During Operation Roaring Lion, Iran, naturally, launched several cyberattacks against Israel. One of the most widely known incidents involved SMS messages sent to many Israelis urging them to update the Home Front Command application. Opening the link in such a message would have exposed the recipient to an Advanced Persistent Threat (APT) operation.
APTs are highly targeted attacks in which the attacker focuses on a specific organization or group, develops customized attack tools, and, after breaching the target's systems, remains inside the network for an extended period. During this time, attackers may monitor emails, extract sensitive information, or conduct additional malicious activities. The term is also used, by extension, for the groups that run such operations.
Iranian cyber groups routinely target Israeli organizations and individuals, though most of these activities remain largely invisible to the public.
Cybersecurity company Mandiant, one of the most recognized firms in the field, introduced a numbering system for these groups several years ago, which has since become something of an industry standard.
The Iranian cyber groups focusing on Israeli targets
Each group identified with a unique operational pattern receives a specific number. Below are several groups known to focus on Israeli targets.
APT35 runs sophisticated phishing campaigns aimed at Israeli academics and journalists. These attacks often rely on carefully crafted emails that lead victims to malicious websites designed to harvest credentials or install malware.
APT42 uses familiar communication platforms such as WhatsApp as entry points to approach government and security officials. Once a victim is compromised, the malicious file planted on the computer establishes covert communication with the attacker via platforms like Telegram and Discord.
These services make it easy to create communication channels that are encrypted and difficult to trace, and because the traffic goes to popular, legitimate services it blends in with ordinary chat use. The groups' tools frequently include keyloggers that secretly record keystrokes, capture screenshots, and steal browser-stored passwords before transmitting them to attackers outside the organization.
APT34 is attributed to the Iranian government; most public reporting links it to the Ministry of Intelligence and Security rather than the Islamic Revolutionary Guard Corps. This group primarily targets government organizations and critical infrastructure. Its focus is typically on installing malicious backdoor software that communicates with the attacker's infrastructure, commonly referred to as Command and Control (C2) servers, allowing the attackers to remotely control the compromised machine.
An interesting characteristic of these groups is their specialization in specific sectors and the development of tailored attack mechanisms.
For example, groups focusing on aviation and critical industries may use LinkedIn to distribute infected files to professionals in those sectors. Other groups targeting opponents of the Iranian regime concentrate on communities formed on platforms such as Facebook, using them to identify and approach potential victims.
For those who still wonder about the scope of the threat, it is important to understand that Israel has been engaged for several years in a continuous cyber conflict driven by intelligence collection. These operations surround us through almost every familiar digital platform.
The attackers invest considerable effort in developing malware that is unknown to cybersecurity defense tools, so that signature-based products have nothing to match, and in some cases exploit zero-day vulnerabilities, flaws for which no patch yet exists. Both make detection and prevention far more difficult.
Defending against such threats requires more than awareness. Organizations must adopt a robust information security strategy, strengthen internal network defenses, and significantly reduce excessive access permissions.
In practical terms, organizations should operate under the assumption that the attacker may already be inside the network and focus on detecting and containing further malicious activity.
One advanced method involves conducting periodic threat hunting processes: systematic searches across the organization's network for signs of an intruder, such as hidden malicious files, unexpected persistence mechanisms, or regular outbound connections to external services, before a cyber incident occurs.
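As an added illustration of such a hunt (example code written for this page, not a tool from the article or from MADSEC), the script below looks in web proxy logs for the kind of covert Telegram/Discord channel described above. It groups requests by client and destination, flags clients that contact a watch-listed chat service at a suspiciously regular cadence (implants beacon on a timer, people do not), and separately flags posts to Discord webhooks, which are a common exfiltration path. The log lines, hostnames, thresholds and field layout are all constructed assumptions to be adapted to a real environment.

```python
"""Hunt for covert command-and-control over chat platforms in proxy logs.

Added example; the log format, hosts and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watch-list (assumption): services that legitimate chat clients
# and C2 implants both contact. Tune to what is normal in your own estate.
SUSPECT_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

# Constructed sample log (not real data). Fields: timestamp, client host,
# destination host, request path. ws-finance-07 polls Telegram every minute;
# ws-hr-02 is an ordinary Discord user who also hit a webhook once;
# ws-dev-11 never touches a watched host.
SAMPLE_LOG = """\
2024-06-15T08:00:02Z ws-finance-07 api.telegram.org /bot[REDACTED]/getUpdates
2024-06-15T08:01:02Z ws-finance-07 api.telegram.org /bot[REDACTED]/getUpdates
2024-06-15T08:02:03Z ws-finance-07 api.telegram.org /bot[REDACTED]/getUpdates
2024-06-15T08:03:02Z ws-finance-07 api.telegram.org /bot[REDACTED]/getUpdates
2024-06-15T08:04:02Z ws-finance-07 api.telegram.org /bot[REDACTED]/getUpdates
2024-06-15T08:05:03Z ws-finance-07 api.telegram.org /bot[REDACTED]/getUpdates
2024-06-15T08:00:40Z ws-hr-02 discord.com /api/webhooks/1234/abcd
2024-06-15T09:37:12Z ws-hr-02 discord.com /api/v9/users/@me
2024-06-15T13:05:51Z ws-hr-02 discord.com /api/v9/channels/5/messages
2024-06-15T08:00:00Z ws-dev-11 github.com /org/repo
2024-06-15T08:10:00Z ws-dev-11 github.com /org/repo
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host, path)."""
    ts, client, host, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, path


def is_beacon(gaps, max_jitter=0.2):
    """True when inter-request gaps are nearly constant.

    A low coefficient of variation (std dev / mean) means the client is
    checking in on a timer, which is what an implant does and a human
    chatting does not. max_jitter is an assumed threshold.
    """
    if not gaps or mean(gaps) == 0:
        return False
    return pstdev(gaps) / mean(gaps) < max_jitter


def hunt(log_text, min_events=5, max_jitter=0.2):
    """Return (client, host, reason) findings for suspicious chat-service use."""
    events = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = parse_line(line)
        if host not in SUSPECT_HOSTS:
            continue  # only hunt on the watch-listed services
        events[(client, host)].append(ts)
        if "/api/webhooks/" in path:
            # Discord webhooks accept anonymous POSTs: a cheap exfil channel.
            findings.append((client, host, "discord-webhook-post"))
    for (client, host), stamps in events.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue  # too few requests to judge cadence
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if is_beacon(gaps, max_jitter):
            findings.append((client, host, f"beacon ~{mean(gaps):.0f}s"))
    return findings


if __name__ == "__main__":
    for client, host, reason in hunt(SAMPLE_LOG):
        print(f"{client:15} {host:20} {reason}")
```

Two findings come back for the sample: the webhook post from ws-hr-02 and the one-minute beacon from ws-finance-07; the developer workstation is ignored because github.com is not on the watch-list. In practice the interesting part is the tuning: a beacon with randomized sleep needs a looser jitter threshold, and a busy chat user can look regular over short windows, so hunt over at least several hours of logs.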
The writer is CEO of MADSEC, SQLink Group.