An operation attributed to Iran combined digital deception with physical wartime pressure during Israel’s conflict with Iran, delivering spyware through Android phone messages that offered what appeared to be real-time information about bomb shelters. The Associated Press reported that the links in the texts led to malware that gave hackers access to the device’s camera, location and other data, targeting people as they fled an Iranian missile strike.
Check Point Research Chief of Staff Gil Messing, cited in the report, said the tactic stood out because of when it arrived. He described the messages as being sent while people were running to shelters and said the timing was “synced and at the same minute,” calling it “a first.”
Experts told AP that the cyber fight is likely to outlast any ceasefire because cyber operations are comparatively easier and cheaper than conventional conflict, and because their purpose is often not to seize territory but to spy, steal and frighten. They also said Iran and its supporters have treated cyber capability as a way to offset military disadvantages.
In assessing the broader pattern, DigiCert field technology officer Michael Smith said investigators at the Utah-based company had tracked nearly 5,800 cyberattacks tied to Iran-linked groups, involving nearly 50 different groups. Smith said many of the campaigns targeted U.S. or Israeli companies and also identified attacks on networks in Bahrain, Kuwait, Qatar and other countries.
AP reported that the attacks often caused limited damage to economic or military networks when compared with the scale of the activity, but that their volume still pushed companies to defend themselves quickly and patch security weaknesses. Smith added that there are “a lot more attacks happening that aren’t being reported,” describing high-volume, low-impact operations as a form of intimidation because attackers can “reach out and touch” people even across continents.
The report also described cyber activity aimed at individuals and institutions beyond infrastructure. A pro-Iranian hacking group claimed responsibility for infiltrating an account of FBI Director Kash Patel and posting documents and photos that the report said appeared to be years old, with some items described as more than a decade old. AP said this resembled other Iran-linked intrusions that are designed to boost supporter morale and undermine opponents’ confidence without materially changing the course of the war.
Cybersecurity researchers told AP that health care and data centers have been targets in particular. The report said hackers supporting Iran claimed responsibility for attacking Stryker, a Michigan-based medical technology company, under an operation the group known as Handala described as retaliation for suspected U.S. strikes that killed Iranian schoolchildren. It also cited work published by Halcyon describing a separate attack on a health care company in which hackers used a tool linked by U.S. authorities to install destructive ransomware that shut the company out of its own network, with no ransom demanded and the motive characterized as driven by destruction and chaos rather than profit.
Cynthia Kaiser, a senior vice president at Halcyon, said in the report that the combination of attacks “suggests a deliberate focus on the medical sector rather than targets of opportunity,” and she added that as the conflict continues, targeting of that sector should intensify. The report also said Iran is likely to look for weaknesses in American cybersecurity supply chains that support the economy and the war effort, as well as critical infrastructure such as ports, rail stations, water plants and hospitals.
AP linked those cyber operations to a wider information contest in which artificial intelligence can both speed technical attacks and amplify disinformation. The report said AI can help increase the volume and speed of hacking by automating parts of the process, while also enabling bogus content: it cited deepfake imagery that supporters of both sides have shared, including one deepfake image of sunken U.S. warships that the report said had drawn more than 100 million views.
The report said Iranian authorities have limited internet access and are working to shape what Iranians see through propaganda and disinformation; it cited research that described Iranian state-run media labeling real footage as fake and sometimes substituting doctored images. It also said the U.S. State Department opened a Bureau of Emerging Threats last year focused on new technologies and how they could be used against the United States, alongside other federal efforts.
Finally, AP reported that U.S. intelligence leaders have said AI affects both attackers and defenders. Director of National Intelligence Tulsi Gabbard, cited in the report, told Congress that AI “will increasingly shape cyber operations with both cyber operators and defenders using these tools to improve their speed and effectiveness,” while the report noted that Iran has still launched operations targeting Americans in addition to other countries seen as greater cyber threats.