A Year of Meming Dangerously: Iranian Influence Operations Targeting Israel Since October 7

Introduction

An Israeli florist delivered a funeral bouquet in April 2024 to the parents of Liri Albag, a 19-year-old hostage in Gaza. Albag was very much alive, but the note with the bouquet said, “May her memory be a blessing, we all know that the country is more important.” The customer who purchased the bouquet placed his order online and was never identified. The Israeli Security Agency (ISA), Israel’s domestic intelligence arm, said it suspected the order was an Iranian ruse intended to cause anguish to the Albag family and sow division among the Israeli public.¹

The incident illustrates how the regime in Tehran, despite its setbacks on the battlefield, has escalated its efforts to influence Israelis by exploiting the internet in different ways. Sometimes, initiatives that begin online spill offline, often intentionally, such as the delivery of a funeral bouquet to the Albags. This cruel example exemplifies how the Islamic Republic of Iran, limited in its military options for harming Israel and its population, employs influence operations of all kinds in an attempt to shape Israeli perception. A deeper understanding of how Iran conducts these operations points toward multiple lessons for the United States and its own ability to succeed in nontraditional domains of conflict.

Despite the massacre of October 7 — an overwhelming success from the perspective of Tehran and its proxies, including Hamas — the clerical regime’s so-called “axis of resistance” has suffered pivotal setbacks in the war it started. With American assistance, Israel has destroyed much of Iran’s nuclear and ballistic missile programs. A combination of covert operations and airstrikes eliminated Hezbollah’s leadership and left it paralyzed. In the absence of support from Hezbollah, Syrian President Bashar al-Assad’s regime collapsed. The Iran-backed Houthi rebels in Yemen endured both U.S. and Israeli airstrikes. Hamas suffered terrible manpower losses in Gaza, although it continues to fight. What began as a catastrophe for the Jewish state increasingly seems like a strategic defeat for its adversaries.

Nevertheless, Iranian activity online merits greater attention both because its tempo has increased since the start of the war and because Israel has not proven capable of responding decisively. This analysis examines three basic categories of Iranian influence operations: cyber-enabled influence operations, online influence operations, and physical influence operations. In the first, Iran-aligned hackers attack or infiltrate a website, service, or network with the goal of extracting and leaking sensitive information, defacing the website, or employing ransomware. The second category entails inauthentic online behavior, in which hackers create fake personas or even fake news organizations, with the goal of disseminating information that seems credible to Israelis but has a demoralizing or divisive effect. Third are cases where the web serves as a communication tool to spur offline behavior, such as spraying graffiti, hanging up posters, organizing a protest, or, in the unusual case of the Albags, sending flowers.

Since October 7, the Tehran regime has stepped up its operations, increasing the range of its operational types and quality, not just their quantity. The regime’s emphasis has been on the first category of operations, which entails infiltrating Israeli networks, domains, databases, industrial control systems, and other internet-connected or online infrastructure to damage them or collect, exfiltrate, and potentially delete data.² These operations require greater skill and effort than the others since they typically must overcome the target site’s cyber defenses. Despite the lesser skill and effort required for the second category of operations, which mainly entails coordinated networks engaged in inauthentic online behavior, its tempo has remained roughly constant. The success of the third category of operations may be the most concerning, especially with Tehran’s increasing ability to recruit Israelis via social media and messaging operations, then assign them offline tasks intended to lower morale or sow division either as a goal in and of themselves — or as part of espionage or covert operations.

The American public generally associates malign influence campaigns with attempts to shape election outcomes, but the case of Israel and Iran demonstrates their relevance to warfare and conflict below the threshold of war. The United States may be able to learn from this example what to expect in a wartime environment and potentially how to adjust its defenses — or even turn these tactics against those who employ them.

