In April 2020 hackers infiltrated the systems of an Israeli water-pumping station and tampered with equipment. Individual pumps started malfunctioning as officials scrambled to keep water supplies flowing for millions of people. After the incident, which has been linked to Iran, officials said the damage could have been much worse: They suspect the attack was intended to poison water supplies by increasing chlorine levels. Weeks later, hackers targeted an Iranian port in an apparent act of retaliation.
“This was the first time that a nation responded immediately through the cyber medium for a cyberattack,” says Lotem Finkelstein, director of threat intelligence and research at Israeli cybersecurity company Check Point. The attacks, he says, marked the start of a new wave of hacking against infrastructure in the region, which has disrupted millions of lives.
In the past several months, those strikes have escalated. Fuel supply systems, railway controls, and an airline in Iran have all faced attacks. At the same time, hackers have posted the personal information of a million Israeli LGBTQ dating app users, and exposed certain details about the Israeli army. The skirmishes—which have included physical sabotage and the destruction of facilities—are the latest moves in the decades-long hostilities between Iran and Israel. They’re now spilling further into shadowy acts of digital espionage and disruption.
The attacks worry experts, who say the infrastructure that underpins large parts of daily life should be off-limits for state-sponsored hackers. The US Cybersecurity and Infrastructure Security Agency has set out 16 crucial sectors—including energy, health care, dams, and food—that it believes should be out of the scope of state-sponsored hackers. The attacks also come as Iran restarts nuclear weapons negotiations with world superpowers.
“It seems that this is a case of different actors trying to demonstrate their capabilities in order to basically establish a new kind of balance of power in the region,” says Esfandyar Batmanghelidj, a visiting fellow at the European Council on Foreign Relations think tank, who adds there has been greater diplomacy between countries in the Middle East in recent months.
The high-profile hacks on Iranian infrastructure have been wide-ranging in their targets and attributed to both state-sponsored actors and independent hacking groups. But they have one thing in common: They’ve caused chaos and confusion for ordinary people and businesses in the country.
On July 9 and 10 of this year, hackers disrupted Iranian train services and posted fake delay notices on digital billboards. “Long delays due to cyber attacks. More information: 64411,” read a message displayed on railway station signs. The phone number is linked to the office of Iran’s supreme leader, Ayatollah Ali Khamenei.
The railway attacks, according to analysis by Check Point that has subsequently been confirmed by New York–based threat intelligence company Intezer, were linked to a group of hackers dubbed Indra, after the Hindu god of war. The group has also conducted attacks in Syria, and is “unlikely” to be linked to a country, the analysis says. Check Point says that the little-known group appears to be “focused” on targeting entities that “cooperate with the Iranian regime,” and that it has also attacked a currency exchange and a Syria-based private airline, and threatened to attack a Syrian oil refinery in 2019 and 2020.