Invisible conflict: The paths of cyberwar between Iran and Israel and its repercussions on the Middle East
- July 9, 2025
- Posted by: Maram Akram
- Category: Middle East Unit Reports

Prepared by: Riham Mohamed
Researcher at the Middle East Affairs Unit
Contemporary warfare is no longer confined to conventional battlefields; the cyber domain has emerged as a parallel strategic front, one where security and military calculations intersect with the tools of technology and intelligence. In this space, traditional notions of deterrence and sovereignty are being redefined through unconventional means. The Iranian-Israeli war of June 2025 marked a pivotal shift in this evolving landscape, as it featured, for the first time on such a broad scale, a synergistic convergence between conventional military strikes and coordinated cyberattacks. These operations targeted the strategic depth of both sides, including critical infrastructure, financial institutions, and command and control systems.
Against this backdrop, the present report undertakes a temporal analysis spanning from 2010 to mid-2025, a period that witnessed the structural emergence of cyber warfare between Iran and Israel. It is a timeline marked by significant transformations in the scope, complexity, and intensity of operations. This specific timeframe was selected because it begins with the watershed “Stuxnet” cyberattack, which signaled a turning point in the digital conduct of the nuclear conflict, and extends to the dramatic escalation of June 2025, arguably the most perilous cyber-military confrontation to date between the two rivals, one that may well redefine the parameters of warfare in the Middle East.
The report traces the evolution of the Iran-Israel cyber conflict through a sequential analysis of the attacks, their strategic objectives, and cumulative consequences while emphasizing both the direct and indirect ramifications for regional security dynamics across the Middle East.
First: Diverging goals… Conflict in different concepts:
The cyberattacks carried out by the two sides were characterized by a clear difference in objectives, scope and methods:
On the Israeli side, a strategy emerged based on precise pre-emptive strikes, which aimed to disrupt or reduce the effectiveness of sensitive Iranian infrastructure, especially nuclear facilities, ports, energy and logistics facilities, as part of continuing efforts to prevent “Tehran” from reaching the nuclear threshold or strengthening its regional presence. Israel has used advanced technologies supported by a powerful electronic intelligence service led by Unit 8200 and the Mossad, which allowed it to carry out complex operations that combine the field and cyber dimensions.
In contrast, Iran relied on “symbolic and retaliatory attacks,” targeting civilian institutions inside Israel such as hospitals, water networks, insurance companies, and some government sites. The main goal behind these operations was to weaken Israeli citizens’ confidence in their security and government system, to sabotage their daily lives, and to send messages of deterrence through unconventional means. Iran has also benefited from networks of cyber agents such as the “Black Shadow,” “Moses Stick,” and APT35 groups. This gave it deniability and helped it diversify its methods of attack and increase its scope.
Second: An ascending sequence of attacks: from limited sabotage to comprehensive hybrid warfare:
On the Israeli side: the development of Israeli attacks against Iran and its regional proxies during the period from 2010 to 2025 can be traced through four main stages, reflecting a gradual shift from tactical cyber operations to hybrid warfare with multiple tools and arenas:
The phase of selective sabotage and technical control (2007–2014): Israeli operations began with what are known as “smart strikes” that aimed to disrupt vital infrastructure without provoking a direct confrontation. This was embodied in the “Stuxnet” attack, the first offensive cyberattack attributed to Israel and the United States, in which Iran’s nuclear program was targeted by destroying thousands of centrifuges in “Natanz”. The operation to intercept the Iranian ship in the Red Sea (2014) was also an indication of the extension of the military intelligence dimension to the sea lanes. This stage thus witnessed a combination of electronic sabotage and secret field operations, while maintaining the character of a “shadow war”.[1]
The stage of intelligence and cyber penetration (2015–2020): The scope of operations expanded to include third countries such as Lebanon, through the hacking of the “Ogero” company (2017) for broad espionage purposes. Inside Iran, the theft of the nuclear archive (2018) represented the culmination of coordinated intelligence work. The repeated “Natanz” bombings and the assassination of “Fakhrizadeh” (2020) constituted a turning point towards combining cyber sabotage and smart assassination using artificial intelligence.[2]
The stage of destabilizing the Iranian depth and dismantling networks of influence (2021–2023): During this period, Israel intensified its operations targeting the Iranian institutional and security structure through precise cyber strikes and exposing intelligence penetrations within the Iranian regime, as stated in the statements of “Ahmadinejad” and “Ali Younesi”. The scope of the targets was expanded to include military factories (Isfahan 2023) and command centers, in parallel with the use of drones and guided weapons.
