Israel and Iran: ‘Cyber winter is coming’
26 Jun 2020

A new front has opened in the increasingly intense cyber contest between Israel and Iran. On 24 April, a water facility in central Israel was hit by a cyberattack attributed to Iran’s Islamic Revolutionary Guard.

The head of Israel’s National Cyber Directorate, Yigal Unna, declared that this development would be remembered as ‘a point of change in the history of modern cyberwars’.

Two weeks later, Israel retaliated with a cyber strike that temporarily disrupted operations at a busy Iranian port.

The tit-for-tat cyber strikes between Iran and Israel may be a taste of future warfare. Attacks against infrastructure and industrial control systems look set to become more prominent as the cyber capacity of less advanced states grows.

At the time, Israel downplayed the incident, simply describing it as an attempted attack that was dealt with by the water authority and the National Cyber Directorate. It said that no harm had been done to the water supply and that systems continued to operate without interruption. Only on 7 May was the attack first attributed to Iran.

Subsequent reporting, citing anonymous foreign intelligence officials, indicated that the attack was routed through US and European servers and ‘targeted “programmable logic controllers” that operate valves for water distribution networks’. Iran was able to seize control of or alter operating systems and wipe data from at least six sites, and potentially from dozens, although it was unable to disrupt water supplies or waste management. The level of sophistication of the attack was described by one intelligence official as ‘miserable’.

However, an official cited by the Financial Times said later that the attack was more sophisticated than Israel initially thought. It was close to successful, and it wasn’t clear why it didn’t succeed. The aim of the attack may have been to increase the amount of chlorine added to the water, which could have triggered fail-safe measures that would have left thousands of farmers and householders without water during a heat wave and pandemic.

On 9 May, a high-level security cabinet meeting was held to discuss Israel’s response to the cyberattack. A report by Israel’s Channel 13 quoted one official as saying the attack ‘goes against all the codes of war’. On the same day, a cyberattack which unnamed officials attributed to Israel took the Iranian Shahid Rajaee port offline, causing traffic disruptions and chaos for several days but no permanent damage.

The New York Times reported that Israel’s outgoing defence minister, Naftali Bennett, decided that a response was needed to send a message once the Israeli media reported that Iran was responsible for the earlier attack on Israel. Bennett tied the attack directly to the Islamic Revolutionary Guard Corps. Israeli media reports suggested that Israel may have deliberately leaked its responsibility for the retaliatory attack to warn Iran and deter it from future attempts.

Since the massive Russian cyberattack on Ukraine’s electrical grid in 2016, such action against civilian infrastructure during war has gone from a theoretical fear to an unfortunate reality.

Iran has targeted infrastructure in the Gulf states, including Saudi Arabia’s Aramco oil company, Bahrain’s BapCo and Qatar’s RasGas, and continues to try to penetrate infrastructure in the United States. It even managed to hack an unsecured computer controlling a dam in New York in 2013. Iran is unlikely to be deterred from further attempts to do this in Israel, despite the Israeli retaliation against Shahid Rajaee and, the reports say, Israel’s vastly superior cyber warfare capabilities.

In January 2019, Israeli Prime Minister Benjamin Netanyahu said, ‘Iran attacks Israel on a daily basis. We monitor these attacks, we see these attacks and we foil these attacks all the time.’

Unna stressed that the latest attacks were aimed at causing physical damage through command and control systems. ‘This is the first time we have seen something like this, compared to attacks that target databases, which are also serious’, he said.

Iran’s cyberattacks are likely to continue, even though its cyber capability is not assessed as being particularly sophisticated. It reportedly relies mostly on ‘phishing’ and ‘password-spraying’ and on repurposing the more advanced tools of its adversaries.

Hacking for harassment and espionage purposes has been common for decades, but this trend of adversaries attempting to damage one another’s civilian infrastructure is likely to become an increasingly common aspect of declared and undeclared conflict. That’s on top of the terrorism potential of such cyberattacks on civilian infrastructure.

Unna said, ‘Cyber winter is coming and coming faster than even I suspected’. He said we need to stand together against such attacks, which will probably get more sophisticated and deadlier.