Nathan Weil – August 9th, 2023

The modern world’s appetite for a kinetic conflict is seemingly at an all-time low. Across the world, major conflicts are continuously denounced by the world stage, forcing the international community to often support one side or the other in order to push for a quicker ending to a conflict; regardless of how the end is met. Setting the stage for one of the most consequential conflicts: the Iranian-Israeli proxy war. Since the Iranian revolution in 1979 and the establishment of a theocratic autocracy in Iran, the two states have maintained consistent negative interaction, leading Iran to consistently employ proxy forces to this day targeting Israel. In the future the Iranian’s–through their military force the Iranian Revolutionary Guard Corps (IRGC)–will continue to leverage unconventional warfare (UW) forces cyber-domain capabilities within Israel, to degrade Israeli government and Israeli Defense Force (IDF) capabilities while in a continual crisis stage. They will do by fiscally supporting Hezbollah and Hamas cyber-domain capabilities, conducting information operations through their proxy forces, and degrading Israeli legitimacy in the foreign relations arena. The resulting degradation of Israeli legitimacy and trust could affect domestic support of the Knesset and possibly persuade supporting countries to withdraw support to the Israeli anti-terrorism efforts.

Main Vectors of Iranian State-Sponsored Terrorism

The 3 main vectors that reap the benefits of Iranian state sponsored terrorism are Hezbollah, Hamas, and the Palestinian Islamic Jihad (PIJ). These organizations yearly receive millions of dollars in small and heavy arms, lethal-aid, and tactics development support. Additionally, with the consistent support from Iran and other parties, they present an ever evolving nexus of cyber-based challenges that directly support anti-Israeli efforts.

Hamas

Hamas (Harakat al-Muqawama al-Islamiya (“Islamic Resistance Movement”)) was formed in 1987 by Sheikh Ahmed Yassin, as the Palestinian branch of the Muslim Brotherhood. It emerged during the intifada uprising against the Israeli occupation. According to the Wilson Center, “Its original charter advocated destroying Israel and establishing an independent Islamic state in historic Palestine. A revised charter, introduced in May 2017, provisionally accepted a Palestinian state based on the 1967 borders.” (Levin, 2021). Additionally, according to the Council of Foreign Relations, Hamas originally started as a political arm of the Muslim brotherhood and maintained their non-kinetic front until 1993; 5 months before the Oslo Accords meeting, they conducted their first suicide attacks (Laub, Robinson, 2021).

            Following this doctrinal shift, Hamas acted as an anti-Israeli organization till 2006 (achieving Foreign Terrorist Organization designation in 1997). Hamas carried out various suicide bombings, ambushes, and acted as a kinetic force in the 2^nd Intifada of 2000; resulting in over 1100 Israeli’s killed and over 5000 Palestinians killed. In 2006 however there was a dramatic shift, as Hamas put themselves back into the political realm and won the governing seat of Gaza and have maintained that position since. Since the change to the present day, Hamas has launched various antagonistic missile attacks against Israel during times of political distress, changeover of governments, or oppressing IDF movements into the Palestinian settlements. Which will be a trend that will likely continue in the future, presenting a window for Israel and its supporters to be more focused on indications and warnings of potential cyber-based or kinetic attacks from Hamas.

Hezbollah

The Lebanon based Hezbollah, originates from the Shiite resistance movement; born out of the Lebanese civil war. Having pledged themselves to Iran since their birth, they have the heaviest Iranian influence within the region and across the various extremist organizations. Outside of a month-long conflict in 2006, the contestant nature between Hezbollah and Israel has been relatively sporadic. Border firefights in the Golan Heights, Missile attacks, cross border trafficking, and unclaimed bombings are the modus operandi of Hezbollah. Where Hezbollah has evolved is in their ability to be Iran’s arm into the Levant, being a force in the crippling Lebanese nation-state, representing Iranian influence in Israel, and even supporting the Assad regime in Syria. These lines of effort are likely to be what their focus is for the future, as Lebanon is no more stable than it used to be and their experience in Syria could propel them to more kinetic efforts such as conducting Cyber Domain based attacks on Israel or supporting Hamas through kinetic attacks from lebanon into Israel, creating a pincer–north to south from Hezbollah and West to East via the PIJ and Hamas–dilemma for Israel to defend against.