Cyber-Enabled Influence Operations: Iran’s Hacktivist Fronts

According to Microsoft, Iranian threat actors carried out one cyber-enabled influence operation against Israel every two months on average prior to the war, whereas at least 11 occurred in October 2023 alone.³ Those who conduct the operations often present themselves as independent “hacktivists,”⁴ claims that mainly serve to mask their affiliation with the regime. Most have ties to Iran’s Islamic Revolutionary Guard Corps (IRGC), but several are linked to the Ministry of Intelligence and Security (MOIS).⁵ The IRGC and MOIS have created multiple new front groups targeting Israel. The fronts’ methods did not change significantly after October 7 but shifted from targeting commercial and civilian entities to government, military, and industrial defense base targets.⁶

The fronts’ operations have become more technically and operationally sophisticated following October 7, showing increasing coordination capabilities and investments in digital infrastructure. Still, they have not been able to penetrate high-value government and military targets. Several months prior to the massacre, Microsoft Threat Intelligence reported that Iranian operators were turning to “cyber-enabled influence operations … to compensate for shortcomings in their network access or cyberattack capabilities.”⁷ In some instances, the threat actors falsely claim that their attacks succeeded. To support such claims, they sometimes release information they claim to have exfiltrated but is in fact publicly available data.⁸ For instance, the hacktivist front Cyb3rAv3ngers repurposed previously leaked data to level false claims that they successfully compromised the Israel Electric Company.⁹ Iranian state media outlets often participate in these efforts to exaggerate or invent the impact, with hacktivist fronts amplifying the message.¹⁰ Still, Iranian threat actors have had some genuine success in hacking government, military, and private sector targets, albeit those of lesser value.

Microsoft Threat Intelligence overview of Iranian threat actor groups affiliated with the Iranian MOIS and IRGC. Source: Microsoft Threat Intelligence.

In November 2024, one Iran/Hezbollah-aligned group, Radwan Cyber Pal, compromised an Israeli Ministry of National Security server that Israeli citizens used to upload identification to receive firearm licenses.¹¹ In addition, a front named NetHunt3r compromised an Israeli Ministry of Defense server used for purchasing and acquisitions, exposing sensitive but not classified data.¹² A third front targeted the Israeli Ministry of Justice and published what it said were confidential documents it had extracted.¹³ According to Microsoft, on October 18, 2023, an Iranian threat actor falsely claimed to have compromised cameras on an Israeli military base. In reality, the group merely posted images on Telegram taken from cameras on a residential street with the same name as the base.¹⁴ The effort made headlines in and out of Israel.¹⁵ Iranian threat actors posing as hacktivists have also impersonated anti-Zionist Israelis on at least one occasion to carry out hack-and-leak and wiper attacks (attacks that delete the data of the victim organization) utilizing the “BiBi” wiper malware, named after Prime Minister of Israel Benjamin Netanyahu’s nickname, according to the cybersecurity firm Checkpoint.¹⁶

One of the most active front groups is Handala Hack, founded in December 2023, which has carried out more than 50 cyber operations against Israeli and Israel-related international targets.¹⁷ Handala repeatedly claimed to have targeted the Israeli Iron Dome anti-missile systems and Israeli defense contractors, although it has provided no evidence of such actions.¹⁸ The group also sent mass text messages with malicious links to Israelis and successfully accessed personal photographs and other information belonging to senior Israeli defense officials.¹⁹ Iranian state media has amplified Handala’s claims,²⁰ and Israeli and international media have given significant attention to their operations, even those that have been debunked or exaggerated.²¹

The ISA published information in December 2024 about more than 200 phishing attacks carried out by Iranian actors against Israeli political and military figures meant to compromise their personal devices for later doxxing and potential physical attacks.²² Google’s Threat Analysis Group exposed Iranian threat actor APT 42, affiliated with the IRGC’s Intelligence Organization, as being behind most of these operations.²³

Timeline of Iranian hacktivist fronts and cyber-enabled influence operations targeting Israel, 2021-2023. Source: Microsoft Threat Intelligence.

