Israeli Cyberwarfare History and Capabilities

State of (Cyber)War Episode 6.1

Join Hugo Tarrida and John Salomon for the latest part of our Middle East cyberwarfare mini-series.

We decided to split a more in-depth discussion about the two most capable actors in the region, Israel and Iran, into two half-episodes. Join us as we look at the organizations that make up Israeli cyberwarfare and -defense capabilities, the history of Israeli state-sponsored and state-aligned cyber campaigns,

We also take a brief tour of Israeli media and social media operations, including information, propaganda, disinformation, and manipulation.

If you haven’t watched it yet, please consider checking out our first overview of the overall Middle East situation: https://youtu.be/X3wkTszRlck

Notes and links:

Because of the highly emotionally and politically charged nature of current events, we can’t tell how impartial many of the websites describing Israeli capabilities are or aren’t. We will thus stick to Wikipedia unless there’s either an original Israeli government webpage available, or a source we feel is somewhat authoritative, even if it’s biased – in any case, do your own homework and draw your own conclusions, we’re not here to push a narrative.

We have our own views and opinions of current events. This discussion is not intended to endorse or condemn any particular viewpoint.

Neither of us speaks even a bit of Hebrew. We are thus at the mercy of translation engines and webpages in languages we understand. Your mileage may vary.