Palestinian Islamic Jihad (PIJ)

The PIJ splintered off from the Muslim Brotherhood in Egypt and moved to Gaza in 1981, then Lebanon in 1986. The various areas of operations have presented them multiple opportunities to learn from different environments and antagonize Israel from multiple fronts. As they are more of a direct-action force in comparison to the political intentions of Hezbollah and Hamas, they have and will continuously conduct kinetic actions against Israel. As they have used indirect fires, suicide tactics, and small arms weapons to engage IDF troops and Israeli Civilians. In recent years they have moved to more of an irregular warfare force, using sporadic attacks and IDF IOT not directly engaging Israeli forces; falling under more of a Iranian proxy force as of recently, ECFR states “Iran remains a key source of funding to this day. It is thought to have good working relations with Egyptian intelligence, although it has moved closer to Iran under al-Nakhalah.” (Lovatt, 2021), supporting the idea that Iran is spreading their UW wings to more than Hezbollah.

Unconventional Warfare and Cyber Domain Capabilities

On the first page of On War, Clausewitz lays out why violence is the means to complete their object—or goal—within a conflict. However, as stated within the first paragraph, the international community’s appetite for a kinetic conflict, especially in the Middle East, is not high in this current political atmosphere. With that said, the object of the Iranian government is to non-kinetically leverage unconventional warfare forces–the VEOs above via Quds force integration and Iranian fiscal support–, the means of doing so is by way of cyber domain attacks, information warfare, and disinformation campaigns aimed at discrediting the legitimacy of the Israeli government.

The most likely candidate for robust cyber domain-based attacks will be the Lebanese Cedar cyber cell, an assumed to be Hezbollah owned cyber entity. Following the infamous Stuxnet computer network attack, the IRGC has heavily invested into cyber domain control in the Middle East. Leading to the development of Lebanese Cedar, who has conducted cyber operations since 2012 and has two main TTPs infiltrating foreign internet servers. Clear Sky Cyber Security—the team who made the original assessment that Lebanese Cedar is a Hezbollah group—stated “Many of the tools in Lebanese Cedar APT’s arsenal are open source, however, the group relies mainly on two prominent tools that are custom-made. These tools include: “Caterpillar” WebShell, used to collect system and network information, locate assets within the network and install additional files “Explosive” RAT (Remote Access Trojan) which used to harvest sensitive information” (Soreni, 2021). This group has demonstrated the ability to sophisticatedly infiltrate over 250 state run foreign servers. To include: the Oklahoma Office of Management & Enterprise Service, the UK’s Iomart Cloud Services Limit, and the Saudi Arabian Saudi Net.

These cyber operations solidify their sophistication and make them a prime candidate to possibly infiltrate and disrupt Israeli systems on behalf of the Iranian government, maintaining Iranian obfuscation which will almost certainly be one of the main priorities in these cyber domain attacks. Due to the recent Tik Tok trials bringing the worries of consumer data to the mainstream, and my understanding–serving as a counter-China intelligence professional for 5 years–of state-sponsored cyber-based collections, data mining and online security, state level exploitation of consumer data and open-source intelligence has become one of my main concerns. Chinese owned and exploited apps such as Tik Tok, WeChat, and WhatsApp are very concerning apps, as they have the ability to track users across multiple platforms and pull targetable information such as, emails, addresses, financial information, and internet history. This presents an interesting worry as data from one person can be chained to a target of interest. I think twice about downloading specific apps, do basic research about the developing company and country of origin, as I am aware of the Chinese Communist Party’s ability to recall data from private companies for state-controlled exploitation. This is a consistent worry I have in the social media sphere, warning my family about specific apps, to at least impede Chinese abilities to develop packages based on my selectors and data as an intelligence professional. This fear is present in the majority of American intelligence minds at the strategic level, and to have this fear at the tactical level for the average Israeli, is something to be aware of, as this can become a SOP for guerilla groups across the world, especially against un-disciplined conventional forces.

