Our Approach

Detecting targeted attacks

Definitive Guide to Ransomware

Threat profileIsrael

Israel can be considered as one of the world's leading cyber powers. It was one of the first countries to acknowledge the importance of cyber in modern day conflict. It has also faced innumerous cyber-attacks since then. Its offensive activities in cyberspace can be characterized by quality over volume. A limited number of highly targeted and sophisticated operations is attributed to Israel. These operations are in line with their political and security interests. Furthermore, Israel has developed a unique ecosystem of public-private cooperation that led to the creation of a vibrant cyber security tech-industry. This has created a fruitful ground for further capability development.

  • Strategic motives: Espionage, information theft, disruption
  • Strategic goals: Becoming a leading nation in cyberspace; mitigating regional threats; achieving regional cyber superiority
  • Cyber capabilities: ★★★★☆
  • Number of known cyber operations: ★☆☆☆☆
  • Number of APTs: 11

Cyber capabilities

Highly advanced, mature and integrated in intelligence services

Israel was one of the first countries that started to acknowledge that cyberspace can pose significant threats to national security.[1] It is also constantly under attack by neighbors for geopolitical/ideological reasons. Therefore, Israel has set out the goal to become one of the world’s leading cyber powers while achieving regional cyber superiority and developed a sophisticated set of both defensive and offensive cyber capabilities to accompany this ambition. Israel has a relatively low number of known operations, but the ones that are known are highly sophisticated and successful. This indicates that Israel carefully uses its capabilities in a very targeted manner (in line with political and security interests).

It is assessed that Israel has multiple military and intelligences agencies equipped with offensive cyber capabilities.[1] The Israeli Defense Forces (IDF) houses two units that are mainly responsible for its cyber operations. The first one is the C4I Directorate, which is primarily tasked with defensive operations and support. The second is Unit 8200, which is subordinate to Aman (the Military Intelligence Directorate). Unit 8200 reportedly is primarily responsible for offensive cyber capabilities. The development of the Stuxnet worm is for example attributed to the US in collaboration with Unit 8200 (see case 1). It is assessed that, since then, Israel has developed an arsenal of offensive capabilities focus on disrupting critical infrastructures of (potential) adversaries.[1] Israel’s other intelligence services, the Mossad (Secret Intelligence Service) and Shin Bet (Israeli Security Agency), also have their own cyber capabilities, but reportedly also collaborate and use the capabilities of Unit 8200.[1]

Furthermore, what characterizes Israel's position in cyberspace, is that it has created an outstanding ecosystem of close cooperation between the government, its intelligence agencies, the private industry and academia.[1][5] The government heavily invests in the IT-and cyber security sectors to develop both its offensive and defensive capabilities and to maintain cyber superiority in the Middle East. Israel has created an invaluable ecosystem of public-private cooperation that fuels the development of its vibrant cyber security tech-industry. These factors combined make that Israel has globally one of the most competitive cyber industries.[1][5] ShinBet for example revealed how it has built a ‘garage’ of technology start-ups with the goal of in order to cooperate on challenges relating to national security.[17] However, some of its technologies have been criticized by other countries for providing authoritarian regimes with solutions to spy on its citizens (see case 2).

Next to that, there are sections within Unit 8200 that specialize in R&D on cyber capabilities. There are many employees within the Israeli cybersecurity start-up community that have previously worked for Unit 8200.[1] This creates a unique collaboration and knowledge transfer between Israel's private sector and its intelligence agencies, often leading to technological advantages as such technologies can be tested on actual 'battlegrounds' before bringing them onto the global market.[1][5] This is contrary to the practice within most western countries that maintain some distance between its intelligence services and tech-industries. Shin Bet even publicly announced this invitation for creating this 'win-win situation' through cooperation with the tech start-ups.[15]

Israel also heavily invests in human capital. It is one of the few countries that offers courses in cybersecurity starting at the high-school level.[1] This creates a breeding ground for cybersecurity talents that the IDF can in turn recruit for a position within its units. Another way in which Israel tries to strengthen its position in cyberspace, is by creating closer ties with other strong cyber nations and international private organizations.[1] This set-up enables more collaboration and knowledge-sharing opportunities for Israel, which is likely to further strengthen its position in cyberspace.

CASE 1: Operation Olympic Games (2010)

In 2010, a piece of malware called Stuxnet was discovered on computers within a nuclear plant facility in Natanz, Iran.[3] The malware was designed to target (SCADA) systems in the industrial environment. After the malware was activated, the nuclear centrifuges started to continuously changing speed, eventually breaking the centrifuges. It is believed that the malware was built by the USA in collaboration with Israel, with the purpose of destroying the centrifuges in the nuclear power facilities and therewith delaying Iran’s nuclear program.

