Microsoft uncovers extensive Iranian AI-based cyber ops against Israel amid Gaza war
“Amid the rising potential of a widening war, we expect Iranian influence operations and cyberattacks will continue to be more targeted, more collaborative and more destructive,” warned Microsoft’s report
Since the Hamas attacks on October 7, Iran has been leading an extensive campaign of cyberattacks and influence operations against Israel and Israelis, leveraging advanced technologies, including AI capabilities, according to a special report by Microsoft on Iranian cyber activity published on Tuesday.
This included a case in early December 2023 when Iran interrupted streaming television services and replaced them with a fake news video featuring an apparent AI-generated news anchor. “This marked the first Iranian influence operation Microsoft has detected where AI played a key component in its messaging and is one example of the fast and significant expansion in the scope of Iranian operations since the start of the Israel-Hamas conflict. The disruption reached audiences in the UAE, UK, and Canada,” said Microsoft’s report.
The report states: “Since Hamas attacked Israel in October 2023, Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners. Many of Iran’s immediate operations after October 7 were hasty and chaotic – indicating it had little or no coordination with Hamas – but it nevertheless has achieved growing success.”
Compiled by the Microsoft Threat Analysis Center, an international research body comprising more than 8,000 cyber experts, researchers, and analysts who analyze 65 trillion signals a day to identify current threats, the report delineates three chronological stages characterizing the Iranian attack against Israel: reactive and misleading, all-hands-on-deck, and expanded geographic scope. Throughout these stages, a constant element persists—the combination of targeted cyberattacks with influence campaigns.
The first stage was largely characterized by deception, with Iranian state media disseminating misleading claims about cyberattacks that had supposedly already taken place. “One example was IRGC-affiliated Tasnim News Agency claiming that a group called ‘Cyber Avengers’ had conducted cyberattacks against an Israeli power plant ‘at the same time’ as the Hamas attacks. Cyber Avengers itself (also likely run by the IRGC) claimed to have attacked an Israeli electric company the evening before the Hamas attacks. However, its evidence was only some weeks-old press reporting of power outages ‘in recent years’ and a screenshot of an undated disruption to the company’s website,” Microsoft’s report said.
According to Microsoft, there was a 42% increase in traffic in the first week of the war to news sites run by or affiliated with the Iranian state. Even three weeks later, this traffic was still 28% above pre-war levels.
The “all-hands-on-deck” phase took place from mid-to-late October. “The number of Microsoft-tracked groups active in Israel rose from nine in the first days to 14 by day 15. Sometimes, multiple Iranian groups were targeting the same organization or military base in Israel with cyber or influence activity. This suggests coordination, common objectives set in Tehran, or both.
“Furthermore, the use of cyber-enabled influence operations against Israel significantly accelerated. Iran showed its preference for such attacks in 2022 when it increased the pace of such operations from roughly every other month to multiple operations a month. Iran’s 10 cyber-enabled operations against Israel in October mark a new high point. This was nearly double the previous high point of six operations per month in November 2022, though those previous attacks spanned operations targeting four countries.
“One example happened on October 18 when the IRGC’s Shahid Kaveh Group used customized ransomware to conduct cyberattacks against security cameras in Israel. It then used one of its cyber personas, ‘Soldiers of Solomon,’ to falsely claim it had ransomed security cameras and data at Nevatim Air Force Base. Examination of the security footage Soldiers of Solomon leaked reveals it was from a town north of Tel Aviv with a Nevatim street, not the airbase of the same name.”
The second phase also saw a network of social media accounts used to amplify the results of cyberattacks, alongside the dissemination of information about the attacks via email and text messages.
The third phase, commencing in late November, was characterized by the expansion of activity beyond Israel, targeting countries identified by Iran as supporters of Israel. The objective was to undermine the political, economic, or military support these countries provided to Israel. This expansion coincided with the onset of attacks by the Houthis against international cargo ships in the Red Sea. For instance, “on November 20, the MOIS-aligned cyber persona ‘Homeland Justice’ warned of forthcoming cyberattacks on Albania. They later claimed credit for attacks on a range of Albanian organizations and institutions on Christmas day.
“On November 21, the cyber persona ‘al-Toufan’ targeted the Bahraini government and financial organizations for normalizing ties with Israel. By November 22, IRGC-affiliated groups began targeting Israeli-made programmable logic controllers (PLCs) in the United States, including taking one offline at a water authority in Pennsylvania on November 25. PLCs are industrial computers adapted for the control of manufacturing processes, such as assembly lines, machines, and robotic devices.”
According to Microsoft, the objectives of the Iranian operation included destabilizing Israel through polarization. “Iran aims to exacerbate domestic political and social rifts in its targets, often focusing on the Israeli government’s approach to the 240 hostages taken by Hamas into Gaza and masquerading as peace-seeking activist groups criticizing the Israeli government. Israeli Prime Minister Netanyahu is the primary target of such messaging, often calling for his removal,” the report read.
Another objective was retaliation, exemplified by the cyberattack against Ziv Hospital in Safed, conducted in response to reports of Israeli bombings (which did not occur) at Shifa Hospital in Gaza. Iranian attackers also sought to instill terror and fear among the Israeli population and undermine international support for Israel.
“We assess that the progression shown so far in the three phases of war will continue. Amid the rising potential of a widening war, we expect Iranian influence operations and cyberattacks will continue to be more targeted, more collaborative and more destructive as the Israel-Hamas conflict drags on. Iran will continue to test redlines, as they have done with an attack on an Israeli hospital and U.S. water systems in late November.
“The increased collaboration we have observed between different Iranian threat actors will pose greater threats in 2024 for election defenders who can no longer take solace in only tracking a few groups. Rather, a growing number of access agents, influence groups, and cyber actors makes for a more complex and intertwined threat environment,” the report concluded.