Introduction
The cyber conflict between Israel and Iran has evolved significantly since 2002, transitioning from covert operations to a complex and persistent cyber warfare landscape. The discovery of Stuxnet in 2010, a cyber weapon attributed to Israel and the United States that disrupted Iran’s nuclear program, marked a turning point, showcasing the potential for digital attacks to cause physical damage. Since then, both nations have bolstered their cyber capabilities. Iran has developed advanced persistent threat (APT) groups like APT42, CyberAv3ngers, and Emennet Pasargad (Cotton Sandstorm), focusing on Israeli critical infrastructure, government entities, and individuals. Israel has been linked to sophisticated cyberattacks on Iranian nuclear facilities, fuel networks, and railway systems. The conflict now involves proxy groups and hacktivists, complicating attribution. In June 2025, following Israel’s missile strike on Iranian nuclear and military facilities on June 12, 2025, Iranian cyberattacks against Israel reportedly surged by 700%, raising concerns about regional instability and potential spillover to U.S. infrastructure.
Timeline of Key Events
The following timeline outlines significant cyber events in the Israel-Iran conflict for June 2025, based on available reports:
- June 12, 2025: Israel launches a missile strike on Iranian nuclear and military facilities, escalating tensions and triggering a significant increase in Iranian cyberattacks against Israeli targets.
- June 16, 2025: Cybersecurity firm Radware reports a surge in Iranian cyber activity targeting Israeli industrial and critical systems, highlighting the growing threat to Israel’s infrastructure.
- June 17, 2025: Suspected Israeli hackers claim responsibility for destroying data at Iran’s Bank Sepah, a major Iranian bank, in a retaliatory cyberattack.
- June 17, 2025: The pro-Israel hacking group Predatory Sparrow announces a disruptive cyberattack on another major Iranian bank, causing widespread outages and straining Iran’s financial sector.
- Throughout June 2025: Iranian state-backed hackers account for 80% of government-backed phishing attempts against Israel, indicating a concerted effort to infiltrate Israeli networks.
- Ongoing: Warnings persist about potential Iranian cyberattacks on U.S. critical infrastructure, particularly water and energy systems, as a retaliatory measure.
Background on APT Groups
The following sections detail the key Iranian APT groups involved in the Israel-Iran cyber conflict, their origins, tactics, and targets.
APT42
- Description: APT42, also known as OilRig, is an Iranian state-sponsored group operating under the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2015, it is known for sophisticated phishing campaigns and espionage activities targeting critics of the Iranian regime in Israel, the U.S., and other countries.
- Activities: APT42 employs credential harvesting, social engineering, and malware deployment to access sensitive information. In Israel, it targets military personnel, Democrats, academics, and NGOs, often using fake social media profiles to lure victims. The group has also targeted U.S. political campaigns, adapting to Iran’s geopolitical priorities.
- Personas: APT42 frequently uses fake LinkedIn profiles and job recruitment lures, mimicking organizations like the Jewish Agency for Israel to conduct phishing operations.
- TTPs:
  - Initial Access: Spearphishing Attachment, Spearphishing Link, Phishing
  - Execution: User Execution, Command and Scripting Interpreter
  - Persistence: Scheduled Task/Job, Account Manipulation
  - Privilege Escalation: Exploitation for Privilege Escalation
  - Defense Evasion: Process Injection, Indicator Removal on Host
  - Credential Access: Steal or Guess Login Credentials
  - Discovery: Network Share Discovery, System Network Configuration Discovery
  - Lateral Movement: Remote Services, Remote File Copy
  - Collection: Data from Local System
  - Exfiltration: Exfiltration Over C2 Channel
  - Impact: Data Destruction
CyberAv3ngers
- Description: CyberAv3ngers is an IRGC-affiliated group that emerged prominently in 2023, focusing on critical infrastructure, particularly water and wastewater systems, in Israel and the U.S. It operates as a hacktivist front but is directly linked to Iran’s state-sponsored cyber operations.
- Activities: The group has compromised Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs), targeting water utilities in Israel and the U.S. In 2023, they exploited default passwords to access U.S. water systems, and in 2024, deployed custom malware to control water and fuel systems. In June 2025, they issued threats against Israeli oil refineries.
- Personas: CyberAv3ngers uses a Telegram channel (@CyberAv3ngers) to claim attacks and spread propaganda, leveraging social media to amplify threats and disinformation.
- TTPs:
  - Initial Access: Exploit Public-Facing Application (targeting PLCs and HMIs)
  - Execution: Command and Scripting Interpreter, User Execution
  - Persistence: Modify Existing Service, New Service
  - Privilege Escalation: Exploitation for Privilege Escalation
  - Defense Evasion: Deobfuscate/Decode Files or Information, Masquerading
  - Discovery: Network Service Scanning, System Network Configuration Discovery
  - Lateral Movement: Remote Services
  - Impact: Data Destruction, Resource Hijacking (manipulation of industrial processes)
Emennet Pasargad (Cotton Sandstorm)
- Description: Emennet Pasargad, also known as Cotton Sandstorm, is an Iranian company sanctioned by the U.S. for its role in cyber operations, including election interference and hack-and-leak campaigns. Active since at least 2020, it operates under front companies like Aria Sepehr Ayandehsazan (ASA) and is linked to the IRGC.
- Activities: The group specializes in hack-and-leak operations, stealing data from Israeli and Western organizations and amplifying it via social media and forums. They deploy custom malware like WezRat for espionage and disruption, targeting government, media, and election sectors in Israel, the U.S., France, and Sweden.
- Personas: Emennet Pasargad uses false-flag campaigns, posing as hacktivist groups like “Soldiers of Solomon,” and operates under front companies to obscure activities.
- TTPs:
  - Initial Access: Drive-by Compromise, Exploit Public-Facing Application, Phishing, Spearphishing Attachment, Spearphishing Link, Supply Chain Compromise
  - Execution: Command and Scripting Interpreter, User Execution
  - Persistence: Account Manipulation, Create or Modify System Process, New Service
  - Privilege Escalation: Exploitation for Privilege Escalation
  - Defense Evasion: Deobfuscate/Decode Files or Information, Masquerading, Obfuscated Files or Information
  - Credential Access: Steal or Guess Login Credentials
  - Discovery: Account Discovery, Network Service Scanning, System Network Configuration Discovery, System Owner/User Discovery
  - Lateral Movement: Lateral Tool Transfer, Remote Services
  - Collection: Data from Local System, Input Capture
  - Exfiltration: Exfiltration Over Alternative Protocol, Scheduled Transfer
  - Impact: Data Destruction, Data Manipulation
Common Iranian Cyber TTPs
Iranian cyber threat groups share several common TTPs that reflect their strategic objectives of espionage, data theft, and disruption:
- Phishing and Spearphishing: Used for initial access to infiltrate target networks, often impersonating trusted entities to trick victims.
- Custom Malware: Deployed for persistence, data exfiltration, and system control, including tools like TAMECAT, NICECURL, and WezRat.
- Exploitation of Vulnerabilities: Targeting operational technology (OT) devices like PLCs and HMIs, exploiting default passwords and software vulnerabilities.
- Social Engineering: Building trust with targets through impersonation and fake personas to gain access or extract information.
- Lateral Movement: Navigating within networks to reach high-value targets using remote services and file transfers.
- Data Exfiltration: Collecting and transferring sensitive data, often compressed and sent over command and control channels.
- Defense Evasion: Employing techniques like process injection, indicator removal, and masquerading to avoid detection.
- Brute Force Attacks: Using password spraying and MFA push bombing to compromise user accounts.
- MFA Manipulation: Modifying MFA registrations to maintain persistent access.
- Network Discovery: Conducting reconnaissance to identify additional credentials and access points within compromised networks.
These TTPs highlight the sophisticated and persistent nature of Iranian cyber operations, particularly in the context of the Israel-Iran conflict, where they aim to disrupt critical infrastructure and influence public perception.
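As an added defender-side example that is not part of the original report, the following Python flags three of the account-focused TTPs listed above (password spraying, MFA push bombing, and a new MFA registration following an approval by a bombed user) over constructed sign-in events; the event field names, sample values and thresholds are assumptions, not any identity provider's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field names are assumptions, not any product's real schema.
EVENTS = (
    [{"ts": f"2025-06-14T02:0{i}:00", "user": f"user{i}", "src": "203.0.113.7", "event": "login_failed"}
     for i in range(8)]  # one source, eight accounts, one failure each: a spray
    + [{"ts": f"2025-06-14T03:1{i}:00", "user": "alice", "src": "203.0.113.9", "event": "mfa_push_sent"}
       for i in range(6)]  # six prompts to alice in six minutes: push bombing
    + [{"ts": "2025-06-14T03:16:00", "user": "alice", "src": "203.0.113.9", "event": "mfa_push_approved"},
       {"ts": "2025-06-14T03:20:00", "user": "alice", "src": "203.0.113.9", "event": "mfa_device_registered"},
       {"ts": "2025-06-14T09:01:00", "user": "bob", "src": "198.51.100.4", "event": "mfa_push_sent"},
       {"ts": "2025-06-14T09:05:00", "user": "bob", "src": "198.51.100.4", "event": "mfa_device_registered"}]
)  # bob is benign: a single prompt, so his new device must not be flagged

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _group(events, kind, key):
    # Bucket events of one kind by a field (source IP or user).
    g = defaultdict(list)
    for e in events:
        if e["event"] == kind:
            g[e[key]].append(e)
    return g

def _windows(evs, window):
    """For each event as a window start, yield the events within `window` after it."""
    evs = sorted(evs, key=_ts)
    for i, first in enumerate(evs):
        yield [e for e in evs[i:] if _ts(e) - _ts(first) <= window]

def detect_password_spray(events, window=timedelta(minutes=15), min_users=5):
    """Source IPs whose failed logins hit >= min_users distinct accounts inside one window."""
    return sorted(src for src, evs in _group(events, "login_failed", "src").items()
                  if any(len({e["user"] for e in w}) >= min_users for w in _windows(evs, window)))

def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Users who received >= min_prompts MFA pushes inside one window (MFA fatigue)."""
    return sorted(u for u, evs in _group(events, "mfa_push_sent", "user").items()
                  if any(len(w) >= min_prompts for w in _windows(evs, window)))

def detect_mfa_registration_after_bombing(events, window=timedelta(hours=1)):
    """Bombed users who approved a push and then registered a new MFA device within window."""
    suspects, approved, hits = set(detect_push_bombing(events)), {}, set()
    for e in sorted(events, key=_ts):
        if e["event"] == "mfa_push_approved" and e["user"] in suspects:
            approved.setdefault(e["user"], _ts(e))
        elif e["event"] == "mfa_device_registered" and e["user"] in approved \
                and _ts(e) - approved[e["user"]] <= window:
            hits.add(e["user"])
    return sorted(hits)
```

The three detections chain: a bombed user who then approves a prompt and registers a new factor is the persistence pattern the "MFA Manipulation" item describes, and only that combination is raised, so ordinary enrolments are not flagged.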
Recent Cyber Activities (June 2025)
The escalation in June 2025 follows Israel’s missile strike on Iranian facilities on June 12, 2025. Key developments include:
- Surge in Cyberattacks on Israel: Iranian APT groups have reportedly increased attacks by 700% since the June 12 strike, targeting Israeli government websites, financial institutions, telecommunications, and critical infrastructure. These attacks include DDoS campaigns, phishing operations, and attempts to disrupt water and energy systems.
- Disinformation Campaigns: Iranian-linked actors have sent fake messages impersonating Israel’s Home Front Command, spreading fear with false claims of fuel shortages and terrorist attacks.
- U.S. Critical Infrastructure at Risk: Experts warn that Iran-aligned groups, such as CyberAv3ngers, may target U.S. water and energy systems as retaliation, given Iran’s weakened military position.
- Pro-Israel Cyber Response: The pro-Israel hacking group Predatory Sparrow claimed responsibility for a cyberattack on Iran’s Bank Sepah that caused outages and, by the group’s own account, destroyed all of the bank’s data, showcasing Israel’s offensive cyber capabilities.
APT Activity Tables
The following tables summarize recent activities of each APT group, including targets and operational personas, based on intelligence up to June 17, 2025.
Table 1: APT42 Activities
Date | Activity | Target | Persona/Contact |
---|---|---|---|
2024-04 | Phishing campaign | Israeli defense sector | Fake LinkedIn profiles |
2024-08 | Credential harvesting | U.S. political figures | Phishing emails with malicious links |
2025-06 | Targeting Israeli diplomats | Israeli embassies | Social media personas posing as recruiters |
2024-02 | Espionage via malware | Israeli NGOs | Fake petition websites |
2023-09 | Data exfiltration | U.S. think tanks | Cloned Gmail login pages |
2022-09 | Spearphishing campaign | Israeli government officials | Mimicked Gmail login page |
2024-07 | Social engineering attack | Israeli academics | Fake job recruitment emails |
Table 2: CyberAv3ngers Activities
Date | Activity | Target | Persona/Contact |
---|---|---|---|
2023-11 | Attack on U.S. water systems | U.S. water utilities | Telegram channel: @CyberAv3ngers |
2024-02 | Compromise of Israeli PLCs | Israeli critical infrastructure | Telegram posts claiming attacks |
2025-06 | Threats against oil refineries | Israeli energy sector | Social media threats |
2024-04 | Malware deployment | U.S. fuel systems | Custom malware via Telegram |
2023-12 | Water system disruption | Israeli water utilities | Telegram propaganda videos |
2025-01 | Reconnaissance on infrastructure | Israeli public transit | Social media reconnaissance posts |
2024-11 | PLC exploitation | U.S. wastewater systems | Mr. Soul/Mr. Soll persona |
Table 3: Emennet Pasargad (Cotton Sandstorm) Activities
Date | Activity | Target | Persona/Contact |
---|---|---|---|
2020-01 | Hack-and-leak operations | Israeli organizations | False-flag hacktivist groups |
2022-10 | Targeting U.S. electoral process | U.S. news outlets | Front company: ASA |
2024-11 | Malware deployment (WezRat) | French, Swedish, Israeli targets | Custom malware distribution |
2023-06 | Influence operation | Israeli media | Soldiers of Solomon persona |
2024-10 | Data leak campaign | Israeli Olympians | Social media amplification |
2022-03 | Election interference | U.S. voting websites | False-flag cyber-criminal groups |
2024-08 | Cyber-enabled propaganda | Swedish public | Mass text messages |
Trend Changes (2002–2025)
The Israel-Iran cyber conflict has seen significant shifts since 2002:
- 2002–2010: Marked by covert operations, culminating in Stuxnet in 2010. Attributed to Israel and the U.S. and aimed at Iran’s nuclear centrifuges, Stuxnet established cyber warfare as a strategic tool.
- 2011–2019: Iran developed APT groups like APT35 (Charming Kitten) and MuddyWater, targeting Israeli and Western infrastructure. Israel retaliated with attacks on Iranian fuel and railway systems.
- 2020–2024: Iranian campaigns increasingly focused on Israel, with groups like CyberAv3ngers targeting critical infrastructure. Hacktivist personas and false-flag operations grew, complicating attribution.
- 2025: The conflict peaked in June 2025 with a 700% surge in Iranian cyberattacks following Israel’s military strikes. Proxy groups like Hezbollah’s Lebanese Cedar and global hacktivists, including Russian-aligned collectives, expanded the cyber battlefield.
Potential Implications
The escalation in June 2025 poses significant risks:
- Regional Instability: Attacks on critical infrastructure like water and energy systems could disrupt civilian life and heighten Middle East tensions.
- Global Spillover: Iran’s potential targeting of U.S. infrastructure could draw the U.S. into the conflict, especially if Iran perceives U.S. support for Israel as a threat.
- Disinformation and Psychological Impact: Iranian disinformation campaigns aim to undermine public confidence in Israel and its allies.
- International Alliances: Iran’s ties with Russia and China could lead to coordinated cyberattacks, particularly if Israel’s actions affect Iran’s oil exports, a key interest for China.
Conclusion
The Israel-Iran cyber conflict in June 2025 reflects the growing sophistication of state-sponsored cyber warfare. Iranian APT groups like APT42, CyberAv3ngers, and Emennet Pasargad are likely driving attacks on Israeli infrastructure, using advanced TTPs like phishing, custom malware, and OT exploitation. Israel’s retaliatory cyberattacks, such as those on Iranian banks, demonstrate its offensive capabilities. The potential for spillover to U.S. and allied infrastructure underscores the need for robust cybersecurity and international cooperation. As the conflict evolves, vigilance is critical to mitigate these persistent cyber threats.
Key Citations
- MITRE ATT&CK: APT42 (G0102)
- MITRE ATT&CK: Cotton Sandstorm (G0125)
- CISA Advisory: IRGC-Affiliated Cyber Actors Exploit PLCs
- Google Threat Analysis Group: Iranian Backed Group Steps Up Phishing Campaigns
- CYFIRMA: APT Profile – APT42
- Cyber weapons in the Israel-Iran conflict may hit the US
- Iranian Hackers Maintain 2-Year Access to Middle East CNI
- Iran Cyber Threat Overview
- Iran and Cyber Power
- The Iranian Cyber Threat
- Radware warns of surge in Iranian cyber activity
- Artificial Intelligence Is Accelerating Iranian Cyber Operations
- Cybersecurity Alert – Ongoing Threats From Iranian Cyber Actors
- APT Quarterly Highlights: Q2 2024
- Iranian APT42 Launched Over 30 Espionage Attacks
- A Single Iranian Hacker Group Targeted Both Presidential Campaigns