Iran's hackers are on the offensive against the US and Israel - Ars Technica
Iran’s hackers are on the offensive against the US and Israel
Tehran hopes to stoke fear and extract intel in a series of cyber attacks.
As missile sirens wailed over Israel earlier this month, thousands of Israelis received texts claiming to be from their military, encouraging them to download a fake shelter app, which could have stolen reams of personal data.
Others received a mass text saying: “Netanyahu is dead. Death is approaching you and soon the gates of hell will open before you. Before the fire of Iranian missiles destroys you, leave Palestine.”
The messages, cyber security experts say, are the most visible end of a vast war being waged in the far reaches of the Internet between Iran, Israel and the US, and their online sympathisers.
They may use keyboards instead of rifles but Iran’s hackers, who have fought Israel in the digital shadows for years, are among the most battle-hardened soldiers Tehran can call on.
“The Iranians are throwing everything they have at this,” said Chris Krebs, who as a former director of the Cybersecurity and Infrastructure Security Agency (CISA) was one of the most senior civilian US cyber security officials.
“It is all hands on deck,” Krebs said. “If their cyber operators are breathing, then they will be on their keyboards.”
Their aims vary wildly, from sowing fear to causing chaos, hoovering up intelligence and isolating missile targets. In the murky world of cyber warfare it is hard to tell who even has the upper hand.
But winning in cyber space has become so critical to shaping perceptions and damaging enemy morale that Iran has invested heavily in efforts to pierce American and Israeli firewalls.
Iran has three different levels of cyber operators, whose boundaries are often blurry, analysts and former officials said.
The most experienced are run directly by the Islamic Revolutionary Guard Corps and Iran’s Ministry of Intelligence. They maintain a dizzying array of front organisations, used to introduce plausible deniability for attacks and issue public threats.
Iran also hires semi-autonomous hacking proxies, cybercriminals and contractors. Finally, volunteer hacktivists have also regularly mobilised behind Tehran.
Its operatives are believed by various governments and cyber experts to have doxxed Israel-based employees of a large US defense contractor, hacked the emails of politicians in Albania—which hosts an Iranian opposition group—and infiltrated a Polish nuclear research centre. Much of its most sensitive espionage is likely to have gone unreported.
The most destructive attack attributed to them has been against Stryker, a multibillion-dollar American medical technology company whose clients include the UK’s NHS. Thousands of employees were sent home after being locked out of their computers earlier this month, disrupting supplies of critical equipment and delaying surgeries.
Handala, a hacking front believed by cyber security researchers and the US government to be tied to Iranian intelligence, claimed to have wiped some 200,000 devices, in what Krebs called the most consequential wartime cyber attack against the US ever seen.
Handala also claimed to have broken into a personal email account belonging to FBI director Kash Patel, publishing personal photographs. The FBI confirmed his emails had been targeted by “malicious actors,” but said the information was “historical in nature.”
The current military campaign has escalated a back-and-forth cyber battle that has raged for years between the three countries. The US and Israel have formidable offensive capabilities, and have tended to land larger strategic blows than Iran—dealing, for example, significant damage to the Iranian nuclear programme with malware known as Stuxnet, which was discovered in 2010.
The US launched cyber attacks just before last month’s initial air strikes on Iran, “disrupting and degrading and blinding Iran’s ability to see, communicate and respond,” according to General Dan Caine, chairman of the joint chiefs of staff.
And Israel wielded its cyber intelligence when dealing one of the biggest blows of the war: years ago, it hacked nearly all the traffic cameras in Tehran, part of an extensive intelligence-gathering operation ahead of its assassination of supreme leader Ayatollah Ali Khamenei.
Israel also used a popular Iranian prayer app to send notifications to millions, encouraging regime defections, according to media reports. “Only this way can you save your life for Iran,” one message read.
Iran, meanwhile, is regarded as less technically competent than Russia or China, often relying on phishing and crude “wiper” malware, which deletes targets’ data.
But Tehran has historically used cyber attacks as a low-cost way to do asymmetric battle with its stronger rivals, spreading confusion and jamming the gears. In 2022, some Israeli media outlets accused Iranian hackers of infiltrating an old phone of Mossad chief David Barnea’s wife, leaking what appeared to be his personal information on Telegram.
It has fought the current campaign on two fronts, said Alexander Leslie of US-based cyber security firm Recorded Future.
To hit softer targets and wage psychological warfare, it has leant on its louder hacktivist fronts and proxies.
But Iran’s more threatening groups have been quieter. Top operatives have been methodically searching for vulnerabilities, analysts say, scouting for entry points and positioning themselves in target networks.
“The loudest activity is not always the most important,” said Leslie.
Seedworm, a group that the US and UK say is linked to Iranian intelligence, has been spotted trying to enter US networks since early February, according to cyber security firm Symantec. The group has been booted out of a US bank, an airport and a software company that supplies the defense industry.
But Iran appears to have been trying hardest to break through Israel’s hardened cyber defenses, which are sturdier than those of the US.
Israeli authorities say it has launched thousands of wiper attacks on Israeli companies, successfully hitting about 50. Its operatives’ hacking of security cameras across Israel and the Gulf has helped target drone and missile strikes, said Gil Messing, at Israeli cyber security company Check Point Software.
Tehran is also aligning its cyber capabilities with its regular war effort. Its hackers showed a “new level” of “scale, effect and sophistication” by coordinating strikes with the mass text messages sent to Israeli citizens, Messing said.
But for all the noise, some analysts are surprised that Tehran has not struck more decisive strategic targets. In the past, it has attacked American and Israeli critical infrastructure, including water treatment plants, but has not struck similar blows during the current conflict.
There are a handful of possible explanations: early Israeli strikes may have weakened Iran’s capabilities; Tehran might have hobbled its own hackers by throttling its Internet for domestic censorship; and it can just take time to design the complex malware needed for big attacks.
They may also have found their way undetected into sensitive economic or military targets, squatting inside to suck up information. “They could have long-term access that they are not ready to burn,” said Andy Piazza at cyber security firm Palo Alto Networks.
But if it can get its hackers firing, US defenses are uneven, some experts say.
“If they’re given time and space to regroup, [Iran] could very well develop the capabilities to deliver something more decisive,” said Matthew Ferren at the Council on Foreign Relations.
In Israel, critical-infrastructure cyber security is handled by the state, whereas in the US and Europe the private sector has to protect itself but can seek government help after a breach. The US also has structural weaknesses caused by the early Internet’s decentralised adoption and the sheer size of the country and its dispersed infrastructure.
US defensive capabilities recently began further atrophying owing to the Trump administration’s clashes with CISA, the agency tasked with protecting critical infrastructure, analysts said. CISA has not had a permanent director since January 2025 and is operating at around a third of its normal staffing.
“I am concerned,” said Emily Harding of the Center for Strategic and International Studies. “The cat is out of the bag at how weak we are defensively.”