Google: Iranian, regional hacking operations that target Israel remain opportunistic but focused

Objectives from the hacking groups include espionage, information operations or destructive activities, researchers say.
This picture taken from Rafah shows smoke billowing following Israeli bombardments over Khan Yunis in the southern Gaza Strip on February 13, 2024, amid the ongoing conflict between Israel and the Palestinian Hamas militant group. (Photo by SAID KHATIB / AFP)

There’s little evidence that Hamas’s Oct. 7 attack on Israel included a planned cyber component, but in the months since, a flurry of regional hacking units with ties to the terrorist group, as well as Hezbollah and Iran, adjusted their operations to participate in the ongoing conflict, a Google analysis concluded Tuesday.

The analysis — conducted by Google’s Threat Analysis Group and Mandiant, part of Google Cloud — documented operations tied to a half-dozen regional cyber threat groups with objectives including espionage, information operations or destructive activities.

While cyber operations play a supporting and symbiotic role to kinetic and physical attacks in some conflicts, the Israel-Hamas war shows how cyber operations stand on their own and provide governments with lower-cost, lower-risk ways to engage rivals without direct military confrontation, the researchers said.

The contrast between the role of cyber in this conflict and how it’s been used during Russia’s ongoing war on Ukraine is clear, said Sandra Joyce, vice president of Mandiant Intelligence.


“In the Israel-Gaza region, we didn’t observe that spike in cyber operations,” Joyce said in a call with reporters ahead of the report’s release. “We saw that in Russia, but we didn’t see that here.”

Iran has targeted Israel and the U.S. for years, the analysis noted, and operations continue apace. In the six months leading up to Hamas’s attack, Iran accounted for roughly 80% of all government-backed phishing activity that targeted users based in Israel, the researchers said.

“After October 7, we’ve seen a focused effort to undercut support for the war among both the Israeli public and the broader global populace, including hack-and-leak and information operations to demoralize Israeli citizens, erode their trust in national organizations, and cast Israel’s actions in a negative light,” the report stated.

This kind of information operation made headlines in the U.S. in November, when a group linked to the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) targeted Israeli-manufactured devices used in water utilities with defacing messages. A water utility in Aliquippa, Pa., was hit in the attack, and the U.S. government on Feb. 2 sanctioned a half-dozen Iranian officials over the affair.

The groups highlighted in the report — most with ties to Iran — have targeted Israel, other entities in the Middle East, the United States or Europe.


Hamas-linked groups — which have traditionally targeted Israel and Palestine as part of intra-Palestinian operations — were active through September 2023 and showed no observable increase in activity leading up to or after Oct. 7, the researchers said.

One of the groups, tracked by Google as “Great Rift” and as “UNC4453” or “Plaid Rain” by others, is likely linked to Hezbollah in Lebanon, according to the analysis. That group, researchers say, took advantage of the surge of interest in emergency services after the Oct. 7 attacks, impersonating legitimate Israeli services in phishing lures.

The group also created a fake missing persons website that prompted visitors to download a small malicious program, purportedly to receive notifications about abducted Israelis, and created a website to impersonate a legitimate Israeli hospital to distribute malware using a blood donation theme, the researchers said.

The incidents are examples of established regional hacking campaigns that demonstrate the “agility to rapidly tailor activity to current events,” the report read.

Another incident, which surfaced Feb. 12 and has “likely” connections to Iran, used destructive malware disguised as notices from the Israel National Cyber Directorate to target Israeli civilians whose emails were obtained in compromises of Israeli organizations in November, John Hultquist, Mandiant Intelligence’s chief analyst, said in an email Tuesday.


If executed, the malware overwrote files and played a video that included a message to hostage families “meant to demoralize Israelis,” Hultquist said.

“Increasingly, Iran is directly targeting civilians with information operations and attacks,” he added.

Nicole Fishbein, a security researcher with Intezer, flagged the campaign in a series of posts to the X social media platform Feb. 12, noting that it included anti-war propaganda and an attack ad against Israeli Prime Minister Benjamin Netanyahu.