At a lower strategic level, Hamas has developed a recognized cyber cell as well; the “al-Quds Electronic Army”.  Who have disrupted IDF C2 nodes, Kibbutz communities in the vicinity of Gaza, and even planted surveillance malware on IDF soldiers’ phones through dating apps. Hamas is known for their sporadic kinetic missile campaigns against Israeli civilian and military infrastructure, usually triggered by a change in legislation, leadership, an overstep of IDF soldiers into the settlement area or abuse of an Arab Israeli. However, kinetic strikes come at a severe cost. They can turn their opponent into a martyr, and with the heavy-handed support of the US and most of Europe, the international community has consistently leaned more towards Israeli support rather than Palestinian; this is up for debate but not the topic of this essay. With that being said, it is pertinent for Hamas to weigh the cost-to-benefits of kinetic attacks, and it seems they have recently leaned towards soft power more than hard. Especially since 2020, as Israel has responded with effective fires and raid missions into Hamas hubs such as Jenin, and removing key personnel.

With their reliance on sporadic fires fading, their lack of sophistication has been met with outside resources to support their goals, Hezbollah and Iran more than others. Following the 2017 election of Yahya Al-Sinwar, Hamas has entrenched itself across Hezbollah controlled Lebanon, allowing for a possible reunification of pre-Arab Spring relations—both parties disagreed on the Syrian civil war side and eventually lead to a temporary cease of cooperation—that could be deadly in the case of future conflicts. As Hezbollah has demonstrated its ability to interfere in state-owned technology capabilities, and Hamas having demonstrated their ability to disrupt local infrastructure and degrade IDF force protection, this marriage could allow for the further development of a cyber jihad.

This Tehran lead axis of resistance in a modern age would act differently than 20-30 years ago. As the cyber domain does not have an iron dome like capability to defend an overwhelming barrage of cyberattacks; a multi-pronged approach is the best scenario for the Islamic extremist movements. This multi-pronged approach could hypothetically work like an insurgency campaign online. Meaning, multiple organizations with plausible deniability, being funded by a larger dark web of allies, could conduct harassment attacks on a static enemy. In theory, Hamas and Hezbollah—and eventually leveraging the PIJ to support the kinetic offense—would act on behalf of their supporters to conduct disinformation campaigns, attack critical Israeli civilian and military infrastructure via the cyber domain, and discreetly target IDF and Knesset officials via various vexing targeting i.e; honeypotting schemes, Distributed Denial of Server (DDOS) attacks, and app-based malware implantation.

One could ask, what would cause the Iranian proxies to conduct a coordinated assault on Israeli government and defense mechanisms. The answer is chaos. The Hudson Institute states that these proxies specialize in “capitalizing on instability” (Cropsey, 2023). During the various violence during 2023 Iranian linked cyber cells were able to successfully DDOS multiple Israeli state-owned enterprises and more than 10 banks, demonstrating their ability to disrupt necessary state institutions and further sewing disruption during a chaotic period.

The Potential of a Multi-Pronged Cyber Jihad

The Iranian proxies are most likely to initiate or intensify periods of turmoil within Israeli politics, such as during election cycles, power transitions, or escalations in hostilities between the Israeli Defense Forces (IDF) and Palestinian militants, potentially reaching the levels of an Intifada. A plausible catalyst could be an upsurge in violence involving the Israeli and Palestinian populations. To exacerbate such tensions, the information operations cells of Hamas and Hezbollah would likely engage in disinformation campaigns. This could involve manipulating social media reports of the conflict to depict Israeli forces as oppressive and inhumane, drawing parallels to the cyber domain tools utilized in Syria. This strategy aims to galvanize increased resistance against the IDF, potentially providing the Iranian proxies with a perceived justification for launching rocket attacks on civilian infrastructure within Israel.

