Cyber War Rattling the Middle East

The retaliation attributed to Israel by Washington Post aimed neither to cause physical damage nor casualties, but to send a warning: We can harm you tenfold

by Yossi Melman 

About a month ago, Iranian intelligence launched a cyberattack on water installations in Israel. Perhaps because of the coronavirus crisis, the incident was greeted here with some indifference by the media and the general public, and seemed to pass nearly unnoticed. However, among cyber experts and organizations responsible for national security and infrastructure institutions, it aroused deep concern and intense discussion. 



Tuesday morning, The Washington Post reported that Israel was behind a cyberattack on the Bandar Abbas port terminal in southern Iran. According to the report, the attack took place on May 9, caused serious damage and disrupted shipping traffic for days. This apparent retaliation by Israel was clearly intended to send a warning to the Iranians without inflicting real physical harm or casualties.

As for the Iranian attack on Israel, aside from some minor damage to several water valves and control systems that have since been replaced, there was ultimately no significant damage to equipment or to the water supply. However, in cyberwarfare, the psychological-deterrent factor has an important effect and impact on the adversary.

Seeking to publicly play down the seriousness of the incident, the Israel National Cyber Directorate issued a laconic statement nearly two weeks ago, to the effect that “an attempted attack on water-control installations was identified” and added that “the water supply system was not affected and continues to operate normally.” The directorate’s spokeswoman, Libi Oz, declined to divulge any more details – such as who was behind the attack. However, based on American sources, Fox News reported that Iran was responsible.

The Washington Post report said that just two sites were attacked in Israel, but Haaretz has learned that the scope was in fact much broader and included dozens of installations throughout the country, focusing on control centers for water tanks, pumps, pipeline valves and more.

Standard procedure in Israel today is that the computer systems of security-related organizations (the Mossad, the Israel Defense Forces, the Shin Bet, the nuclear reactor in Dimona, the Biological Institute in Nes Tziona, military industries) and of critical civilian infrastructure are not connected to the Internet, in order to prevent a potential domino effect that would affect other sites and infrastructure in the event of a cyberattack.

In the recent incident involving Iran, the damage was minimal because the sites attacked were not connected to major water systems that are defined as “critical infrastructure.”

In the Israeli security establishment and civilian bodies in charge of offensive and defensive cyberwarfare, there is debate as to Iran’s cyber capabilities. Some feel that Iran is not a major player in this arena, certainly when compared to Israel and cyber powerhouses like the United States, China, Russia and other Western countries. Others believe that even if Iran is not among the world cyber leaders, it is definitely enhancing its capabilities and as evidence, they cite the massive attack on computers and installations belonging to Saudi Arabian oil giant Aramco last year.

In any event, Iran did not hesitate to launch its attack last month. Some experts believe that this was Tehran’s way of harassing Israel in response to its persistent campaign of strikes in Syria.

Iran operates defensive and offensive cyberwarfare units through its Revolutionary Guards and Intelligence Ministry, but like Russia, China and some other countries, it also uses individual hackers or teams of them who assume a wide variety names in an attempt to obscure the attacker’s true identity.

The fact that the incident last month was carried out via servers in the United States and Europe indicates a sophisticated effort, even though it was not the first time it was tried. The Iranian attempt to hide behind American servers angered U.S. officials who shared their analysis with Israel. Indeed, hardly a day goes by without Iranian cyber units and hackers trying to attack Israel via cyberwarfare.

There is no real clarity in Israel as to what constitutes “critical infrastructure.” For years, the Shin Bet was tasked with the cyber defense of such installations. In 2016, after a lengthy bureaucratic battle and much zigzagging, Prime Minister Benjamin Netanyahu passed a law that formalized the status of the National Cyber Directorate, defining it has having authority over and responsibility for critical civilian infrastructure alone.

Thus, in the recent Iranian cyberattack, water installations were hit, but not those that are classified as “vital critical infrastructure.” Given this latest incident, and now that a new government has been sworn in, somebody (perhaps David Amsalem, the new minister for cyber and national digital matters) ought to address this issue and put the cyber house in order. Rather than extending its responsibilities, including in the realm of research and development, the National Cyber Directorate should function as an agency where the majority of personnel deal solely with defense and not with matters that are also being addressed by other units.

From reactors to hospitals

Any discussion of cyberwarfare requires an understanding of two key terms: Information Technology and Operational Technologies. IT warfare is primarily used to infiltrate computers via the internet for espionage missions such as collecting information on enemies, disseminating false information, recruiting agents, sending messages, eavesdropping, code-breaking and so on. This type of warfare can, of course, also be used to harm or destroy software and operating systems. However, on the defense side, this same type of warfare is used to develop protective mechanisms preventing infiltrations, breaches, Trojan horses, viruses and other malware.

OT is designed to strike at the equipment that is operated by computers. This could include nuclear reactors, power stations, dams, aircraft, air traffic control systems, traffic lights, hospital equipment or water systems, which were the target of the recent attack.

For good reason, cyberwarfare is considered to be the fourth combat arm along with the ground, naval and air forces. Rather than launch a missile or drop a bomb on a nuclear reactor or power station, today one can attack a target’s computers and inflict equally serious damage. Cyberwarfare could also cause mass casualties if aimed at the electricity grid, dams, traffic lights, hospital systems, food and water plants, facilities that hold radioactive material and other targets. The potential for harm is so great that some say it is comparable to the damage from an atomic bomb or hydrogen bomb.

Alex Gibney’s 2016 documentary “Zero Days” (full disclosure: This writer was a consultant to the production) describes the joint operation (according to various reports) by Israeli intelligence (the Mossad and IDF Intelligence Unit 8200) and American intelligence (the CIA and National Security Agency) to introduce the Stuxnet virus into the Iranian nuclear program in 2011. The virus was inserted into computers that controlled the electricity boxes connected to centrifuges used for uranium enrichment at the Natanz plant.

The operation was partly successful and 1,000 (about a third of the centrifuges at the time) were damaged. The penetration was accomplished so skillfully that Iranian computer operators in the control rooms didn’t even notice it. On the downside, the virus was so powerful that it quickly got out of control and spread to other computers in Iran, among them those at other nuclear facilities, and from there to other places in the world. Even computers in the U.S. Department of Homeland Security were affected.

The success of Stuxnet as an additional tool in the effort to halt Iran’s then-rapidly accelerating nuclear program, derived in part from the country’s technological weakness. Exposure of the virus enabled the Iranians to learn from that incident, to make changes to their technological operations, to strengthen their cyber defense systems and to learn how to upgrade their offensive capabilities.