As the skies over Iran and Israel lit up with missiles and drones on Friday, Iran-aligned hacktivists wasted no time launching attacks of their own.
No sooner had the Israeli military targeted Iranian nuclear and military sites in a bid to neuter Iran’s nuclear capabilities than the researchers at Radware observed an uptick in activity on Telegram channels by actors sympathetic to Iran, according to an alert issued by the security firm. The cyber assaults are expected to intensify as the two countries exchange volleys.
In the wake of the Netanyahu government’s Operation Rising Lion, not surprisingly, Radware says “the Israeli cyberthreat landscape has escalated significantly.”
As John Bambenek, president at Bambenek Consulting, says, the details in the alert “should be expected behavior for almost any armed conflict in the Middle East.”
Sophisticated threat actors in Iran “likely have already been preparing for this eventuality and they are perfectly able to act independently of the government and thus unimpeded by the high-level killings of Iranian leadership,” he says.
Israel’s kinetic attacks, which have taken out key Iranian military leaders and decimated critical infrastructure, have already prompted an in-kind military response from Iran, with all security eyes on cyberspace. That’s where the two countries have waged war since 2010, when the Stuxnet worm was deployed to hobble centrifuges critical to Iran’s nuclear program.
In the years since, Iran has sharpened its own cyber acumen, with bad actors in one campaign a decade ago striking targets in the West and Mideast via high-profile DDoS attacks on U.S. financial institutions by the Iranian Cyber Army. Radware researchers believe that Iran, stinging from recent Israeli actions that have chipped away at Iran’s military operations, is even “more likely than ever to retaliate through cyberattacks.”
Bambenek expects the attacks will predominantly take the form of website defacements, as we have already seen, and denial of service attacks.
Among the activities researchers have observed as Friday’s attacks unfolded were claims by the Arabian Ghost that Israeli radio stations had been shut down, with other groups boasting they had shuttered the Mossad website. Jordan and Saudi Arabia were warned by Team Bangladesh to support Israel at their own peril and be prepared for cyberattacks aimed at their national infrastructure. And an actor called #OpIsrael took to the Cyber Bulletin channel to report attacks on Tzofar, the Israeli public address system tasked with alerting civilians to potential missile attacks.
We can expect more of the same (or worse), whether or not the military strikes continue. Radware expects operational priorities to include nicking sensitive state and military information, the compromise of Israel’s government and defense networks and the launch of phishing and social engineering efforts as well as zero-day exploits.
“In line with previous escalatory patterns, Iran may also engage in disruptive attacks intended to degrade or interrupt essential services,” Radware said, noting those attacks could be accompanied by massive disinformation campaigns.
In the U.S., Bambenek warns that “Israeli or Jewish-aligned organizations are the most likely targets, followed by critical infrastructure generally.” And, he advises that organizations should ensure their disaster recovery plans are current.
That latter point often goes overlooked, with disaster recovery plans languishing without needed updates. As Ray Seid, senior director of education at the Disaster Recovery Institute International, pointed out at the recent Making Vinyl conference in Memphis, disaster recovery is not a “one and done.” He suggests organizations revisit their plans and do tabletop exercises annually to address emerging risks.
To address the immediate threats stemming from the ongoing conflict between Israel and Iran, Radware recommends organizations enhance monitoring, harden systems, pump up employee awareness, put incident response teams on high alert and “prepare counter-disinformation strategies and coordinate with trusted media outlets to mitigate the impact of fake news” before it takes root and damages their reputation. We’ve all seen how quickly that can happen and be perpetuated.
The cyber domain is a primary theater in the Israel-Iran conflict. Organizations across Israel must be aware and brace for a wave of sophisticated and ideologically driven cyberattacks. Proactive defense, intelligence sharing and public resilience will be critical in the days ahead.