Furthermore, the most likely execution is a coordinated, yet non-attributed, cyber-attack targeting multiple financial institutions across the Israeli state. Such a calculated disruption of financial institutions could further sow chaos among the Israeli populace, potentially creating an opportunity for favorable Palestinian leverage in negotiations to halt the kinetic strikes. In addition, the cyber domain could facilitate targeting efforts based on factors like social media activity and cell phone usage, incorporating geo-location, collateral telemetry data exploitation, and even basic geo-tagging of images or active location sharing on platforms like Snapchat or fitness apps. Leveraging tactics, techniques, and procedures (TTPs) established over the past decade, such as honey-potting dating apps, exploiting backdoors in fitness apps, and implanting malware on various applications, would significantly enhance the Iranian proxies’ situational awareness of targeted individuals, potentially enabling near-real-time location tracking for kinetic actions.

Moreover, these demonstrated TTPs, if applied effectively against conventional targets like the IDF, could have broader implications. Other groups, such as the Kurdish Resistance, Chechen rebels, or Islamic factions in Northern Europe, might adopt similar capabilities, potentially shifting the conventional response to terrorism from force-on-force engagements to a cyber domain defense paradigm. Such a transition, however, would face substantial challenges due to the inherent non-attributability complexities of the cyber domain. 

However, it is more likely that the latter event would fall into the most dangerous course of action. In this hypothetical alternative analysis, an intifada is ignited to the point that Palestinian government will not accept a truce without their goal of Israeli destruction being achieved, raising the bar and lethality of TTPs. It is almost certain that in this situation Iran will try to maintain its plausible deniability in the conflict but will certainly support their in-state proxy services to debilitate Israeli defense mechanisms. Above is a possible course of action that I wanted to paint out to provide a picture for possible implementation of a cyber-enhanced insurgency. Working with MARSOC, I experienced a complex COMSEC sophisticated group that severely hindered our targeting capabilities. I believe that targeting a cyber enabled terrorist group would add a dynamic to the force protection requirements of organic forces. I used to run apps all the time, and to think that my adversary could possibly exploit that data for kinetic attacks, definitely raises the force protection concerns on a day-to-day basis.

Within the cyber domain, if Hezbollah can maintain their near state-level–the ability to critically impact state infrastructure rather than doing persona-based targeting at a lower level sub-strategic level–cyber attack capabilities, they will concentrate efforts to DDOS Israeli defense systems, destroy critical infrastructure facilities such as water treatment centers, nuclear facilities, electric grids, and transportation efforts. If even one of the distributed attacks is successful it will heavily impede the readiness of the IDF and significantly impact the safety of the Israeli citizens. With the state-level cyber domain targeting being handled by Hezbollah, coordination with Hamas will allow them to do the more tactical targeting of individuals spoken about above. A critical piece of this alternative analysis is the information operations campaign that the Axis of Resistance must conduct leading up to and during this conflict.

 Without a severe degradation of Israeli support across the international community, and a swing in at the very least UN support, the ability of the Palestinians (and their supporters) to maintain a drawn-out conflict will be less than likely. The probable axis of exploitation is by bot campaigns on social media, where on Twitter, Telegram, and Tik Tok, the proxies will fake photos, videos, and news reports in order to change the narrative likely to show the Israelis as an aggressor rather than on the defensive. Within the last few months, we have seen the trust be dissolved immensely due to the Israeli supreme court reform. The millions of outspoken citizens, loss of revenue and change in social support of the government is outstanding, and this is in a time of peace. In a time of war, when tensions are high and stress is at its zenith, the dissolve of trust due to information operations could critically degrade the Israelis ability to rely on their citizens’ support for war and continual support. The Israeli government already has a non-reliable relationship with the international community and the loss of trust in regard to that aspect could again, greatly reduce the support from third parties. Looking at the Ukraine, conflict it is a safe assessment to make that the Ukrainians would not be able to defend at the rate they have been without the support from third parties, and I think that billions of dollars and hard support via weapons and vehicles would be a evident loss, if not received due to the loss of Israeli trust.