02:03 CFR overview of cyberwarfare capabilities: https://www.cfr.org/cyber-operations/
02:50 Unit 8200: https://en.wikipedia.org/wiki/Unit_8200
03:05 Military Intelligence Directorate, aka Aman: https://www.idf.il/en/mini-sites/directorates/military-intelligence-directorate/military-intelligence-directorate/
03:57 Unit 81: https://en.wikipedia.org/wiki/Unit_81
05:01 Havatzalot: https://en.wikipedia.org/wiki/Havatzalot_Program – Google’s horrible translation of the Hebrew Wikipedia page indicates it’s some kind of lily. Flowers are nice.
05:16 Talpiot: https://en.wikipedia.org/wiki/Talpiot_program – the name’s apparently some biblical reference from Song of Songs 4:4 according to their LinkedIn page, that we can’t figure out
06:55 Technion / Israel Institute of Technology: https://www.technion.ac.il/
06:56 Hebrew University of Jerusalem: https://en.huji.ac.il/
07:30 IDF Information Security Department: https://en.wikipedia.org/wiki/Information_Security_Department – it’s unclear whether it’s the same as these guys: https://www.mitgaisim.idf.il/%D7%AA%D7%A4%D7%A7%D7%99%D7%93%D7%99%D7%9D/cyber-protection-unit/
07:40 Mamram: https://en.wikipedia.org/wiki/Mamram – apparently an abbreviation of the Hebrew for “Center of Computing and Information Systems”
09:15 This may be the Israel Innovation Authority – https://innovationisrael.org.il/en/ – we’re not 100% sure though
11:14 Stuxnet: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
11:22 Specifically, Siemens PCS7, WinCC, and STEP7 control software, and various Siemens S7 programmable logic controllers (PLCs).
22:59 TAO: https://en.wikipedia.org/wiki/Tailored_Access_Operations
12:16 We’re going to assume you’re capable of looking up Snowden and his revelations on your own
12:30 Stuxnet 2.0: https://cyware.com/news/stuxnet-20-iran-hit-by-new-more-aggressive-variant-of-powerful-industrial-control-malware-9d9c9a73
15:37 Duqu: https://www.enisa.europa.eu/media/news-items/duqu-analysis
15:38 Flame: https://www.bbc.com/news/technology-18238326
15:39 Duqu 2.0: https://www.theguardian.com/technology/2015/jun/11/duqu-20-computer-virus-with-traces-of-israeli-code-was-used-to-hack-iran-talks – the Guardian is one of the outlets that linked Duqu 2.0 to Israel
16:21 Kaspersky’s Equation Group overview: https://www.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-of-cyber-espionage
17:13 Some info on those particular negotiations: https://www.cfr.org/backgrounder/what-iran-nuclear-deal
17:45 The NY Times article: https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html
18:38 Correction: Iranian officials disconnected oil terminals themselves as a reactive measure. BBC reporting about initial attack – https://www.bbc.com/news/technology-17811565 – and followup: https://www.bbc.com/news/technology-18253331
19:44 Pegasus (NSO Group): https://en.wikipedia.org/wiki/Pegasus_(spyware) – interestingly, just after we finished this recording, there were reports of “fake” Pegasus variants for sale: https://www.infosecurity-magazine.com/news/fake-pegasus-spyware-dark-web/
20:16 Kaspersky on Flame: https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-experts-provide-in-depth-analysis-of-flame-s-c-c-infrastructure
20:51 NSO Group: https://www.nsogroup.com/
21:18 Chrysaor: https://www.independent.co.uk/tech/chrysaor-android-spyware-app-smartphone-cameras-hack-photos-pegasus-google-a7666306.html
21:34 https://www.calcalistech.com/ctech/articles/0,7340,L-3927410,00.html
21:41 Should have dug just a little more: https://www.reuters.com/technology/microsoft-watchdog-group-say-israeli-spyware-used-hack-civil-society-2023-04-11/
22:33 Again the Guardian: https://www.theguardian.com/world/2022/may/03/over-200-spanish-mobile-numbers-possible-targets-pegasus-spyware
23:32 Start here: https://en.wikipedia.org/wiki/Rif_War – see you in a few months
23:56 https://www.telegraph.co.uk/world-news/2024/05/17/spain-blocks-ship-carrying-weapons-israel-gaza-war/
24:09 This is a very contentious, and very open legal question.
24:21 (German link) https://www.sueddeutsche.de/politik/us-geheimdienst-nsa-forschte-merkel-umfassender-aus-als-bislang-bekannt-1.2876007 – caveat: it’s Wikileaks. They have been known to have…issues. That said, the investigation was closed in 2015 due to insufficient evidence: https://www.npr.org/sections/thetwo-way/2015/06/12/413866194/germany-closes-probe-into-alleged-u-s-hacking-of-merkels-phone – again, make of that what you will.
25:26 Predatory Sparrow/Gonjeshke Darande: https://www.bbc.com/news/technology-62072480 (with bonus steel mill fire video and dramatic music). Wired article with timeline of attacks: https://www.wired.com/story/predatory-sparrow-cyberattack-timeline/
25:54 https://foreignpolicy.com/2024/04/16/iran-israel-conflict-missile-attack-cyberattacks-warfare/
28:50 https://www.jpost.com/business-and-innovation/article-731636 – interestingly, a lot of the best investigative journalism exposing this kind of Israeli activity comes from the Jerusalem Post, Haaretz, and other Israeli news channels. Another story from Haaretz, and one from The Guardian on the topic
31:13 Very intelligently, we failed to note down the link to the specific story. Good job. But looking for idf manipulate social media site:haaretz.com yields a bonanza of articles on the topic.
31:51 Given Eurovision’s colorful history of political controversies, we’re not even going to start on this one…for the 2024 contest, there are numerous claims that the Israeli Ministry of Foreign Affairs ran a campaign to influence audience voting – here’s an article (in Hebrew, use the translation site of your choice) from Ynet: https://www.ynet.co.il/news/article/sykjyhaza
32:36 For example, via the IDF Spokesperson’s Unit International Media Branch: https://en.wikipedia.org/wiki/IDF_Spokesperson%27s_Unit. In fairness, a lot of government agencies / armed forces actively try to shape public perception through relationships with private sector channels. The US Defense Department’s relationship is a very well documented example, with the Entertainment Media Office providing personnel and equipment to film productions that follow strict rules about how the US armed forces are portrayed: https://www.latimes.com/archives/la-xpm-2011-aug-21-la-ca-military-movies-20110821-story.html (Wikipedia: https://en.wikipedia.org/wiki/Military%E2%80%93entertainment_complex). It’s a safe assumption that most major militaries do not have just media and public relations teams, but actively cultivate contacts with journalists to try and influence their reporting.

Bonus links from Hugo:

https://www.disinfo.eu/israel-hamas-resource-hub/ – a list of resources surrounding disinformation in the Israel-Hamas conflict
Our friends at Natto Thoughts on disinformation in the Mideast conflict: https://nattothoughts.substack.com/p/mideast-crisis-and-russia-cyberspace
The New York Times on fact hunting in the Israel-Hamas conflict: https://www.nytimes.com/2024/01/25/business/media/misinformation-fact-checking-israel-hamas.html

You can find CyAN’s Secure-in-Mind YouTube channel at https://youtube.com/@cybersecadvisors – and of course, our videos about cyber conflict on the State of (Cyber)War playlist here. All of our episodes are also available in audio format on Apple iTunes, Amazon Audible, Podcast Republic, Spotify, and Libsyn – links on our Media page.