz, for instance, warned against underestimating Iranian threats that could leave Israel facing a violent confrontation. The Jerusalem Post attributed the attack to the Iranian hacking group Black Shadow, which had already claimed responsibility, asserting that it had hit dozens of Israeli government websites that the Mossad and the other responsible institutions had failed to secure, that Israeli cyberspace had collapsed and that satellite communications had stopped working. Israel Hayom accused Iran of carrying out the attack against the backdrop of Iranian allegations of an Israeli attempt to sabotage one of its nuclear facilities; as supporting evidence it cited a post by Iran’s Islamic Revolutionary Guard Corps (IRGC) on its Instagram account, hours before the cyberattack, carrying an ominous message with the word “surprise” in Hebrew.
Simultaneously with the cyberattack on Israel, the Iranian Students News Agency (ISNA) reported that websites of the Iranian Ministry of Culture and Islamic Guidance had been attacked; the hackers posted the phrase “Death to Khamenei” and pictures of Maryam Rajavi, leader of the People’s Mujahedin of Iran (MEK), and her husband Massoud Rajavi.
While several Iranian media outlets pointed to MEK involvement in this attack, the Iranian government neither confirmed nor denied it. Hours later, the IRGC claimed responsibility for the cyberattack on Israel, leading analysts to suggest that Tehran had a different suspect in mind for the defacement of its own sites.
In fact, the cyberattack on Israel can be linked to Iran’s desire for revenge after it said it had thwarted a sabotage attempt by the Mossad against the Fordow Fuel Enrichment Plant (FFEP), northeast of the city of Qom and south of Tehran. In a statement following the attempt, the IRGC Intelligence Unit announced the arrest of everyone involved in the act of sabotage. According to the IRGC account, the operation was planned by a Mossad officer who recruited a neighbor of an FFEP staff member and supplied him with cash and a laptop for passing on information over secure communications. Notably, the employee in question had worked at FFEP on the advanced IR-6 centrifuges before the plot was uncovered. The FFEP is Iran’s second uranium enrichment facility, after Natanz. Under the 2015 nuclear agreement it was converted into a research center; after the US withdrawal from the agreement in 2018, however, Iran stepped back from its commitments and raised enrichment to 20 percent, a step mandated by its parliament in December 2020 and carried out at Fordow in January 2021.
Additionally, Iran has claimed in the recent past to have arrested several Mossad agents, which may explain its ballistic-missile strike on what it described as secret Mossad sites in Erbil on 13 March 2022. In Syria, a week before the cyberattack, two IRGC officers were killed in an Israeli airstrike on Iranian arms and ammunition depots near Damascus International Airport, to which Iran vowed to respond, stating that “Israel will pay the price for this crime.”
Relatedly, some analyses linked the cyberattack on Israel to the “war-between-wars” campaign that Israel and Iran have been waging for at least three years (at least in Syria), a cold war of sorts in which both sides avoid a full military confrontation but trade frequent cyberattacks, which are cheaper and can reach sensitive intelligence, critical IT systems and infrastructure facilities.
Vicious Cycles of Attack and Retaliation
In 2021, Iran and its proxies hacked dozens of Israeli public and private institutions for a range of goals, including espionage and theft of sensitive information. To that end Iran has worked through several well-known hacking groups, among them Moses Staff (rendered “Musa Stick” in some reports), which first surfaced in October 2021 and aims to inflict major damage on Israeli companies by leaking their stolen sensitive data. Moses Staff had previously hacked the databases of Rafael Advanced Defense Systems, Israel Aerospace Industries, and three Israeli engineering firms. The attack on the engineering companies took place in November 2021 and resulted in the theft of their data, engineering drawings, customer data, and business agreements.
Additionally, the Black Shadow group leaked the medical records of 290,000 patients, which led the security and health agencies to convene emergency meetings to prevent breaches of the databases of nine Israeli hospitals. In a related development, Hillel Yaffe Medical Center in Hadera was hit in October 2021 by a ransomware attack attributed to Iran, with a ransom of $10 million demanded. The attack paralyzed the hospital for a considerable time and damaged all of its systems, and the Israeli Ministry of Health admitted its inability to confront such attacks following secret investigations by the security services, which in turn concluded that Israel is not ready for cyber warfare.