Due to the lack of mechanized infantry, immense difference in missile mag depth, and the speed of the IDF it will be easier to exploit and spin the message against the aggressive defensive measures that the IDF will likely employ to destroy joint HQ locations, occupy religious terrain, and sweep through population dense areas of insurgents, as the Ukrainians have done in Ukraine. Every missile strike that hits a house, every convoy littered across roads, and bodies of children caught in the crossfire will be heavily exploited, like the Kurds, Iraqis, and Syrians did while ISIS expanded throughout the levant. Thereby, likely degrading the international communities already shaky support of the Israeli measures against the Palestinian forces.

Conclusion

The outlined hypothetical analysis underscores the abundant possibilities within the cyber domain for Iranian proxies to exploit and disrupt various Israeli institutions. For the Iranian government, concealing direct actions against the Israeli government remains paramount, as any direct kinetic conflict would likely trigger economic and potential kinetic responses from the United States and potentially other NATO nations. The Iranian government’s approach in the coming decades will likely involve providing financial support, training, equipping, and covert backing to their proxy forces in potential future conflicts or non-kinetic crisis scenarios.

Given the rapid pace of conflicts in Israel—marked by frequent missile strikes, raids, and violent protests—it is highly probable that Iranian support will persist. While unforeseen events like the 2013 split between Hamas and Hezbollah over Sunni-Shia disagreements in the Syrian civil war have occurred, it is unlikely to lead to a decrease in Iranian support. The absence of jihadist intent is likely to grow, fueled by Israel’s ongoing settlement construction and the Knesset’s increasing influence, which may lead to denouncing Palestinian expansion or even advocating for a one-state solution without a viable plan. This complex problem remains unresolved, leaving the future of a sovereign Jewish state intertwined with uncertainties and challenges. While Israel’s intelligence agency, Shin Bet, acknowledges the threat posed by the axis of resistance, it is uncertain if second and third order contingencies are in place to address a potentially crippled economy or reduced second-strike capability.

The looming potential of Iran’s support for unconventional warfare forces and cyber-domain capabilities presents a significant risk of disrupting Israeli critical infrastructure, financial institutions, and eroding foreign and domestic trust. The United States and its allies should maintain a keen situational awareness of proxy cyber domain activities and develop recognition of tactics, techniques, and procedures. This enhanced understanding could lead to preemptive actions similar to Stuxnet, aiming to degrade Iranian cyber infrastructure, or providing targeting support to eliminate proxy forces and their cyber command and control nodes. Such preemptive measures can slow down the evolution of the threat nexus not only for Israel but also for other organizations that employ non-conventional methods to undermine national security. It is imperative that the United States and its allies remain deeply concerned about the formidable cyber threat that Iran and its proxy forces pose within the cyber domain.

References

Levin, D. (2021, May 21). Iran, Hamas & Palestinian Islamic Jihad. Wilson Center. https://www.wilsoncenter.org/article/iran-hamas-and-palestinian,-islamic-jihad

Laub, Z. & Robinson K. (2021, August 17). What Is Hamas?. Council on Foreign Relations. https://www.cfr.org/background/whatishamas

Lovatt, H. (2018, March 21). Islamic Jihad (PIJ). ECFR. https://ecfr.eu/special/mapping_palestinian_politics/palestinian_islamic_jihad/

Soreni, T. (2021, January 28). https://www.clearskysec.com/cedar/

Cropsey, S. (2023, July 18). Destroy Hezbollah. Hudson. https://www.hudson.org/national-security-defense/destroy-hezbollah

The post     Iran’s Cyber-Domain Efforts Through Unconventional Warfare Forces Against Israel. appeared first on Key Terrain Cyber.