The phase of comprehensive cyber-field war (2024–2025): With the escalation of tension in mid-2024 and the assassination of prominent leaders such as “Ismail Haniyeh” inside Tehran, the conflict entered the phase of comprehensive hybrid war. This phase included assassinations of military leaders inside Iran and the bombing of the pagers of thousands of Hezbollah members, which was known as the “Beiger” bombings. The operations also extended to Lebanon through a series of systematic assassinations of party leaders, most notably the assassination of the party’s Secretary-General, Hassan Nasrallah, and from there to Syria and the Red Sea as advanced sites for security work.
In June 2025, Israel was able to deliver precision strikes to advanced Iranian air defense systems, such as the “Power-373” and “Khordad-15”, by destroying their radars and launchers, crippling Iran’s ability to monitor or intercept air attacks. This was followed by the systematic targeting of the associated defense structure, which included radar systems such as “Kavush” and “Marsad”, as well as missile platforms and ammunition depots, in parallel with the penetration of military communications centers and the disruption of operational coordination within the Iranian Revolutionary Guard, especially in the electronic warfare units and the Encrypted Communications Command.[3]
On the cyber side, Iran was subjected to unprecedented electronic attacks that paralyzed 97% of the Internet on June 18 and caused the collapse of the country’s digital infrastructure. This coincided with an attack on “Sepah Bank” that led to the theft of 12 terabytes of sensitive data and its public leak, while the “Nobitex” cryptocurrency exchange was targeted with direct losses amounting to about $90 million.[4]
In light of this, the qualitative transformations witnessed by the Israeli attacks can be summarized as follows:
2010–2014: This period started with advanced viruses like “Stuxnet” and hacks directed at the nuclear structure.
2014–2018: This period witnessed a geographical expansion in Israeli operations to include Lebanon, Syria and the Red Sea.
2018–2021: Dual operations increased, including cyber and field operations, such as assassinations of scientists.
2022–2025: This period embodied the shift to a comprehensive hybrid war, targeting the economy, the media, and political leaders.
On the Iranian side: Iranian cyberattacks on Israel, since 2011, have constituted one of the most prominent manifestations of the undeclared war between the two parties, as Tehran sought to exploit the digital space as a means of pressure and response, in addition to developing unconventional deterrence tools to compensate for its traditional deficiency in the balance of power with Tel Aviv. Accordingly, the development of Iranian attacks against Israel and its allies during the period from 2010 to 2025 can be traced as follows:
In the period between 2011 and 2013: Iranian activities focused on targeting American institutions, especially in the financial sector, through “DDoS” attacks that targeted 47 banks and institutions. In addition, there were attempts to penetrate infrastructure, such as an attempt to control a water dam system near New York in 2013, which was thwarted as a result of a technical (maintenance) coincidence. Iranian groups also carried out large-scale infiltration operations into academic institutions in the United States and other Western countries and were able to steal more than 31 terabytes of data from about 176 universities.[5]
Between 2014 and 2020: Attacks towards the Israeli side began on a limited basis during the aggression on Gaza in 2014 (“Protective Edge”), where the account of the Israeli Minister of Defense was hacked and some platforms were jammed without resulting in major strategic damage. By 2020, the digital confrontation had moved to a bolder stage, with accusations that Iran was attempting to penetrate and control the Israeli water network with the aim of carrying out a sabotage attack that may threaten public safety. These attempts were followed by efforts to target research centers working to develop vaccines against Corona, despite their failure to achieve clear goals.[6]
From 2020 to 2023: A period began that can be described as the “stage of psychological and economic attacks,” as the group (Black Shadow) linked to Iran emerged through the hacking of the insurance company “Sherbit”, which led to the data of thousands of customers being leaked and a financial ransom being demanded. In 2021, the “Moses Stick” group appeared, targeting Israeli hospitals and defense companies, revealing vital data and stealing sensitive information, causing temporary paralysis of some health facilities. Groups such as “APT35” (Charming Kitten) also attempted to exploit global vulnerabilities such as “Log4j” to target seven Israeli government agencies, but the attempt was thwarted.[7]
In March 2022, parties believed to be linked to Iran launched a “DDoS” attack on the Israeli government domains gov.il, causing some sites to be disabled for a certain period. The January 2023 attacks focused on a symbolic media hack represented by the publication of pictures of “Qassem Soleimani” and threatening messages through Israeli media.[8]
In light of this, the features of Iranian doctrine in this field can be summarized as follows:
Gradual and compound escalation, ranging from jamming attacks to direct psychological targeting.