One of the most successful doxxing efforts dubbed itself IDFLeaks and published collated case files on thousands of Israeli servicemembers.²⁴ Branded with Hamas logos, these files consisted of personal information taken from past data breaches as well as open-source information, such as social media profiles. Aside from the potential to instill fear, doxxing may enable additional cyber or physical harassment. Microsoft attributed IDFLeaks to the MOIS,²⁵ and an FDD investigation into the operation found multiple technical and behavioral indicators tying the operation to Iran.²⁶ (See Appendix for IDFLeaks threat indicators.)

Israeli critical infrastructure has long been a target of Iranian cyber operations, and this has continued during the war. IRGC-affiliated hacktivist front Cyb3rAv3ngers targeted Israeli water plants in October 2023 and since then has continued to target other critical infrastructure in Israel, the United States, and around the world. Cyb3rAv3ngers gained notoriety in the United States for targeting water utilities that utilized Israeli-manufactured programmable logic controllers (PLCs), a piece of equipment used for managing industrial systems, defacing screens with anti-Israel messaging.²⁷ The U.S. Department of the Treasury sanctioned six IRGC-affiliated cyber operators in February 2024, accusing them of operating the Cyb3rAv3ngers persona.²⁸

Defacement of a Unitronics PLC in a U.S.-based water facility. (Source: Municipal Water Authority of Aliquippa via AP)

Aria Sepehr Ayandehsazan (ASA)

One Iranian threat actor stands out for increasingly potent capabilities. Emennet Pasargad, an IRGC-affiliated front company now operating as Aria Sepehr Ayandehsazan (ASA), is Iran’s most prolific cyber-enabled influence operation threat actor. In 2022, Microsoft attributed the majority of Iran’s cyber-enabled influence operations to ASA alone.²⁹ ASA has also carried out influence operations targeting U.S. elections.³⁰ The company also runs multiple hacktivist front groups.³¹ ASA’s operations were so pervasive that the FBI, Treasury, and the Israel National Cyber Directorate (INCD) published a joint advisory on ASA’s activity in October 2024, detailing how ASA operates.³²

Microsoft overview of ASA’s operations, August-December 2023. Microsoft tracks ASA activity as “Cotton Sandstorm.” Source: Microsoft Threat Intelligence.

ASA has carried out at least four complex, high-profile operations targeting Israel following October 7.³³ It launched the first, CyberCourt, on April 4, 2024. CyberCourt’s behaviors and network infrastructure align with previous Iranian activity despite its attempts to disguise its infrastructure. Last year, the U.S. government seized CyberCourt’s primary domain, but it remains active on a new website.³⁴ Previously, to bypass other sanctions, ASA created two front companies, Server Speed and VPS Agent. ASA used these fronts to purchase server space from European providers, including Stark Industries, a Moldovan-based hosting service known for servicing Russian influence operations.³⁵ (See Appendix for CyberCourt threat indicators.)

The CyberCourt network presents itself as a “tribunal” that issues “verdicts against Zionist criminals.”³⁶ The network claims to represent a broad swathe of hacktivist groups, including Iranian fronts such as Cyb3rAv3ngers and Cyber Toufan al-Aqsa, as well as non-Iranian groups, such as Anonymous Sudan. ASA also created new hacktivist fronts for the CyberCourt operation, including NetHunt3r, Anonymous South Africa, the Emirates Student Movement, and later Zeusistalking.³⁷ Once the CyberCourt issues a verdict, it calls upon these hacktivist member groups to exact justice.

In addition to issuing “indictments,” the CyberCourt carried out two cyber operations of its own against the Israeli National Insurance Institute and the Israeli Ministry of Defense via the NetHunt3r and Makhlab al-Nasr fronts. The operations compromised web-facing portals. ASA then amplified the operations by posting exfiltrated files and data, including personal information of Israeli citizens, to hacking forums, Reddit, YouTube, and Telegram. Iranian state media also immediately amplified the attacks.³⁸

Screenshot from the Makhlab al-Nasr hacktivist front group amplifying a cyber operation targeting the Israeli National Insurance Institute. Source: Memetic Warfare.