CASE 2: NSO Group Pegasus spyware (2016)

NSO Group is an Israeli technology company specialized in offering surveillance applications to customers such as governments and law enforcement agencies. One of its applications is called ‘Pegasus’, which is a mobile phone spyware suite. When installed on a phone (without the user’s knowledge or permission), it begins to collect the target’s data, such as passwords, contact lists, calendar events, etc. An investigation of Citizen Lab showed that Pegasus has been used by 33 different customers in 45 countries, for surveillance operations.[16] Although the application is developed for ‘Lawful Interception’ purposes, at least six of the countries have questionable human rights records. Therefore, NSO Group’s due diligence procedures have been severely questioned and it has been accused of providing authoritarian regimes with tools to spy on its citizens, therewith facilitating the violation of human rights. This has led to 'Pegasus' and NSO itself to become controversial in recent years.

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • Advanced defensive and offensive cyber capabilities
  • Close cooperation between the government, private industry and academic sector
  • One of the most competitive cyber industries in the world
  • Large pool of human capital

Weaknesses

  • Their technology and solutions will not be trusted by every nation and may hinder growth potential
  • Reputational damage from organizations like NSO

Opportunities

  • Developing increasingly sophisticated cyber capabilities through investments in the Israeli IT sector
  • Creating technological advantages by testing cyber capabilities on actual 'battlegrounds' before bringing them onto the global market

Threats

  • Constantly under attack by regional adversaries
  • The close relation (and arguably integration) between intelligence agencies and the cyber tech-sector may backfire (e.g. NSO)s

Geopolitical relations

Interactions with other nations

Whilst sentiments on Israel's position have eased over the years, relations between Israel and neighbors in de Middle East remain volatile and marked by rivalry for regional influence and ideological differences.[2] This rivalry can be explained by the Arab-Israel conflict, which is centered around the contested sovereignty of the State of Palestine.[12] Historically, Israel and the US have had a strong relationship. The US has provided longstanding diplomatic, financial and military support to Israel.[13] This support appears to be primarily rooted in advancing the US's own strategic interests (e.g. countering illiberal regimes and having a better intelligence position in the Middle East).

Strategic motives

Controlling your cybersecurity risks

Israel has been part of a longstanding conflict with Arab countries in the Middle East. This rivalry has resulted in Israel facing a plethora of threats from both nation states and organized groups. Israel's activities in cyberspace are therefore (partly) motivated by the need of collecting intelligence on neighboring countries on the one hand, and strategic disruption of adversary targets on the other.

The legitimacy and sovereignty of Israel are under a constant threat, ranging from nation states (e.g. Iran and Lebanon), to substate organizations (e.g. Hezbollah and Hamas) and terrorist organizations (e.g. (Palestinian) Islamic Jihad and ISIS).[7] To avert these threats, Israel actively uses cyberspace as a mode of deterrence, to neutralize threats and to retaliate (see case 3), as Israel holds the view that this cannot be done by only focusing on having strong defenses, but that offensive operations are necessary to achieve results.[7] Therefore, one of Israel's most important strategic goals is to maintain regional cyber superiority.[8]

Moreover, because of the volatile environment in which Israel is situated, it aims to maintain intelligence superiority to ensure sufficient early warnings on adversaries' movements.[7] Therefore, cyber espionage operations are largely focused on collecting strategic intelligence on intentions from neighboring countries. The Flame and Duqu viruses are two examples of malware being (partly) developed by Israel with the purpose of collecting intelligence on Iran's nuclear program (case 4).[9][10]

Concluding, to understand Israel's activity in cyberspace, it is relevant to looked at the relationship between Israel and its adversaries. There has been long-standing hostility between Israel and other countries in the region and that Israel wants to dominate cyberspace in this conflict. Therefore, one can speak about a persistent adversary relationship with regional adversaries.[11] A persistent adversary relationship is characterized by an actor who has the motivation, resources and capabilities to inflict harm upon adversaries for a long period of time, whilst at the same time having a stronger motivation to resist any threats as result of its actions. In this case, Israel is very motivated to maintain regional cyber superiority and already has indicated that offensive operations are a part of this ambition. At the same time, it is continuously under attack and although it has faced successful attempts, it manages to mitigate the majority of the attacks.

CASE 3: Cyber attack on Iranian port (2020)

In May 2020, the port of Shahid Rajaei, located in Iran, was hit by a cyberattack.[4] The attackers managed to damage a number of systems, that impacted operations at the port. The attack was reportedly carried about by Israel, as a form of retaliation against an earlier cyberattack on Israeli water systems.

