Full Report
New insights from Radware identified that Israel launched high-impact cyber strikes targeting Iranian financial infrastructure. In response, Iran... The post Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Israel-Iran Cyber Conflict Escalation (Q2 2025 Summary)
## Executive Summary
The escalating geopolitical conflict between Israel and Iran rapidly expanded into cyberspace, characterized by state-sponsored disruptive attacks targeting critical infrastructure and an intense parallel disinformation war. Israeli-linked actors launched high-impact strikes, including data destruction in Iranian financial institutions, while Iranian-aligned groups responded with DDoS, ransomware, espionage, and mass psychological operations against Israeli civilian systems. The conflict showcases modern hybrid warfare, posing significant risks of regional destabilization and collateral damage to global organizations.
## Incident Details
- **Discovery Date:** Ongoing; the cyber activity escalated alongside hostilities in the week preceding Radware's advisory (mid-June 2025). The reporting gives no single discovery date.
- **Incident Date:** Conflict began in the week preceding the advisory, with major cyber events reported throughout that week.
- **Affected Organization:** State-owned Bank Sepah (Iran); Various Israeli Critical Infrastructure (CI) sectors.
- **Sector:** Financial Services, Government/Public Sector, Manufacturing, Telecommunications, Media/Internet.
- **Geography:** Israel and Iran, with wider international targeting (US, Jordan, UK).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing; escalated in the week preceding the advisory.
- **Vector:** Varied, including phishing, leveraging vulnerabilities in internet-connected devices (security cameras).
- **Details:** Attacks suggest both state-sponsored spear-phishing campaigns and opportunistic exploitation of known security weaknesses.
### Lateral Movement
- **Details:** Prior Iranian-backed APT activity against Israeli water, transportation, and surveillance networks demonstrates the capability, but specific lateral movement details for the *current* surge are not reported; the coverage focuses on impact events.
### Data Exfiltration/Impact
- **Date/Time:** On June 17, the Israel-linked hacking group Gonjeshke Darande claimed to have infiltrated Bank Sepah.
- **Impact (Iran):** Widespread service outages at Bank Sepah, with customers unable to access accounts or withdraw cash; Israeli-linked actors also conducted "major cyber strikes" against other Iranian critical infrastructure.
- **Impact (Israel):** Waves of DDoS attacks and spam/disinformation messages targeting Israeli civilian systems.
### Detection & Response
- **Detection (Israel):** Detection of phishing, DDoS activity, and fake emergency broadcasts targeting civilians. Israel National Cyber Directorate confirmed increased targeting of internet-connected cameras for Iranian intelligence gathering.
- **Detection (Iran):** Detection of service outages and data destruction at Bank Sepah following claims by Gonjeshke Darande.
- **Response Actions:** Israel mounted active defense against DDoS and disinformation campaigns. Iran engaged in counter-influence and disinformation operations to mitigate perceived damage/fear.
## Attack Methodology
- **Initial Access:** Phishing, Exploitation of Internet-Connected Devices (e.g., security cameras).
- **Persistence:** Not explicitly detailed, but implied through state-sponsored group activity.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed. The high volume of nuisance DDoS traffic may absorb defender attention while more targeted espionage and destructive operations proceed, but the reporting does not establish this as a deliberate evasion technique.
- **Credential Access:** Implied as part of state-sponsored espionage targeting infrastructure.
- **Discovery:** Espionage campaigns mentioned related to Iranian APTs targeting various Israeli sectors.
- **Lateral Movement:** Not explicitly detailed in scope for this incident cycle.
- **Collection:** Intelligence gathering via hijacked private security cameras in Israel.
- **Exfiltration:** Not explicitly detailed. The Bank Sepah operation is reported as data destruction (an Impact technique) rather than data theft; the only collection activity described is intelligence gathering from hijacked cameras.
- **Impact:** Destructive malware/data wiping (Bank Sepah), Denial of Service (DDoS), and Psychological Warfare/Disinformation.
## Impact Assessment
- **Financial:** Service outages and remediation costs likely significant, including the disruption at Bank Sepah.
- **Data Breach:** Data destruction at Bank Sepah; Intelligence gathering via compromised security cameras in Israel.
- **Operational:** Significant disruption to the Iranian banking sector; High operational tempo for Israeli CI defenders fending off DDoS and managing ongoing disinformation.
- **Reputational:** Coordinated disinformation campaigns designed to undermine public confidence in Israel.
## Indicators of Compromise
- **Network Indicators:** No specific IP addresses or domains are published in the reporting; the observable is a high volume of DDoS traffic from hacktivist groups skewing toward Iran-aligned sources.
- **File Indicators:** Destructive wiper malware was claimed to have been used against Bank Sepah; no hashes or sample details are published.
- **Behavioral Indicators:** Mass distribution of AI-generated disinformation and spoofed emergency text messages appearing to originate from Israeli Home Front Command. Coordinated targeting of specific CI sectors (Government, Manufacturing).
## Response Actions
- **Containment:** Israeli agencies actively defending against high volumes of ongoing DDoS attacks and monitoring for espionage intrusions.
- **Eradication:** Not publicly detailed; banking systems subjected to data destruction would typically require rebuilding and full restoration from backups (an inference, not a reported action).
- **Recovery:** Public communication efforts in Israel addressing false alarm text messages.
## Lessons Learned
- The conflict highlights the immediate translation of geopolitical tensions into high-intensity, multi-vector cyber warfare involving state actors and aligned hacktivists.
- Disinformation, amplified by AI, is a primary weapon used concurrently with disruptive technical attacks to achieve psychological dominance.
- Reliance on unpatched or poorly secured IoT/internet-connected devices (e.g., security cameras) creates significant national security intelligence gaps.
## Recommendations
- Mandate immediate review and securing of all geographically dispersed internet-connected surveillance devices (e.g., security cameras) to prevent intelligence gathering.
- Implement advanced detection capabilities specifically targeting AI-generated synthetic media used in influence operations.
- Increase defensive posture across critical infrastructure (especially finance and government) against high-volume DDoS attacks driven by surge hacktivist activity.