Next, ASA targeted the Israeli delegation to the Paris Olympics in July 2024 with two distinct yet concurrent operations. First, ASA set up a new hacktivist group, Zeusistalking, and equipped it with the requisite Telegram channel, clear and Onion domains,³⁹ and X and Facebook accounts. As in other ASA operations, the Zeusistalking domains employed tracking pixels, which are small image files that gather information on visitors, to monitor web traffic. ASA also set up prepositioned backup domains and a large number of backup Telegram channels in case their initial domain, channels, or accounts were taken down.⁴⁰ ASA operators then compromised the Israeli Olympic Commission and used the Zeusistalking network to post the personal information and travel accommodations of the Israeli Olympic delegation. CyberCourt announced retroactively that this operation resulted from a CyberCourt “indictment.”⁴¹ Just 12 hours after the operation launched, Iranian state media outlet HispanTV began to cover it, showing probable coordination between ASA and Iranian state media outlets.

Personal information chart of an Israeli Olympic athlete, posted by Zeusistalking (left). Screenshots of travel documents, accommodation reservations, and personal information of Israeli Olympic athletes from the Israeli Olympic Commission (right). Source: Memetic Warfare.

For the second operation targeting the Israeli Olympic delegation, ASA set up “RGUD,” whose name is a reference to the now defunct French far-right group Groupe Union Défense (GUD). RGUD then sent text messages and emails with death threats to Israeli athletes. RGUD also sent texts to multiple Israelis in Hebrew, inviting recipients to the funerals of specific Israeli athletes.⁴²

ASA continues to target Israel. During Israel’s Operation Rising Lion, ASA appears to have created a new hacktivist front, the “Cyber Isnaad Front.” The Cyber Isnaad Front is an Arabic-language group active on Telegram and an Onion domain and has targeted Israeli defense contractors and other military and government targets in the short time that it has been operational, leaking data online and doxxing employees.⁴³ Multiple technical and behavioral elements of the Cyber Isnaad Front align with past ASA operations. In a notable development, the Cyber Isnaad Front uses a human actor in multiple-minute-long videos to showcase their intrusions into Israeli companies.

Screenshot of a Cyber Isnaad Front video uploaded to its Telegram channel showing an alleged intrusion into the CCTV network of Israeli firm CR Casting.

One significant constraint on ASA was its difficulty acquiring hosting services from U.S. and European providers. This meant that Iranian operators likely had to invest considerable time and resources in setting up backups and finding willing hosting services. ASA’s creation of front companies to procure hosting services emphasizes how critical hosting infrastructure is to these operations. Israeli government agencies are also increasingly adept at publicly identifying and reporting influence operations to social media platforms and messaging applications, forcing ASA to preposition backup infrastructure prior to a given operation.

Online Influence Operations

Before October 7, Iran employed botnets and inauthentic accounts, but their efforts rarely amounted to complex, coordinated operations.⁴⁴ These were small-scale efforts to sow discord by exploiting fault lines in Israeli domestic politics.⁴⁵ Since the war began, the pace and scale of Iranian operations have escalated. Iranian threat actors have experimented with generative AI, although they seem reliant on commercially available tools. These actors have also made innovative use of nontraditional platforms for influence operations, such as messaging applications and Google tools. In some instances, the inauthentic nature of the Iranian operations is readily apparent.

Iran-promoted content now emphasizes divisions about the conduct of the war, perhaps with an eye toward weakening the Israeli resolve to fight. Key themes include Netanyahu’s alleged prolonging of the war to maintain his grip on power, the reliance of Netanyahu’s coalition on far-right parties, the exemption of ultra-Orthodox Jews from the draft, and tensions in U.S.-Israel relations.⁴⁶

Content sample from the Dofek TV Facebook page, showing content meant to sow strife between secular and religious Israelis. Source: Memetic Warfare.