CASE 4: Flame and Duqu viruses (2012)

The Flame and Duqu viruses are two examples of malware (partly) developed by Israel with the goal of collecting intelligence on adversaries. The Flame virus was allegedly jointly developed by the US and Israel with the purpose of collecting intelligence to help slow down Iran’s nuclear program.[9] The Duqu virus has for example been used by Israel to collect intelligence on the talks that were going on between China, France, Russia, the UK, the US and Europe on Iran’s nuclear capabilities.[10] In both cases, the malware was assessed to be highly sophisticated, illustrating Israel’s intelligence gathering capabilities on this front.[9][10]

Israeli APTs

OUR OBSERVATIONS

0

Advanced Persistent Threats (APTs)

0

Tactics, Techniques & Procedures (TTPs)

0

Attack tools

Hunt and Hackett currently observes four Israelian APTs. Note that this is a small dataset and that anomalies in the data appear larger than they actual are. Despite the statistical significance being lower in this case, on a general level it adequately illustrates how Hunt & Hackett's Threat Diagnostic System works and on the country level it still does give context on Israel's focus in cyberspace. Figure 1 shows that Israel has a large focus on other countries situated in the Middle East. This can be explained by the long-standing hostility between Israel and other countries in the region and Israel wanting to dominate cyberspace in the conflict.

Picture 1-1

Figure 1 - targeted countries by Israeli APTs

Anomalies are based on differences between Israel and the rest of the actors in the dataset. In other words, anomalies indicate to what extent Israel has a larger focus on certain countries or sectors when compared to all the actors that Hunt & Hackett tracks. A large spike can be observed in Tunisia (see figure 2). Although this outlier looks more extreme to the small dataset, it still gives more context on Israel's regional focus. In this case, an APT called Bahamut targeted human rights activists situated in Tunisia. Although Bahamut reportedly is a spy-for-hire group rather than a nation state actor, it appears to be working for multiple states in the Middle East.[14] Therefore, although there is no evidence of Israel contracting Bahamut, it is not beyond the realm of possibility that it has made use of Bahamut's capabilities at some point in time.

Picture 2-1

Figure 2 - anomalies in the data compared to the global threat landscape (observed countries)

Israeli APTs primarily target entities in the government and political sectors (see figure 3). This focus can be explained by the large volume of intelligence that Israel wants to gather in order to ensure sufficient early warnings on adversaries' movements.

Picture 3-1

Figure 3 - targeted sectors by Israeli APTs

The anomalies also confirm Israel’s large focus on political targets (see figure 4). It characterizes Israel’s profile as actor in cyberspace, as its operations are centred around the need to collect strategic intelligence on countries in the Middle East to ensure sufficient early warnings and to occupy a position of regional superiority.

Picture 4

Figure 4 - anomalies in the data compared to the global threat landscape (sectors)

This profile aims to describe Israel's cyber power from a threat intelligence perspective. For a geopolitical angle of Israel's cyber power, see the chapter on Israel from IISS’s research paper called 'Cyber Capabilities and National Power: A Net Assessment' (downloadable as PDF) on https://www.iiss.org/blogs/research-paper/2021/06/cyber-power---tier-two.

Sources

  1. IISS. Cyber Capabilities and National Power: A Net Assessment.

  2. https://www.brookings.edu/research/the-new-geopolitics-of-the-middle-east-americas-role-in-a-changing-region/

  3. https://www.cfr.org/cyber-operations/stuxnet

  4. https://www.washingtonpost.com/national-security/officials-israel-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html

  5. Partnership for Peace Consortium of Defense Academies and Security Studies Institutes. Israel Defense Forces and National Cyber Defense.

  6. State of Israel Prime Minister’s Office, National Cyber Directorate. Israel National Cyber Security Strategy in Brief.

  7. Belfer Center Special Report. Deterring Terror: How Israel Confronts the Next Generation of Threats. English Translation of the Official Strategy of the Israel Defense forces

  8. French Institute of International Relations. Israeli Cyberpower: the Unfinished Development of the Start-up Nation.

  9. https://www.reuters.com/article/net-us-usa-cyber-flame-idUSBRE85I1QQ20120619

  10. https://www.theguardian.com/technology/2015/jun/11/duqu-20-computer-virus-with-traces-of-israeli-code-was-used-to-hack-iran-talks

  11. Sergio Caltagirone, Andrew Pendergast & Christopher Betz. The Diamond Model of Intrusion Analysis.

  12. https://www.cfr.org/global-conflict-tracker/conflict/israeli-palestinian-conflict

  13. https://fpif.org/why_the_us_supports_israel/

  14. https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/

  15. https://www.jpost.com/breaking-news/article-699022

  16. https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

  17. https://www.jpost.com/breaking-news/article-699022

Our articles covering Israelian threats

From Hunt & Hackett experts

Questions or feedback?

Get in touch