Diversity of objectives, including vital installations such as water, important sectors such as health and insurance, and media platforms.
Use of symbolic threat tactics and financial demands, to bring about public and political pressure on the Israeli Government.
Reliance on intermediary groups, which gives Tehran greater flexibility and deniability without incurring direct losses.
The impact of cyber conflict on regional security in the Middle East:
The cyber escalation between Israel and Iran in June 2025 brought about a radical shift in the nature of regional threats, as the digital space moved from being a secondary arena to a main field of conflict. This shift included multiple parties that went beyond the borders of the two traditional rivals, affecting the regional security systems and sovereignty of neighboring countries. The repercussions of this confrontation appeared through several strategic paths:
Expanding the scope of the conflict to unconventional regional dimensions: The use of cyber tools has transcended the bilateral nature of the conflict (Israel-Iran), as attacks targeting digital environments were observed in neighboring Arab countries, whether directly or through non-governmental agents (hacktivists). In Qatar, for example, a number of Doha residents reported strange changes to their locations on their mobile phones during the final days of the June war; they were wrongly located as being inside Iran. This extension means that any future clash between major regional powers may quickly spill over to third countries without prior warning or preparation. This creates a new security reality that shows that neutrality no longer provides protection against digital involvement.[9]
Changing concepts of regional deterrence: Cyberwarfare has imposed a new type of deterrence, relying on asymmetric and undeclared response as an alternative to traditional military response. Any country or even a non-governmental organization can now carry out a disruptive attack on infrastructure without being exposed to clear political costs. This has led to new rules of the game that create great confusion: the red lines have become blurrier than before, which reduces the ability to control escalation and increases the possibility of sudden crises.
The fragility of the information infrastructure and the absence of institutional protection: The war demonstrated the fragility of most of the digital infrastructure in the region, as it was noted that a large number of countries lack integrated digital defense mechanisms or effective strategies to recover from cyberattacks. Any political or security crisis could develop into a parallel cyber crisis through the targeting of electronic payment systems, government service platforms, or sensitive data centers, which leads to partial or complete paralysis in government operations.
Consolidating technical polarization in the region: The cyber conflict has deepened the existing division in the Middle East between two technical axes:
The first axis possesses outstanding offensive capabilities and is led by an Israeli entity supported by modern Western technologies (American and European cybersecurity and intelligence assistance companies).
The second axis seeks to bridge the gaps by penetrating and emulating or relying on support from the West’s opponents. This axis is led by Iran and enjoys the support of parties such as Russia and non-governmental groups. This differentiation not only reveals differences in capabilities but also deepens the long-term imbalance and threatens to create a “sovereign digital divide” that may be used during crises to reshape the balance of power.