One indicator of the growing ambition of Iranian efforts to deceive Israeli audiences is the creation of websites posing as authentic Israeli news organizations. In February 2024, Iran created Dofek TV, a centralized network comprised of a domain, Facebook page, and accounts on Instagram and other platforms, yet poor operational security ensured its exposure as a fraud. An investigation showed that Dofek TV’s Facebook page operators were based in Lebanon, and Arabic file names were visible in its source code. Dofek used Facebook and Instagram ads to improve its reach, but most of the network’s content still received only dozens or hundreds of views.⁴⁷ Memetic Warfare first exposed Dofek as an inauthentic network, and Israeli media outlet Walla covered the operation in April 2024.⁴⁸ Meta dismantled Dofek’s accounts later that year.⁴⁹

Arabic-language file name on the Dofek TV domain (left). Dofek TV’s Facebook page’s transparency section, exposing two managers in Lebanon (right). Source: Memetic Warfare.

Several months later, Iran launched a similar effort, this time called “Israel in a Minute.”⁵⁰ Its operators used commercially available AI tools to generate two inauthentic news anchors.⁵¹ Much of the operation’s video content was AI-generated as well, and many of its accounts utilized generative adversarial networks (GAN)⁵² to create images for profile pictures.⁵³ Its content, however, garnered fewer than a few hundred views.

Meta linked Dofek, Israel in a Minute, and a third effort, “Halalom Israel,” to Lebanese operators with ties to the pro-Hezbollah,⁵⁴ Bahraini outlet LuaLua TV, whose web domain the U.S. Department of Justice (DOJ) seized in 2021 due to violations of sanctions on Iran.⁵⁵ Accordingly, Meta dismantled the accounts of all three.⁵⁶ While Meta did not directly attribute the operation to Iran, the direct involvement of pro-Hezbollah and sanctions-violating media outlets point to regime control or guidance.

Decentralized influence operations, such as X botnets or masses of inauthentic accounts, are also a recurring feature of Iranian influence operations targeting Israel. Israeli NGO FakeReporter and news outlet Ynet exposed one cluster of suspicious accounts on X, Facebook, and Instagram with significant reach among Israelis.⁵⁷ Posting in a coordinated fashion across multiple platforms, the cluster generated inauthentic images of Israeli politicians and soldiers and posted incendiary content. One image showed Netanyahu holding a gun to an Israeli hostage’s head, with the caption “I’m sorry, but I have to stay in power.” The network uploaded content in Hebrew (likely AI-generated), English, Russian, Spanish, and Amharic, all languages commonly spoken in Israel. In contrast to the networks that Meta identified, this cluster achieved greater exposure among Israelis. According to FakeReporter and Ynet, the network was active in over 1,200 Israeli Facebook groups.

Emerald Divide

One of the most prolific online influence campaigns, dubbed Emerald Divide,⁵⁸ created different personas, groups, and channels on WhatsApp, YouTube, Instagram, TikTok, and especially Telegram to target a broad spectrum of Israelis. Emerald Divide created fronts like “Jewish Fist” to masquerade as far-right Kahanist groups, while “The Secular Israelis” and other fronts pretended to be groups opposed to ultra-Orthodox Jews. The operation exploited the religious-LGBTQ divide, left/right partisanship, and discontent with the elected coalition following October 7.

Emerald Divide also created operations focused on Israeli casualties of war and hostage families. Its “Tears of War” Telegram channel, for instance, posted information on Israeli soldiers killed in action. The channel also shared pictures of Israeli hostages to promote protests against the government. Narratives and campaigns exploiting topics such as volunteering for hostage families gained some limited traction in Israel, although the overall impact is hard to measure. Recorded Future sampled the followers of one of Emerald Divide’s Instagram accounts and found that the majority were likely inauthentic bots.⁵⁹

Emerald Divide also distinguished itself through its use of Google Forms and online petitions. At least two Emerald Divide entities urged viewers to register on Google Forms for fictional volunteering opportunities or protests. Those who signed up provided the Iranian operators with their personal information.

