Israeli Companies Under Attack by Hacktivists With Likely Ties to Iran

A new anti-Israel hacktivist group called Cyber Isnaad Front (الجبهة الإسناد السيبرانية) claims to have compromised Israeli government, military, and private sector targets. While the group posts in Arabic and presents itself as independent, its behaviors align with known Iranian hacktivist fronts, suggesting the group has ties to the Iranian regime.

Hacktivist Front Has Already Found Success

Cyber Isnaad Front opened a Telegram Channel on June 17 and, the next day, claimed to have successfully compromised Israeli defense contractors and critical infrastructure providers, exfiltrating data and destroying systems. The group’s Telegram channel has fewer than 1,000 subscribers. Regardless of its small following, the group backed up its claims of success by posting employee data, documents, blueprints, and CCTV footage of offices and factories. While the Foundation for Defense of Democracies cannot authenticate this evidence, at least some of it appears to be genuine. The posted documents have no language issues or formatting problems. Other elements, such as CCTV footage, show no obvious signs of forgery.

When posting about its alleged victims, the group uses a modified version of the inverted red triangle that Hamas’s al-Qassam Brigades places on military targets in propaganda videos. The Telegram channel also links to an associated dark web site, where it salutes the Palestinian nation and the children of Gaza.

Hacktivist Group or Front for Iran?

While draping itself in the imagery of Palestinian terrorist groups, Cyber Isnaad Front’s behavior aligns with Iranian hackers, specifically, the Iranian group Emennet Pasargad, which now operates under the name Aria Sepehr Ayandehsazan (ASA). ASA is one of the most skilled and prolific Iranian cyber threat actors, known for attacking Israeli, U.S., and European targets. Like ASA, Cyber Isnaad Front targets Israeli critical infrastructure, government agencies, and military suppliers. Both groups post high-quality videos and stylized images and documents showcasing hacked data. Both groups also use dark web sites and similar rhetoric alleging Israeli war crimes.

Iranian state media appears to have worked in lockstep with Cyber Isnaad Front as it has done with ASA in the past. Iranian press outlets published multiple articles, including in Hebrew, to broadcast Cyber Isnaad Front’s successes. Given the group’s small Telegram following and recent creation, it is unlikely that Iranian news outlets would have picked up its claims had there not been backchannel coordination. The Iranian influence operation “Attack Alarm” also shared content from Cyber Isnaad Front.

Unlike other Iranian and pro-regime threat actors, however, Cyber Isnaad Front uses human actors in its videos instead of screen recordings or other imagery. This may be a sign of Iranian hacktivists mimicking Russia’s use of actors in its influence operations.

Know Your Customer Requirements Make Hacking Harder

The United States has already sanctioned members of ASA but with little success. Effective financial sanctions are needed to protect the integrity of the global financial system from illicit activity. The United States and its partners should therefore improve the integrity of global internet infrastructure to impose costs on Cyber Isnaad Front and other threat actors. Malicious actors often rent servers and purchase domains without revealing their identities or, if they are under U.S. sanctions, their designation. These groups prefer to rent from Western companies or hosting companies with infrastructure located in America or Europe since cyber defense tools are less likely to identify Western-hosted operations as malicious. Washington must work with Europe — where many network providers are domiciled — to create stricter know your customer requirements for hosting providers, including integrating biometrics. Forcing hackers to use less reliable and less trusted network infrastructure — perhaps even illicit providers — will make each operation more expensive and more cumbersome. Pressuring threat actors to use lower-quality providers also makes it easier for the United States and its allies to take action against those providers as illustrated by the July 1 sanctioning of the Russian bulletproof hosting firm Aeza.

Ari Ben Am is an adjunct fellow at FDD’s Center on Cyber and Technology Innovation (CCTI), focusing on emerging threats, influence and information operations, cyber operations, and hybrid warfare. Max Lesser is a senior analyst on emerging threats at CCTI. For more analysis from the authors and FDD, please subscribe HERE. Follow FDD on X @FDD, @FDD_CCTI, and @FDD_Iran. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.