The Next Israel-Iran Fight Could Be in Cyberspace

The two countries have a long history of online offensives against each other, which may come into play as Israel mulls retaliation for Iran's attack.

By Rishi Iyengar, a reporter at Foreign Policy.
Motorists and pedestrians travel on a paved road beneath a massive billboard in Tehran. The billboard depicts a fleet of missiles standing upright against a background of orange flames, along with text in Persian and Arabic.
Motorists drive their vehicles past a billboard depicting Iranian ballistic missiles, with text in Arabic reading “the honest [person’s] promise” and in Persian “Israel is weaker than a spider's web,” in Valiasr Square in central Tehran, Iran, on April 15. Atta Kenare/AFP via Getty Images

Iran’s attack on Israel over the weekend—with more than 300 munitions, including ballistic missiles and drones, launched directly from Iranian soil—was unprecedented in many ways. What was not unprecedented was the threat of cyberattacks that accompanied it. 

A hacking group linked to Iran claimed to have compromised Israeli radar systems in the weeks leading up to the attack, though Israel’s top cyber agency said it had not witnessed any “abnormal online activity” during Saturday’s missile assault. Iran’s targeting of Israel in the cyber realm has spiked dramatically since the wider regional conflict sparked by Hamas’s attack on Oct. 7, 2023, with the head of the Israel National Cyber Directorate (INCD), Gaby Portnoy, saying last week that the intensity of cyberattacks that Israel faces has tripled in that period. 

The online tit for tat between the two countries predates the current conflict by more than a decade, however. As early as 2006—and possibly even earlier—the United States and Israel reportedly began developing and then deploying a cyberweapon, which came to be known as Stuxnet, to infiltrate and sabotage the computer system at Iran’s Natanz nuclear facility, an underground plant used to enrich uranium. (Israel and the United States both deny that they created Stuxnet, although independent news organizations widely agree that the two nations are behind the malicious software.) That weapon, discovered in 2010, is widely considered to be the starting point of a sophisticated Iranian cyber program that Washington now counts among its top threats, alongside those posed by other adversaries—including Russia, China, and North Korea. 

Iran’s prime target, however, has always been Israel. 

It’s “literally one of the oldest cyber rivalries that we have,” said Mohammed Soliman, the director of the strategic technologies and cybersecurity program at the Middle East Institute in Washington, D.C. “The Iranians reengineered Stuxnet to build their own malware that they attacked the Gulf Arabic states with.” 

Israel has always been the more sophisticated of the two adversaries, aided by close cooperation with the United States and other Western allies. In addition to the national cyber agency, the largest division of the Israel Defense Forces (IDF) is an intelligence-gathering unit known as Unit 8200, which is responsible for the country’s main offensive cyber operations and is believed to have collaborated with the United States to engineer the Stuxnet attack. 

“I would call Israel a cyber superpower and Iran a rising cyber power,” Soliman said. “Iran is not really equivalent to Israel in cyberspace, but they are a very agile nation in terms of building their own capabilities, and they have been also learning from the Israelis all these years.”

Israel has vowed retaliation for Saturday’s drone and missile assault by Iran, but U.S. President Joe Biden and others are urging Israeli leaders to exercise restraint in order to avoid significantly escalating the conflict. Cyber operations could be one way to thread that needle.

“Whether they’re right or not, [Iran and Israel] appear to believe that cyber is less escalatory than kinetic, and so they can do it with an expectation of a lesser response from the other side,” said Charles Freilich, Israel’s former deputy national security advisor and a co-author of the book Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power.

Despite that notion, Israel is likely to treat a cyberattack against Iran as on par with any other military operation. “The IDF has an operational doctrine—in other words, they know how they want to use it or how to use it. They haven’t formulated an overall cyber strategy,” said Freilich, who is currently a senior fellow at the Institute for National Security Studies in Tel Aviv. “Offensive cyber operations require pretty much a very similar approval process to kinetic operations; with anything significant, it’s going to go up the chain and reach the prime minister himself.”

The forms that such Israeli operations against Iran could take range widely, from attacks aimed at compromising nuclear facilities to damaging military or even civilian infrastructure.

“There are a number of potential centers of gravity inside Iran that Israel might choose to disrupt or mitigate without kinetic strikes or conventional military action,” said Andrew Borene, a former U.S. intelligence official who is now the executive director for global security at the risk intelligence firm Flashpoint.

The most prominent examples in the recent past have been from an Israel-linked group calling itself Predatory Sparrow, which attacked everything from Iran’s train networks to steel mills and gas stations in a series of incidents between 2021 and 2023. While Israel never formally took responsibility for the group’s actions, they align perfectly with the country’s objectives, said Ben Read, the director of cyber espionage analysis at the Google-owned cybersecurity firm Mandiant. “It’s a highly capable actor that does not appear to have a financial motivation, is not making any money, and has impacted Iran multiple times over a few years,” he said of the group behind the attacks. “So that kind of narrows it down.”

The group’s modus operandi also fits with what Israel might want to do going forward, in the sense of being able to bring about a major public disruption without a significant escalation or loss of life—not unlike Iran’s highly telegraphed missile launches, which were very prominent but ultimately ineffective.

“This is designed to be noticed,” he said. “They’re flashing billboards.”

The Biden administration has repeatedly said that its support for Israel remains “ironclad” but noted that the United States does not support an Israeli counterattack against Iran and will not participate in such an attack. It did not specify whether that extended to all forms of attack, including cyber operations, or just to kinetic military operations. (The White House did not immediately respond to a request for comment, and the U.S. Defense and State departments declined to comment.) But the Israelis aren’t likely to need help from the United States to carry out a cyberattack against Iran, at least from a technical capabilities standpoint. 

“Israel has extremely strong advanced military forces, and they don’t ask for American bodies or American troops to engage in their fights … it’s actually quite similar in the cyber domain,” Borene said. “Israel has some of the most sophisticated state-level defense and offensive operational capabilities in cyberspace,” he added. “They are allies, but I think Israel’s cyber operational activity is undertaken by Israelis, with Israeli technology and coding, and therefore I think in many ways, Israel is likely to sustain whatever the next phase of the fight is.”

Rishi Iyengar is a reporter at Foreign Policy. Twitter: @Iyengarish