Employing the same tactic, the Emerald Divide Telegram channel “Traitor Trial” created a petition on Drove, an Israeli public petition site, to garner signatures calling for trials of right-wing Israelis supportive of highly controversial judicial reform legislation. Traitor Trial used generative AI to write the petition, and the overwhelming majority of its more than 10,000 signatures appear to be inauthentic.⁶⁰ Another Emerald Divide entity circulated a Drove petition calling for the return of Israeli hostages. Real Israelis appear to have signed the petition, in the process turning over their email address and basic personal information to the Iranian operators. The utilization of a domestic Israeli platform like Drove demonstrates a level of awareness of Israeli society on the part of the operators.

Emerald Divide (and other Iranian operations) also tricked Israeli influencers on Telegram into spreading Iran’s propaganda. Tears of War, for example, paid Israeli influencer Daniel Amram to unwittingly promote its channel to his then 378,000 followers.⁶¹ This tactic was affordable, with a single post on Amram’s channel costing only 800 NIS, or approximately $220. The ability of the Iranian operators to pay for the ads suggests there may be vulnerabilities in Israeli financial enforcement mechanisms.

Iranian online influence operations ramped up significantly in June due to Israel’s Operation Rising Lion. Multiple new Iranian influence networks began to operate in the early stages of the 12-day war with Israel. Many of these networks’ operations openly branded themselves as pro-Iranian, rather than engaging in inauthentic behavior. One operation, “Attack Alarm,” which unnamed Israeli sources attributed to the IRGC Intelligence Organization, posted information about Iranian missile attacks against Israel to spread fear.⁶²

FDD identified one multiplatform influence operation, “Iran Hayom,” run by a former employee of an Iranian state media outlet. The operation overtly targets Israelis with content meant to instill fear and intimidate the Israeli population.⁶³ Some Iranian operations also utilized crowdsourcing. For example, the “Car Online” network publicly called on and guided Iranians to create X accounts masquerading as Israelis and post demoralizing content. It provided them with instructions, lists of Hebrew names to use, and even guides on how to use ChatGPT to create content in Hebrew. Iranian media outlets have also joined the fray, with one pro-regime outlet named “Farhiktegan” creating a forged list of Israeli pilots and publishing it in an attempt to intimidate actual Israeli pilots.⁶⁴

Physical Influence Operations

Physical influence operations leverage espionage, infiltration, and even sabotage and attempted assassinations to influence a population. In recent years, Iran has increasingly turned to physical influence operations. This may be because they tend to have a greater impact: the intended target is more susceptible to the influence because a fellow citizen undertakes the activities. A target who realizes a foreign country is behind the intrusion is likely to feel a greater sense of vulnerability to future attacks. Some of these operations make national or even international headlines, achieving greater reach than the operator could otherwise.

The prevalence of Iranian physical influence operations following October 7 stems from Iran’s successes in recruiting human intelligence assets in Israel. While the operations themselves have enjoyed only minor success, this remains a potent vector of influence because of the perception (rather than reality) of the operation’s efficacy. Physical influence operations can also further Iran’s ability to conduct online influence operations. Photographs from protests and military sites can be used to create new fake content for online influence campaigns.

Iran has achieved unusual success in recruiting human intelligence assets in Israel since October 7. The ISA saw a meteoric 400 percent jump in counter-espionage-related arrests in 2024 compared with 2023. The Shin Bet reportedly busted 13 Iranian cells and issued 27 indictments against Israelis spying for Iran.⁶⁵ Iranian intelligence officers first contacted many of the individuals in these cells over Telegram and other platforms. Tehran paid recruits with cryptocurrency to conduct espionage, sabotage, physical influence operations, and assassination attempts.⁶⁶

Despite the Shin Bet’s efforts, Iranian human asset recruitment continues unabated. Iran set up one overt recruitment operation appealing to Israelis via TikTok and Telegram in August 2024.⁶⁷ Authorities blocked it, but this type of overt recruitment may stoke fears of Iranian infiltration of Israel. In January 2025, the Israel Police published a video in Hebrew, Arabic, and Russian encouraging those contacted by Iranian intelligence officers to contact the police immediately.⁶⁸ While the operation was exposed, this type of overt asset recruitment is in itself a form of influence operation, triggering concerns of Iranian infiltration of Israeli society.

