A special report released Wednesday morning by global Microsoft, led by Microsoft Israel, sheds light on Iranian cyber activities following Hamas's attack on Israel on October 7.
The company's researchers examined Iranian cyber activities in the context of the ongoing conflagration in the Gaza Strip and other fronts, yielding numerous insights that shed light on Hamas's strategies and how Iran was not initially part of the secret planning of the October 7 attack but was subsequently drawn into action by Hamas's designs.
The research was conducted by the Microsoft Intelligence Center, an international body of the tech giant comprising over 8,000 cybersecurity experts, researchers and analysts who analyze 65 trillion signals daily to detect threats and provide timely and pertinent insights.
According to the report, “Since Hamas attacked Israel in October 2023, Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners.”
Researchers said that Iranian groups “made use of new techniques we’ve not seen from Iranian actors, including using AI as a key component to its messaging” in order to “undermine Israeli security and intimidate the citizens of Israel and its supporters by delivering threatening messaging and convincing target audiences that their state's infrastructure and government systems are insecure.”
The use of artificial intelligence in social media influence campaigns was strikingly evident to anyone who encountered such content. This ranged from the dissemination of fake images of children amid ruins to the distortion of IDF operations, falsely depicting them as attacking the civilian population in Gaza.
"This isn't something new, but the scale at which we're seeing it now is unprecedented," Microsoft Israel National Security Officer Itzik Tzalaf explained to Ynet.
Tzalaf, who is responsible for the company's security relations with various state entities in Israel, from the government to security organizations, highlights Israel as a strategic asset for Microsoft. This strategic value is not derived from Zionism per se but rather because the company possesses significant assets in Israel that are crucial both from a business-economic and technological standpoint.
For example, the data center established in the Holy Land is pivotal for providing cloud computing services, applications and services to thousands of its regional clients.
Why does Iran need AI?
“It's a kind of transformation that the world is generally undergoing, impacting perception and more. How to scale? In influence operations, the Iranians aren't like the Chinese, who can deploy 10,000 researchers to write content right now. That's where the technology comes in. Public opinion is shaped by social media; hence, they've extensively used bots for content creation,” Tzalaf says.
However, Iran didn't turn to ChatGPT to ask OpenAI's friendly bot to write defamatory texts about Israel or its government. These bots are closely controlled and monitored, making it hard to believe Iran would risk exposing its cyber-influence efforts. Instead, it utilized public models, likely those that are open-source and not monitored.
"They are very cautious not to use models that are under surveillance because then they would be caught, and it would be quite easy to trace back to them. I assume they do it in ways, you know, that are anonymous," says Tzalaf.
Researchers explain in the report that Tehran’s main goal is to undermine the state but also to muddy the water in the online space in order to sow confusion and distrust.
The study notes that the scale of cyberattacks and their impact on Israel nearly doubled in the weeks following the outbreak of the war, representing a blunt attempt to reshape the discourse on the events and the war globally. Researchers also found a significant increase in the consumption of fake news and Iranian propaganda during October and November – even after the initial peak, consumption was about 30% higher than in the period before the war in English-speaking countries that support Israel, including the U.S.
The Iranian propaganda effort likely does not stop with English and is presumed to operate in other languages as well. However, the report notes a 42% surge in the reach of Iranian state-affiliated media in the first week after the outbreak of the Israel-Hamas war. “That surge was particularly pronounced in English-speaking countries closely allied with the United States,” it stated.
Where does this meet the average Israeli?
Tzalaf: "Mainly on social media, Telegram and TikTok. We can identify channels, including funded ones and the entities financing these channels. That means this is the information we know and, of course, share with those who need it, so not everything is published in this report. They focus it very well, it's very easy to spot fakes on Hebrew channels because they don't perfect it to the end. In English-language channels, where AI probably generates very high-quality content, it's easier for them. And there we also see an increase."
Iran's English-language activities hint at the possibility that it could be influencing a shift in attitudes among young Americans, particularly those aligned with liberal and progressive ideals. However, Tzalaf notes that the researchers did not specifically investigate this aspect, leaving this hypothesis unverified.
The study also did not find any evidence of coordination between Iranian cyberattacks and Hamas during the attack on Israel on October 7.
"Much has been said about the extensive cyberattack launched on the day of the terror attack, but even if very extensive cyber activity was found, it likely did not originate from Iran. At least not at first,” Tzalaf says.
“However, in the two weeks following October 7, Iran increased its support for Hamas through targeted breaches combined with cyber-based influence operations enhanced on social media. By the end of October, nearly all of Iran's influence and its key cyber players were focused on Israel in a more concentrated, coordinated and destructive manner, leading to an unrestricted campaign against Israel."
We've seen significant cyber activity from Iran against Israel, including breaches into companies and hospitals, among others.
“Our perspective, distinct from any other cybersecurity firm and any state cyber entity, is informed by a wide range of information we see both locally and globally. Thus, we have many angles on these attacks and do not view them in isolation. Only after they saw a Hamas attack did they launch their own attacks. Now, how do we prove this? If you noticed, this report is divided into three parts; the first is reactive, up to mid-October, which covers the first two weeks of the war. The Iranian groups active in Israel continued their operations without any significant increase in their involvement.
"There wasn't an addition in terms of new groups, and the volume indeed grew because they essentially leveraged the foothold they already had. That is, we didn't see anything new, no new tools, no new attacks; they just did more of it. After two weeks, there indeed was an addition of more attack groups from other areas directed toward Israel, where you then see a surge. Therefore, our analysis shows that they were also surprised but felt obliged to somehow support the attack (by Hamas). Thus, it was executed in such a manner and wasn't something of quality."
And Hezbollah, are they part of this? And the Russians?
"No. Hezbollah usually operates as a proxy organization, mostly guided by Iran and appearing under its threat umbrella. There is no coordination between the Iranians and the Russians. The Russians are very cautious, wary of being involved alongside the Iranians."
Have you observed any serious attempts to attack infrastructure?
"Attempts, yes. But again, these were attempts by existing groups with existing tools. They didn't manage to do anything significant, like cameras, hospitals; these are specific incidents that would happen in any way. Ultimately, it's an exploitation of known vulnerabilities."
So, are the Iranians lying in wait?
"They are currently waiting on the sidelines, which is why the scope of the attacks is more focused on perception, more of an annoyance cyber-wise. As a citizen sitting at home hearing about attacks on hospitals here and there, you get the impression of chaos and that Israel isn't coping with it. That's the level they are maintaining right now. We assume that their heavier tools haven't been deployed yet."
Iranian influence operations skyrocketed from one every two months in 2021 to 11 recorded instances in October alone. However, no attacks on high-quality targets, such as critical and security infrastructure, by Iranian-aligned actors were recorded.
According to Tzalaf, most Iranian bluster about successful cyber achievements was usually an exaggerated representation of minor incidents. For example, a hacker group named Cyber Avengers, associated with Iran’s powerful Revolutionary Guards Corps, published numerous photos of Electric Company facilities or unclassified documents, which in most cases did not result from a successful cyberattack but from combing public databases available online to anyone interested.
Nevertheless, the Iranians did not leave the stage solely to Hamas or the Russians. Starting in November, the Houthis and other Iranian-backed proxy groups in Iraq and Syria began to join in, primarily targeting U.S. targets.
Additionally, the Iranian campaign expanded to Muslim countries sympathetic to Israel, such as Albania or Bahrain. Companies engaging in trade with Israel also became targets of Iranian cyber operations.
However, at the current stage, as long as Iran does not become an active ally alongside Hamas, the likelihood that the scope of Iranian cyber operations will increase beyond influence operations remains relatively low.