August 6, 2024 | Flash Brief
Iranian Cyber Warfare Targeting Israel Seeks to Exploit Fears of Military Attack
Latest Developments
A malicious email sent to Israeli citizens on August 4 purporting to contain “citizen safety” guidelines drawn up by the Israel Defense Forces (IDF) has highlighted attempts by Iranian cyber-attackers to exploit the Israeli public’s fears of an imminent Iranian strike. The ongoing Iranian phishing campaign sends English-language emails aimed at enticing Israelis to click on a malicious link to the alleged material covering “vital topics to ensure [the Israeli public’s] safety and well-being.” The campaign leverages infrastructure and methodology previously attributed to “MuddyWater,” a shadowy group run by the Iranian Ministry of Intelligence and Security (MOIS). Israel has been on heightened alert since the assassination of Hamas political leader Ismail Haniyeh in Tehran on July 31.
Expert Analysis
“This campaign is a leading example of the fusion of cyber, kinetic, and influence operations. Prior to the Israeli assassination of Haniyeh, cyber-attackers from the Iranian MOIS targeted a broad swathe of Israeli companies and organizations via targeted phishing emails. The speed of their pivot following Haniyeh’s killing presumably explains the unconvincing nature of this current campaign; the operation uses English phishing emails instead of Hebrew and reuses previously revealed infrastructure and distinct methods, making the operation easier to identify, attribute, and expose.” — Ari Ben Am, Adjunct Fellow, Center on Cyber and Technology Innovation
“This Iranian campaign simultaneously exploits and exacerbates public fear to facilitate cyber intrusion while attempting to create a sense of panic. Cyber-attackers commonly leverage fear, uncertainty, and doubt (FUD) to manipulate targets into clicking on malicious links. This campaign takes FUD a step further, not only using this tactic to facilitate a cyber-attack but also using it to launch a psychological operation against Israeli citizens.” — Max Lesser, Senior Analyst on Emerging Threats, Center on Cyber and Technology Innovation
MuddyWater’s Evolving Tactics
MuddyWater has been active since at least 2017, according to MITRE, a U.S. federally funded research and development center. The U.S. Cyber and Infrastructure Security Agency (CISA) has observed that MuddyWater has historically attacked global targets spanning Asia, Africa, Europe, and North America. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned MuddyWater on September 9, 2022, following a significant cyberattack on Iranian dissidents in Albania, which led Albania to cut diplomatic ties with Iran.
MuddyWater has significantly increased its cyber-attacks against Israel since October 7, according to cybersecurity company Check Point Research. In November 2023, cybersecurity firm Deep Instinct reported that MuddyWater carried out phishing attacks against Israeli targets, presumably government employees, by sending out a malicious file impersonating a memo by the Israeli Civil Service Commission. More recently, Check Point observed that MuddyWater has sent over 50 spear-phishing emails since February 2024, targeting hundreds of recipients, including Israeli companies and municipalities as well as targets in Turkey, Azerbaijan, Saudi Arabia, India, and Portugal.
Following the assassination of Haniyeh in Tehran, MuddyWater has added an element of psychological warfare to its cyber operations, apparently exploiting Israeli fears of a retaliatory Iranian strike. Other forms of malicious cyber activity emanating from Iran in recent weeks include a doxing campaign threatening Israeli athletes competing at the Olympics in Paris.
The Israeli government has already issued alerts warning of MuddyWater’s phishing campaigns against Israeli targets, as described in an Israeli cybersecurity advisory published in June.
Related Analysis
“Iran Orchestrating Online Campaign Against Israeli Olympic Athletes,” FDD Flash Brief
“Iran Obtains Advanced Cyber Warfare Capabilities from Russia,” FDD Flash Brief
“The Dangers of Iran’s Cyber Ambitions,” by Annie Fixler