The absence of regional cooperation to confront common digital threats: Although most Arab countries are aware of the seriousness of the threat, no signs of joint regional coordination appeared during the war period, nor were early warning mechanisms activated, and there is still a lack of a unified Arab cyber operations center or a collective framework for exchanging information between sovereign entities. This is due to the varying levels of digital security between different countries, different political visions, and a lack of technical confidence between some bodies.
This deficiency not only threatens the effectiveness of crisis response, but also gives adversaries the opportunity to exploit individual weaknesses to undermine the Arab system in general.
The absence of “digital self-sufficiency”: The war brought to light the problem of dependence on digital security service providers from abroad. In light of this escalation, some Gulf countries moved to strengthen their contracts with cybersecurity providers from abroad, especially from the United States, Germany, and Israel, in an unannounced manner. These arrangements have proven relatively effective in thwarting some digital risks. However, they revealed a deep strategic crisis represented by the absence of “digital self-sufficiency”. Relying heavily on foreign tools and companies may seem technically beneficial, but it exposes digital sovereignty to external interference and postpones the establishment of an independent local structure.
Conclusion and recommendations:
The cyber war between Iran and Israel is no longer just one of the chapters of the “shadow war” between the two parties. Rather, it has become a clear example of the changing balance of power in the twenty-first century. The balance of power is now measured not only by the size of armies or weapons, but also by the ability of countries to control information, disrupt systems, and penetrate minds before borders. The digital environment provided each of them with an unconventional arena for settling scores, but the results revealed a clear disparity in effectiveness. More importantly, this cyber conflict is no longer a closed bilateral matter. Rather, it is a warning signal to the rest of the countries of the region and the world that their national security is no longer limited to land, sea and air borders, but rather has become vulnerable to hacking through single codes or simple vulnerabilities in operating systems.
Accordingly, it is expected that the conflict will witness deeper changes at the level of tools and parties involved, as reliance on artificial intelligence is likely to increase in carrying out attacks with high accuracy and speed, while reducing the need for human intervention. This comes in parallel with the privatization of attack tools and the use of digital agents, which makes the deterrence and accountability process more complex. More dangerous than that is the possibility of these tools leaking to non-governmental actors, which may lead to digital chaos that extends across borders and poses a threat to the national security of countries without the need to declare war. As this situation develops, the need to reconsider the concepts of deterrence and sovereignty within cyberspace emerges.
Based on the above, a set of recommendations stands out that can strengthen cybersecurity at the regional level and reduce the risk of digital escalation in unstable contexts:
Strengthening digital sovereignty as a strategic priority: Information security should be considered an integral part of national security, by integrating digital infrastructure into the state’s defense doctrine, and developing strict policies to protect data and sensitive cyber areas.
Establishing a unified Arab cyber front: The new reality in the Middle East requires the establishment of a regional digital defense network, operating according to a common strategy and advanced mechanisms for monitoring threats and exchanging information, in a way that reduces the gap with advanced regional powers in this field.
Developing offensive cyber deterrence capabilities: Traditional defensive approaches are no longer sufficient. Rather, countries must adopt digital deterrence tools capable of anticipating threats and imposing a political and technical cost on any party that tries to target their cyber depth.
Fortifying highly sensitive civilian facilities: hospitals, water stations, and energy networks are no longer just service facilities, but rather strategic targets in cyber wars, which imposes the necessity of rehabilitating them electronically and providing them with independent and effective protection systems.
Investing in cyber human capital: It is not possible to build a digital defense infrastructure without qualified cadres, which requires supporting specialized education and training programs in cybersecurity, and encouraging the establishment of national institutes and research laboratories that produce their tools and solve their problems from within.
Reducing dependence on foreign security providers: Dependence on foreign companies that provide digital security services must be reduced, as this poses a threat to cyber sovereignty and gives external parties an indirect ability to influence national systems during crises.
Engaging in formulating international rules for cyberspace: The Arab world should not remain a spectator in shaping the laws of war and peace in the digital space, but rather participate actively in building an international legal system that governs this field and safeguards regional interests.