Iranian-linked hackers are now deploying highly targeted spear-phishing campaigns that can escalate into attacks on critical infrastructure, after years of quietly harvesting personal data worldwide.
The IRGC and its affiliates have spent the last decade collecting personal data from all over the world, not only from Israelis, which has allowed their phishing attempts to grow steadily more sophisticated, Dr. Daniel Cohen, head of Policy and Technology at Reichman University’s Abba Eban Institute and a senior researcher at Tel Aviv University’s Blavatnik Interdisciplinary Cyber Research Center, told The Jerusalem Post.
The regime and the groups it directly sponsors use these phishing attempts as part of a more intricate cyber campaign targeting government infrastructure and private companies, while hacktivist groups focus on psychological warfare.
More recently, since October 7, the Islamic regime has shifted its strategy to a method known as spear-phishing: sending fraudulent emails that pose as a trusted sender in order to collect confidential information from targeted individuals.
In 2024, suspected Iranian agents employed this strategy, posing as the Post in a failed attempt to collect information from former Israeli spokesperson Eylon Levy. The poor Hebrew translation in the email alerted Levy, though technology has advanced significantly since then.
More recently, malign actors sent a trojanized version of the official Home Front Command application, which would have installed sophisticated malware on Israelis' devices, allowing the hackers to intercept complete SMS inboxes, harvest contact books, and continuously track exact GPS coordinates, according to risk-monitoring firm CloudSEK.
Fake Google Meet link allows IRGC hackers to snap photos from victims
Despite the frequent attacks, the national authorities claimed they were able to foil the attempted breaches by coordinating their monitoring and response efforts.
DieNet, Team 313, Liwa Thar Allah, Fad Team, Cyb3rDrag0nzz, and Fynix are among the hacktivist groups that have claimed responsibility for the attacks, and several of the groups have listed their motivations as revenge for the assassination of Ayatollah Ali Khamenei.
Group 313 Team confirmed in a statement that it was targeting Israel, Jordan, the US, Saudi Arabia, the UAE, and Kuwait in response to the assassination.
The significant efforts made by Israel and its regional allies have largely contributed to the countries’ success in avoiding the attacks, Cohen explained, though he disclosed that he was unaware of how countries without normalized ties with Israel were managing the current level of cyber warfare.
The intelligence-sharing platform Crystal Ball, which Israel has used with Abraham Accords partners, has likely played a significant role in protecting the UAE, Cohen theorized.
He added that lessons learned from the Russia-Ukraine War created “more awareness” of how both cyber and physical attacks can disrupt critical infrastructure.
While the regional partners appear collectively strengthened against the regime’s strategy, Cohen confirmed that many of them have not adequately tackled the disinformation campaigns from malign actors, which can have a radicalizing impact.
The intelligence-sharing platforms have proven ineffectual for this threat, he explained.
Israel’s own government has “fallen behind” in this aspect, he claimed while discussing a paper he recently published on Israel’s need for a coordinated response to the online campaigns aimed at undermining public trust in Jerusalem and influencing decision-making.
“In recent years, advanced technologies such as artificial intelligence, large language models [LLMs], and deepfakes have become accessible and inexpensive. As a result, state and non-state actors around the world – including Israel’s adversaries – have already begun integrating these technologies into their efforts to carry out cyberattacks and influence operations,” he wrote.
While Cohen said he didn’t think there was a systematic funneling of disinformation to radicalize individuals, he said that the constant false information could lead to incitement and, in turn, physical attacks like those seen in Europe in recent years.
“There were many attempted attacks in Europe in the last decade by local Iranians who worked together with the IRGC or Ministry of Intelligence,” Cohen said, noting the planned 2018 bombing attack on the National Council of Resistance of Iran rally in France.