Over the past decade, cyber has increasingly become a space for strategic confrontation between Israel and Iran, two rather advanced, cyber-capable states that have been engaged in a long-running cyber conflict throughout that period.
The conflict started with the “Stuxnet” worm, which was aimed at Iranian nuclear facilities and was attributed to the West, including Israel. This worm, which was exposed in 2011, disrupted the centrifuge site at Natanz. The attack is considered a watershed in the history of cyber-attacks and an example of a surgical computer network attack (CNA) that required cyber capabilities at the highest level.
The next stage of the conflict has also been attributed to Israel. In 2012, the activities of the Iranian shipping company “Irisl” were disrupted by the destruction of data on the company’s computers. It is not clear what Israel allegedly wanted to achieve, but it seems that the damage to the Iranian shipping company was not significant.
Iranian cyber activity has entailed significant computer network influence (CNI) operations, including the establishment of a disinformation array that included false news sites. The array, named “Endless Mayfly,” was unveiled in 2019 and operated for a number of years. As part of it, the Iranians set up fake news sites in order to influence the Israeli public’s perception of key security issues, such as the fighting in Syria. The Iranians evidently approach the cyber dimension holistically, in a way that also includes social networks and online media.
In 2020, the nature of Israeli-Iranian cyber confrontation evidently began to change after Iran initiated an attack against a civilian water facility in Israel. The attack’s purpose was to raise the level of chlorine in the water flowing into the homes of Israeli citizens. At the time, the head of the Israel National Cyber Directorate claimed that “This is a new kind of war, all the lines have been crossed and that a catastrophe could have been caused.” Israel’s response included an attack on seaport computers in southern Iran, causing disruptions to port operations for at least a few days.
From 2020 onward, there has been an increase in the extent and diversity of the cyberwar between Iran and Israel. The context for this increase is probably the growing tension regarding the Iranian nuclear program and the confrontation between Israel and Iran in the Syrian theater and at sea, in which cyber has become part of the arena of confrontation. From the Israeli side, it included cyber-attacks (CNA) against civilian organizations, combined with cognitive warfare (CNI), intended to create public pressure on the regime. For example, Iranian train traffic and fuel supply were disrupted. From the Iranian side, it included seemingly random attacks on the private business sector, in which the Iranians attack private companies, such as the Shirbit insurance company, where many security personnel are insured, or the Atraf dating site, encrypt their information, and then publish personal information to create public embarrassment and pressure on decisionmakers in Israel. Another example of an Iranian influence operation is interference in political demonstrations through fake figures on social media in order to increase internal polarization. Recently, Iran also initiated a denial-of-service attack against Israeli government ministry websites and managed to disable them for a short time.
In recent years, Israel and Iran’s cyber warfare campaign has evolved from clandestine CNA attacks like Stuxnet to more public attacks via cognitive warfare and influence on social networks. However, we have also recently seen a return to CNA, including against civilian targets, in combination with CNI.
This mutual warfare allows both sides to convey strategic messages, but it also has a price for Israel: a demonstration of CNA capabilities leads the other side to “vaccinate” itself against those cyberweapons and to improve its cyber defenses generally. Furthermore, attacking civilian cyber targets could legitimize attacks on similar targets in response and lead to escalation in less protected cyber sectors. Such attacks also have implications for computer network exploitation (CNE) capabilities, since the opponent increases its defensive capabilities.
However, dealing with cyberspace also has strategic advantages. It enables the transmission of messages between the two states in the context of their strategic confrontation, allows the conflict to develop without violent measures, and is part of shaping the rules of cyber warfare in the next decade.
The cyberwar between Israel and Iran, as it has developed mainly in the last two years, is an example of a strategic and technological learning competition, in which both sides have something to gain but may also pay a price.
Lt. Col. (res.) David Siman-Tov is a Senior Research Fellow at the Institute for National Security Studies (INSS) and deputy head of the Institute for the Research of the Methodology of Intelligence (IRMI) at the Israeli Intelligence Community Commemoration and Heritage Center.