Suspected Iranian human asset recruitment operation targeting Israel, posted in November 2024. Source: Memetic Warfare.

Despite Iran’s success in recruiting some Israelis, these recruits have so far had limited impact. Tehran has often employed them to conduct low-level influence operations rather than espionage targeting sensitive sites. This lack of success may be at least partially attributed to the fact that Iran often recruits from marginalized groups whose members do not have access to sensitive military information.⁶⁹ Instead, recruits put up posters, set fires, deface ATMs, spray graffiti, and photograph political activists.⁷⁰ Disconcertingly, however, Iran has also used these human assets to track the movement of an Israeli nuclear scientist and even attempted to arrange the scientist’s assassination in exchange for $60,000.⁷¹ In another high-profile case, an Israeli man, who Iranian intelligence officers contacted over Telegram, was arrested after placing explosives near the residence of the Israeli defense minister in a failed attempt to assassinate him.

Accepting assignments to conduct influence operations may prepare Israeli recruits for higher-value work. At first, individuals may balk at requests to photograph a sensitive installation or carry out an assassination but agree to put up posters in exchange for a few hundred dollars. Once comfortable with working for Iranian intelligence and proven willing to carry out basic tasks, the recruit may accept more challenging work. For example, an Israeli soldier (and later reservist) accepted a request to conduct an influence operation because he believed the work was easy money. The Iranian operator at first asked the soldier to spray pro-Iran graffiti, and only later tasked him with filming a classified Iron Dome system. The individual has since been arrested and is awaiting trial.⁷²

Israel’s Response

Israel has only begun to adjust to the threat posed by online influence operations. The ISA, which is the body responsible for countering all forms of foreign interference, mainly operates covertly. The public nature of foreign interference clashes with covert collection methods, leaving the public unaware and uninformed of the threat. In addition, the ISA, like the Israeli defense apparatus overall, relies mainly on closed or classified sources, such as human, imagery, and signals intelligence. These are often unsuitable for sharing with the Israeli public, lest the information jeopardize sources and methods. By contrast, monitoring online influence activity at scale both effectively and legally requires open-source intelligence methodology and tools.

In a sign of progress, the ISA has begun publishing advisories on Iranian interference activity, but the information provided is often published without context or the technical details, known as threat indicators, which enable other organizations working to counter online interference to identify the same or similar threats.⁷³

The Israel National Cyber Directorate (INCD) has attempted to remediate the situation by exposing Iranian threat actors. At Israel’s Cyber Tech conference in April 2024, for example, the INCD’s director-general exposed the “Black Shadow” threat actor as being run by an MOIS-affiliated front company.⁷⁴ The INCD also published reports and advisories on Iranian fronts, such as Zeusistalking,⁷⁵ and collaborated with U.S. counterparts on a joint advisory about ASA.⁷⁶ However, INCD’s response time is often slow and irregular — for example, at the time of this writing, the INCD has yet to publish any alerts on foreign influence operations that took place during Operation Rising Lion.

Nevertheless, the INCD is the logical body to complement the ISA with more public-facing counter-influence work. To do so, however, it needs to mature its public communications and a settled legal framework for countering online influence operations. The government’s response to Iranian hackers’ penetration of the Ministry of Justice illustrates the need for updated thinking on the legal front. After the hack, the ministry issued a gag order (which remains in effect) on the details and content of the hack.⁷⁷ While the gag order prevents publishing about the hack in Israel, foreign news outlets have published on the leaks, making the impact of the gag order minimal. Indefinite gag orders also prevent researchers from publishing analysis and threat indicators, reducing the preparedness of other potential targets and limiting free speech.

