Following the initial invasion of Israel by the Hamas militant organisation on 7th October 2023, which was also known as ‘Operation Al-Aqsa Flood’, Iranian state-aligned threat actors launched a series of cyber operations to support their “Shadow War” against Israel. This has primarily involved targeting Israeli government entities and critical national infrastructure (CNI), as well as its geopolitical allies and business affiliates.

In short, Israel became the primary target of a suite of cyberwarfare tactics combining destructive cyber-attacks and influence operations (IO), which Iran implemented in a multi-phased approach, impacting both public and private sector entities.

Iran’s cyber operation trends

Since the Hamas incursion, the Quorum Cyber Threat Intelligence team has detected the following trends relating to Tehran-aligned cyber-attacks and IO.

Cyber-attacks

  • A shift towards a more proactive operational approach against Israeli entities as opposed to the reactive posture that was adopted following the initial Hamas invasion.
  • A surge in coordinated Iranian advanced persistent threat (APT) unit activity within Israel throughout Q4 2023 – Q1 2024.
  • An expanded scope and enhanced sophistication of offensive cyber operations targeting regions perceived to be supportive of Israel, such as Albania, Bahrain, the UAE and the US.
  • Iranian state-sponsored ransomware deployment against Israeli CNI and military assets.
  • Iranian APT unit targeting Middle Eastern affairs experts in the Western education sector.

Influence operations

  • A surge in cyber-enabled IO with misleading claims regarding overall impact on target entities.
  • Iranian state-aligned IO, launched by Cotton Sandstorm, masquerading as Tehran’s allies, including the Izz ad-Din al-Qassam Brigades (IQB), the military division of Hamas.
  • The use of artificial intelligence (AI) on social media to manipulate Israeli citizens into engaging in on-the-ground activities.
  • Psychological warfare using short message service (SMS) and email delivery to exaggerate the claims of Tehran-aligned cyber operations.

Iran’s campaign of cyber-attacks and operations began on 18th October 2023 and continues today.

Targeting Timeline 

The following timeline outlines significant cyber operations that have been launched in alignment with the ongoing Middle East conflict.

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Dubai, UAE Office

Meydan Grandstand
6th floor
Meydan Road
Nad Al Sheba
Dubai, U.A.E

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
