The conflict between Iran and Israel over four decades has seen many twists and turns with unusual tactics, including cyber attacks of various scales. Beginning with the infamous Stuxnet malware attack in 2010, the shadow war intensified further with more powerful DDoS, defacement, cyber espionage, phishing, social engineering, and ransomware attacks to cripple opposition infrastructure, steal intelligence, and spread disinformation. This digital conflict is a powerful demonstration of how nation-state actors have weaponized cyberspace to achieve political and military objectives.
This blog will dive into how these prevalent techniques are deployed, why they are favored, and the tools and methods that have defined this ongoing conflict.
Distributed Denial-of-Service (DDoS) Attacks
DDoS attacks have become a mainstay of nation-state cyber warfare, primarily due to their simplicity and effectiveness. These attacks aim to flood targeted networks with traffic, overwhelm systems, and disrupt essential services. Iran and Israel have used DDoS attacks against critical infrastructure, including government websites, financial institutions, and utilities, to gain an upper hand in their cyber skirmishes.
Why Nation-States Favor DDoS Attacks:
DDoS attacks are relatively easy to launch, often requiring little more than a botnet of infected devices. They can temporarily paralyze vital systems, creating a ripple effect across sectors reliant on those systems.
Pervasiveness:
DDoS attacks have become more frequent, especially during heightened geopolitical tension. In 2020, Israel’s National Cyber Directorate reported a sharp rise in DDoS attempts aimed at its water systems; the attackers targeted Israeli water infrastructure and attempted to poison water supplies by altering chemical levels. Israel managed to thwart the attack but viewed it as a severe escalation. A month later, Israel responded with a similar DDoS attack on Iran’s Shahid Rajaee port in Bandar Abbas, disrupting shipping operations and causing significant delays.
Over three days, between 6 and 8 October 2023, the pro-Hamas, anti-Israel hacktivist groups Cyber Av3ngers and Anonymous Sudan executed several DDoS attacks on the NOGA and DORAD power grid operators, the Israel Electric Corporation, and The Jerusalem Post website.
Tools and Techniques:
Common tools include botnets such as Mirai, which conscripts vulnerable IoT devices and is often used in such attacks. In some cases, attackers have used amplification attacks, which abuse misconfigured servers to magnify traffic, leading to larger-scale disruptions.
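From the defender's side, amplification traffic has a recognisable shape: a host receives large volumes of UDP responses from services (open DNS resolvers, for instance) that it sent few or no queries to, because the attacker spoofed the victim's address in the requests. The following is an added example, not code from the original article, that scores constructed NetFlow-style records for exactly that pattern. The `Flow` record layout, the sample addresses, and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed layout for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int


# Constructed sample. 10.0.0.5 is the victim: its address was spoofed in queries
# sent to open resolvers, so it receives large responses it never asked for.
# 10.0.0.7 is a normal client with a small query and a small answer.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 40001, 53, "UDP", 70),      # one genuine small query
    Flow("198.51.100.10", "10.0.0.5", 53, 40001, "UDP", 3000),
    Flow("198.51.100.10", "10.0.0.5", 53, 40002, "UDP", 3000),
    Flow("198.51.100.11", "10.0.0.5", 53, 40003, "UDP", 3500),    # victim never queried this resolver
    Flow("198.51.100.12", "10.0.0.5", 53, 40004, "UDP", 4000),    # nor this one
    Flow("10.0.0.7", "192.0.2.53", 50000, 53, "UDP", 60),         # normal client query
    Flow("192.0.2.53", "10.0.0.7", 53, 50000, "UDP", 180),        # normal-sized answer
    Flow("10.0.0.7", "192.0.2.53", 50001, 53, "TCP", 900),        # TCP DNS is not reflective; ignored
]


def amplification_report(flows, min_ratio=10.0, min_bytes=5000):
    """Return hosts that receive far more DNS response bytes than they send in queries.

    A host is reported when its inbound UDP/53 response volume is at least
    ``min_bytes`` and exceeds its outbound query volume by ``min_ratio`` (a host
    with responses but no queries at all has an infinite ratio).
    """
    query_bytes = defaultdict(int)      # client -> bytes sent to port 53
    response_bytes = defaultdict(int)   # client -> bytes received from port 53
    queried = defaultdict(set)          # client -> resolvers it actually asked
    responders = defaultdict(set)       # client -> resolvers that answered it
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport == 53:
            query_bytes[f.src] += f.nbytes
            queried[f.src].add(f.dst)
        elif f.sport == 53:
            response_bytes[f.dst] += f.nbytes
            responders[f.dst].add(f.src)

    suspects = {}
    for host, rbytes in response_bytes.items():
        qbytes = query_bytes.get(host, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if rbytes >= min_bytes and ratio >= min_ratio:
            suspects[host] = {
                "response_bytes": rbytes,
                "query_bytes": qbytes,
                "ratio": ratio,
                # Resolvers that answered without ever being asked: direct evidence of spoofing.
                "unsolicited_resolvers": sorted(responders[host] - queried[host]),
            }
    return suspects


if __name__ == "__main__":
    for victim, info in amplification_report(SAMPLE_FLOWS).items():
        print(victim, info)
```

The unsolicited-resolver list is the most useful field operationally: it tells you which reflectors to rate-limit or block at the edge, and the same per-host accounting works for NTP (port 123) or memcached (port 11211) by changing the port test.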
Website Defacement
Website defacement is another tool in the arsenal of nation-state actors, often used for propaganda purposes. By breaking into a target website and altering its content, attackers spread disinformation or threaten opposing governments and citizens. The vector is used mainly as a psychological weapon, a visible reminder of an ongoing conflict.
Why Nation-States Favor Website Defacement:
Defacement attacks are low-cost but highly visible. They are ideal for spreading political messages and creating fear or uncertainty among a population.
Pervasiveness:
Defacement is frequently linked to symbolic dates or events. For instance, on March 3, 2024, the pro-Palestinian, English-speaking cyber threat group Handala Hack (also known as “Hanzala Hack”) claimed remote access to Israeli radar systems. On April 13, the group again asserted that it had breached the radar systems; twenty-four minutes later, Iran launched attacks. Since December 2023, Handala Hack has predominantly carried out low-level website defacements against Israeli public and private institutions aligned with critical infrastructure. In June 2024, Iranian hackers defaced several Israeli media outlets’ websites with anti-Israeli propaganda, while Israel retaliated by taking Iranian government websites offline for several days.
Tools and Techniques:
SQL injection and vulnerabilities in content management systems (CMS) such as WordPress are commonly exploited to carry out defacement attacks. Attackers have also relied on simple brute-force techniques, among others, to gain unauthorized access.
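The injection flaw that lets an attacker read or rewrite CMS content usually comes down to one habit: splicing request input into SQL text instead of binding it as a parameter. The following is an added example, not code from the original article or any named CMS, showing a deliberately vulnerable page lookup next to its parameterized fix over an in-memory SQLite table. The `pages` schema and the slug values are constructed for the example.

```python
import re
import sqlite3

# Constructed schema: a CMS-style table with one published page and one unpublished draft.
SCHEMA = """
CREATE TABLE pages (slug TEXT PRIMARY KEY, published INTEGER NOT NULL, body TEXT NOT NULL);
INSERT INTO pages VALUES ('home', 1, 'Welcome to the public site');
INSERT INTO pages VALUES ('draft-notice', 0, 'Internal draft, not for release');
"""

SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def make_db():
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, slug):
    """Deliberately vulnerable: the request-supplied slug is interpolated into the SQL text,
    so quote characters in the input change the query's logic."""
    sql = f"SELECT slug, body FROM pages WHERE published = 1 AND slug = '{slug}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, slug):
    """Hardened: the slug is validated against an allowlist pattern and then bound as a
    parameter, so the database never parses it as SQL."""
    if not SLUG_RE.fullmatch(slug):
        return []
    sql = "SELECT slug, body FROM pages WHERE published = 1 AND slug = ?"
    return conn.execute(sql, (slug,)).fetchall()


def compare(slug):
    """Run both lookups on the same input and return the row counts each produces."""
    conn = make_db()
    try:
        return {"vulnerable": len(vulnerable_lookup(conn, slug)),
                "safe": len(safe_lookup(conn, slug))}
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal slug:", compare("home"))
    # The classic tautology input: the vulnerable query's WHERE clause becomes
    # published = 1 AND slug = '' OR '1'='1', which matches every row, draft included.
    print("tautology input:", compare("' OR '1'='1"))
```

The allowlist regex is defence in depth, not the fix: the parameter binding alone closes the injection. Validating the slug as well keeps unexpected characters out of logs and downstream code, and makes the rejected request easy to alert on.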
Cyber Espionage
Cyber espionage is one of the core strategies embraced by nation-state threat actors, and the Iran-Israel cyber war is no exception. Both nations engage in sophisticated spying campaigns to steal sensitive information. This tactic goes beyond simple disruption; it is about gathering intelligence for military and strategic advantage.
Why Nation-States Favor Cyber Espionage:
Cyber espionage allows nation-states to infiltrate adversaries’ networks undetected, collecting valuable intelligence on military operations, diplomatic communications, and industrial secrets.
Pervasiveness:
Espionage efforts have been relentless. The Iranian group APT34, known as “OilRig,” has launched multiple campaigns to infiltrate Israeli defense and government networks. In 2019, Iranian hackers reportedly breached Israeli missile systems to gather technical data.
In 2024, pro-Iran activists launched a cyber-espionage campaign targeting the aerospace, aviation, and defense industries of Israel and the UAE. The campaign is believed to have also affected Turkey, India, and Albania. Mandiant tracked the operation to an Iranian group called UNC1549, which was also associated with another hacking operation called Tortoiseshell. The group’s targets have included Israeli shipping companies and U.S. aerospace and defense companies, with reports linking it to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Tools and Techniques:
Key tools include Remote Access Trojans (RATs) such as NJRAT, spear-phishing emails, and zero-day vulnerabilities. UNC1549 uses numerous evasion techniques and multiple social engineering campaigns to deploy two custom backdoors, MINIBIKE and MINIBUS, both of which provide a flexible code execution interface and enhanced reconnaissance features.
Phishing and Social Engineering: The Human Element in Cyber Warfare
Phishing and social engineering have proven to be among the most effective tactics in cyber warfare, primarily because they target human behavior, the weakest link in any security chain.
Pervasiveness:
In 2022, APT42, also known as IRGC, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, launched a spear-phishing campaign against Israeli military personnel, diplomats, and researchers, using phishing emails loaded with malicious links to steal credentials. The campaign intensified further in 2024, targeting Israeli defense officials, academic researchers, and NGO workers.
In another campaign this year, the same group targeted WhatsApp users in Israel, Palestine, the U.K., and the U.S. In this campaign the attackers posed as technical support for companies such as Google and Microsoft to extract sensitive information from high-profile targets, including political and diplomatic figures.
Tools and Techniques:
Spear phishing plays a significant role in nation-state cyber campaigns. In the campaign mentioned above, APT42 sent highly targeted emails to specific individuals such as government officials, diplomats, and military personnel. The emails often contained malicious links or attachments designed to deceive recipients into sharing sensitive information, frequently abusing trusted services such as Google, Dropbox, and Microsoft.
APT42 also used custom phishing kits mimicking well-known platforms like Yahoo and Microsoft’s Single Sign-On (SSO) login pages. These kits included complex redirection flows and were tailored for specific victims. In some cases, they even bypassed two-factor authentication (2FA) to steal credentials by mimicking legitimate verification pages.
The campaigns exploited a document validation service to deceive targets into uploading their identity documents for further impersonation and identity theft.
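Kits that imitate Microsoft or Yahoo sign-in pages, chain redirects, and relay verification codes all have to put a link in front of the victim, and that link is where a mail gateway or SOC triage script gets its first look. The following is an added example, not code from the original article, that triages login URLs the way a defender would: it allows only a constructed allowlist of genuine sign-in hosts, flags brand names on any other host, flags punycode labels and non-HTTPS login pages, and surfaces redirect parameters that point somewhere else. The allowlist, brand list, and sample URLs are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of genuine sign-in hosts. In production this would be
# maintained centrally and matched against the organisation's actual IdPs.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "accounts.google.com",
    "login.yahoo.com",
}

# Brand words that a phishing kit is likely to put in a hostname to look familiar.
BRANDS = ("microsoft", "google", "yahoo", "dropbox", "office")


def _redirect_targets(query):
    """Return hostnames of absolute URLs carried in query parameters (e.g. ?next=https://...)."""
    targets = []
    for values in parse_qs(query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                host = (urlparse(v).hostname or "").lower()
                if host:
                    targets.append(host)
    return targets


def classify_login_url(url):
    """Return (verdict, reasons) for a URL that claims to be a sign-in page.

    verdict is "allow" (allowlisted host over https, nothing odd), "block"
    (at least one red flag) or "review" (unknown host with no red flags).
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []

    if p.scheme != "https":
        reasons.append("login page not served over https")

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized (punycode) hostname")

    if host not in LEGIT_LOGIN_HOSTS:
        for brand in BRANDS:
            if brand in host:
                reasons.append(f"brand '{brand}' in hostname that is not an allowlisted login host")
                break

    for target in _redirect_targets(p.query):
        if target != host:
            reasons.append(f"redirect parameter points to {target}")

    if reasons:
        return ("block", reasons)
    return ("allow" if host in LEGIT_LOGIN_HOSTS else "review", reasons)


# Constructed sample links, as they might be extracted from a suspicious email.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoft-sso-verify.example/auth",
    "https://accounts.google.com.security-check.example/signin?next=https://accounts.google.com/",
    "http://login.yahoo.com/",
    "https://xn--mcrosoft-2ya.example/login",
    "https://docs.partner.example/share/123",
]


def triage(urls):
    """Map each URL to its verdict; convenient for a gateway rule or a SOC notebook."""
    return {u: classify_login_url(u)[0] for u in urls}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reasons = classify_login_url(u)
        print(f"{verdict:6} {u}")
        for r in reasons:
            print("       -", r)
```

Hostname heuristics like these catch the lookalike-domain kits but not a kit hosted on a compromised legitimate site, so they belong alongside phishing-resistant authentication (FIDO2/WebAuthn binds the credential to the real origin, which is why the "mimic the verification page" trick in the text fails against it) rather than instead of it.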
Ransomware: Crippling Economic and Industrial Operations
Ransomware has evolved from a criminal tactic to a powerful weapon in cyber warfare. By encrypting critical files and demanding payment for their release, nation-state actors can cripple entire industries or disrupt government functions. The use of ransomware in the Iran-Israel conflict is a clear indication of how cyber-attacks can be used to exert economic pressure without direct military confrontation.
In many cases, ransomware attacks in this conflict have targeted large corporations and infrastructure. Ransomware-as-a-Service (RaaS) platforms, where nation-state actors or their affiliates can purchase ready-made ransomware kits, have made these attacks easier to deploy and more widespread. Double extortion techniques—where attackers also threaten to leak sensitive data if ransom demands are not met—have further increased the pressure on victims.
Pervasiveness:
One of the most notable examples was the Pay2Key ransomware attack in 2020, which targeted Israeli companies. The attack caused widespread disruption across several industries, and the attackers, believed to be linked to Iranian cyber units, demanded cryptocurrency payments to restore access to the encrypted files. Pay2Key not only caused significant financial losses but also highlighted the growing capability of nation-state actors in conducting large-scale ransomware attacks.
In another campaign, DarkBit, an Iran-linked group, executed a ransomware attack on Israel’s Technion University in 2023, disrupting exams and shutting down IT systems. The attackers demanded 80 bitcoins (roughly $1.7 million) and made ideological claims against Israel. This attack was attributed to the MuddyWater hacking group associated with Iran’s Ministry of Intelligence.
Tools and Techniques:
These campaigns typically employed well-known cyber tactics such as:
- Vulnerability Exploitation: Exploiting known vulnerabilities in VPNs and firewalls to gain initial access.
- Phishing and Social Engineering: Phishing emails deceive targets into providing credentials.
- Double Extortion: Encrypting data while threatening to release stolen information publicly.
- Advanced Persistent Threat (APT) Techniques: Malware such as Tickler was used to establish footholds for espionage and subsequent ransomware deployment.
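Whatever the initial access, the encryption stage of a ransomware run has a detectable footprint on the file system: one process rewriting many files in a short window, with the new contents looking like random bytes. The following is an added example, not code from the original article or any vendor product, that implements that heuristic over constructed file-write events: it measures Shannon entropy of written content and alerts on a process that produces a burst of high-entropy writes. The event layout, process names, paths, and thresholds are assumptions made for the example.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(data):
    """Bits of entropy per byte of ``data`` (0.0 for empty, up to 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed content samples. A seeded generator stands in for ciphertext so the
# example is reproducible; real ciphertext has the same near-8-bit profile.
_rng = random.Random(1234)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT_LIKE = b"Quarterly report: revenue grew in every region. " * 100


def build_events():
    """Constructed file-write events: {ts, proc, path, content}.

    An unknown process rewrites 25 share files with ciphertext-like content in under
    five seconds and appends an extra extension; a word processor saves two documents.
    """
    events = []
    for i in range(25):
        events.append({"ts": 100.0 + i * 0.2, "proc": "updater.exe",
                       "path": f"/srv/share/doc{i}.xlsx.locked", "content": CIPHERTEXT_LIKE})
    events.append({"ts": 100.5, "proc": "winword.exe",
                   "path": "/home/u/report.docx", "content": PLAINTEXT_LIKE})
    events.append({"ts": 102.0, "proc": "winword.exe",
                   "path": "/home/u/notes.docx", "content": PLAINTEXT_LIKE})
    return events


def detect_encryption_bursts(events, window_s=10.0, min_files=20, entropy_threshold=7.5):
    """Return {process: peak_count} for processes that wrote at least ``min_files``
    high-entropy files within any ``window_s``-second sliding window."""
    high_entropy_times = defaultdict(list)
    for e in events:
        if shannon_entropy(e["content"]) >= entropy_threshold:
            high_entropy_times[e["proc"]].append(e["ts"])

    alerts = {}
    for proc, times in high_entropy_times.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:   # slide the window's left edge
                lo += 1
            count = hi - lo + 1
            if count >= min_files and count > alerts.get(proc, 0):
                alerts[proc] = count
    return alerts


if __name__ == "__main__":
    print("plaintext entropy  :", round(shannon_entropy(PLAINTEXT_LIKE), 2))
    print("ciphertext entropy :", round(shannon_entropy(CIPHERTEXT_LIKE), 2))
    print("alerts             :", detect_encryption_bursts(build_events()))
```

Entropy alone is a weak signal, since compressed archives, images, and already-encrypted files score just as high; the burst count per process and the changed extensions are what turn it into an actionable alert. Where this fires, the response priority is to isolate the host before the process reaches network shares, and to treat the double-extortion half of the attack as already in progress (data was likely staged out before encryption began).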
How Nation-State Actors Leverage Social Media Platforms
In addition to launching direct cyber-attacks, nation-state actors from both Iran and Israel have leveraged social media platforms like Telegram and Twitter to amplify their strategies. These platforms are used to distribute malicious tools, organize campaigns, and spread disinformation. By utilizing the reach and anonymity offered by social media, cyber actors can communicate with large audiences, recruit hackers, and even sell or share malicious software.
The Pervasiveness of Telegram Groups
Telegram, in particular, has become a hotbed for cybercriminal activity, with channels dedicated to sharing hacking tools, techniques, and updates on ongoing cyber operations. Some nation-state actors use these platforms to communicate with their affiliates, sharing intelligence on vulnerabilities and attack vectors. Meanwhile, Twitter is often used to amplify the psychological effects of cyber-attacks by broadcasting their success, undermining confidence in the target nation’s cybersecurity capabilities.
A prominent example of this occurred in 2021 when Iranian hackers used Telegram channels to distribute tools that allowed users to contribute to DDoS campaigns or defacement attacks against Israeli targets.
Conclusion
The ongoing cyber war between Iran and Israel showcases how nation-state actors are increasingly relying on cyber-attacks as strategic weapons. Using tactics such as DDoS attacks, website defacement, cyber espionage, phishing, and ransomware, both sides have demonstrated the effectiveness of cyber warfare in disrupting critical infrastructure, spreading disinformation, and stealing sensitive data. These attacks are not isolated incidents but coordinated efforts to gain political, military, and economic advantages without resorting to traditional military confrontation.
As the conflict continues to escalate, it is clear that cyber warfare will play an even more significant role in shaping the future of geopolitical conflicts and the global threat landscape. Nation-state actors are increasingly turning to social media platforms like Telegram and Twitter to enhance the scale of their operations, distribute malicious tools, and amplify the psychological effects of their attacks. The Iran-Israel cyber war serves as a critical example of how cyber capabilities can be leveraged as weapons of mass disruption in the modern era.
For other nations and global industries, this cyber war between Iran and Israel provides critical lessons in the importance of cybersecurity. Governments and corporations must remain vigilant in protecting their digital infrastructure from sophisticated attacks, as the consequences of a successful cyber operation could have far-reaching impacts on national security and economic stability.