Relatedly, the Iranian APT35 group, also known as Charming Kitten, exploited a vulnerability in the open-source Log4j logging library (Log4Shell, CVE-2021-44228), which is embedded in many popular frameworks and in products from vendors as large as Apple, Google, Amazon and Microsoft, against targets in Israel. Further, seven Israeli government and commercial websites were hit by a cyberattack in December 2021 that was thwarted, according to the security vendor Check Point.
In these cycles of attack and counter-attack, Israel too has carried out several cyberattacks on Iran, the most serious of which targeted Iran’s nuclear facilities. Over the past decade the Natanz facility has suffered several such attacks. The first came in 2010, when the Stuxnet worm disabled centrifuges at the facility. In 2020 the facility suffered a massive explosion that Iranian authorities described as an act of sabotage. In 2021, as mechanical tests began on the top-of-the-line IR-9 centrifuge, a blackout hit Natanz’s electrical distribution grid, and fingers were pointed at Israel for a possible cyberattack.
Remarkably, the Israeli cyberattacks on Iran went beyond nuclear facilities to industrial, commercial and energy targets as well. In late October 2021, a cyberattack that Iran attributed to Israel paralyzed 4,300 gas stations across the country, leaving them out of service for around 10 days. This attack, which hit civilian targets, marked a major shift in the shadow war that Israel and Iran have been waging for years on land, at sea, in the air and in cyberspace.
The timing of the cyberattack on Israel was no accident. It came while the world’s attention was fixed on the Russo-Ukrainian war, which briefly made it look like a Russian act against Israel, punishing it for its opposition to Russia or for its efforts to mediate between Russia and Ukraine. Given the conflict that has been intensifying between Iran and Israel for years, however, the Iranian cyberattack on Israel was neither abrupt nor unexpected.
Overall, DoS attacks are considered a lesser risk because they do not usually lead to leakage of sensitive data and are technically less complex than intrusions, and there is no evidence that these attacks resulted in any major breach of sensitive data. That does not make them ineffective or insignificant: denying availability is the point of such an attack, and a flood is also sometimes used to occupy defenders while a quieter intrusion is attempted elsewhere. Cyberattacks of different types have in fact proven effective in achieving salient goals, above all sparing the two parties a direct confrontation, given the high cost of open war and the international condemnation it may provoke.
The Iran-Israel cyber conflict has revealed Israel’s inability to go to direct war with Iran, which pushes it toward cyberwar and a “shadow war”, including the assassination of nuclear scientists, aimed at undermining the Iranian nuclear program, at demonstrating the threat that program poses to the region given the capabilities of neighboring countries, and at legitimizing Israel’s opposition to the program by demonizing Iran and exaggerating the threat it poses not only to Israel but to the West as well.
Iran, in return, managed to expose Israeli vulnerabilities and the failure of Israeli security institutions to protect their own cyberspace, at a time when Tel Aviv has been promoting its security and military industries and boasting of its technological superiority to boost exports of technology and spyware. Coming under such attacks undermines Israel’s technological image worldwide and raises doubts about the solidity of its cyber security, given that it has failed several times to withstand DoS attacks despite how common and unsophisticated they are. Attack after attack, Iran achieved this gradually through intrusions that leaked personal information about the Israeli Defense Minister and hundreds of soldiers, and through the hacking of the phone of the Mossad chief, among other prominent security figures.
In short, the growing cyber conflict between Israel and Iran, now described as a cyberwar, will likely remain a major arena of confrontation for the present. Given the scale of the attacks Israel has faced since 2020, the cyberwar may prove even more critical in the short term, amid a massive global rise in cyberattacks since the outbreak of the Covid-19 pandemic and a 21 percent increase in cyberattacks against Israel in the aftermath of the Russo-Ukrainian war. Arguably, this shadow cyberwar may escalate into open warfare if Iran’s security agencies push in that direction.