Recommendations

U.S. policymakers and Western hosting services and social media platforms can learn four lessons from Iranian influence operations and Israel’s responses. The high tempo and volume of the operations can make it hard to respond in a timely manner to hostile narratives. However, the United States and its partners can and should degrade Iran’s and other adversaries’ abilities to conduct influence operations.

1. Strengthen know-your-customer (KYC) processes for hosting services in America and Europe: The need to secure domain hosting continues to limit the scale of Iranian influence operations. Without hosting services, threat actors cannot create and maintain websites and other digital infrastructure. Western hosting services tend to be more reliable and less likely to attract scrutiny from governments or users. To access these services, Iranian operators often rely on front companies to evade sanctions and other regulations. If America and its allies require hosting servers to strengthen their KYC processes, Iran and other adversaries will have a harder time accessing the infrastructure they need for influence campaigns (and other malicious activity in cyberspace).
2. Remove and prevent the creation of fake accounts on social media: Most influence operations rely on easily acquired fake accounts to promote their content online. Social media companies already take down numerous fake accounts while relying on various screening measures to prevent the creation of new ones, yet their efforts do not match the scale of the problem. More can be done.⁷⁸ Platforms should redouble their investment in information security, counterintelligence, and trust and safety teams to holistically understand and preempt the exploitation of their platforms not only for influence operations but also for recruitment efforts and cyber operations.
3. Empower agencies to utilize open-source intelligence to counter foreign malign influence: Leveraging open sources for intelligence collection enables defenders to operate at a pace closer to that of the adversary. The U.S. intelligence community and government as a whole should adopt open-source intelligence methodologies and tooling to support efforts to counter malign foreign influence. Government agencies should not only leverage information available on social media but should also increasingly look at messaging applications and newer forms of online social media as part of open-source collection.In parallel, these agencies should publish detailed technical reports and advisories on a regular basis. The U.S. government’s response to foreign interference in the 2024 presidential election illustrates how proactive investigation and response to foreign influence operations, even without open-source evidence to substantiate claims, can take the edge off of adversarial operations.⁷⁹ France’s VIGINUM and its detailed technical reporting on Russian influence operations is another useful example, empowering governments and companies worldwide to identify and act against exposed infrastructure and assets. High-quality and technical open-source intelligence reporting can also be a useful vector for laundering data gleaned from closed-source or technical collection methods, enabling the U.S. government to bring to bear its full apparatus of collection sources and methods.
4. Develop a strategy for covert influence operations that seek to actively degrade adversarial capabilities: In addition to strengthening its defenses against influence operations, the United States needs to go on the offensive to degrade the capabilities of its adversaries in cyberspace. The government should consider how and when to adapt adversarial influence operation tactics and employ them at ethical and effective opportunities. The cognitive domain should extend not only to winning the hearts and minds of a given state’s populace but also to degrade the capabilities and subvert the fortitude of an adversarial authoritarian regime. This strategy should include the full spectrum of influence operations, including cyber-enabled and physical, and should include consideration of when and how such operations are permitted against adversaries and how those operations should be combined with cyber or military operations.

Conclusion

Iran and Israel are no longer openly at war, but their multi-decade conflict in the shadows has resumed. Iranian cyber-enabled influence operations targeting Israel continue unabated and have a high probability of continuing even after the Israel-Hamas war officially ends. As Israel continues to adapt to the threat, the United States should closely monitor the lessons Jerusalem learns and share those of its own hard-won experience. All democratic nations should consider changing their strategic posture by complementing stronger defensive measures with an aggressive stance toward their adversaries in the cyber domain. With the right changes, democracies can not only compete but also thrive in the gray zone.

Appendix: Threat Indicators

The following indicators are those identified in investigations performed by the author and published by FDD or in a personal capacity and do not represent a comprehensive or exhaustive list of all indicators.