Israel Enters 'Stage 3' of Cyber Wars With Iran Proxies - Dark Reading
While Israel and Iranian proxies fight it out IRL, their conflict in cyberspace has developed in parallel. These days attacks have decelerated, but advanced in sophistication.
Nate Nelson, Contributing Writer
April 3, 2025
SOURCE: ODED KARNI VIA INCD
Reported cybersecurity incidents in Israel rose 24% in 2024, largely thanks to Iran and its proxy militias. But the trajectory of this cyber conflict has not followed a straight path, as recent signals suggest it might be slowing and evolving.
Any simple comparison of cyber threat data before and after Oct. 7, 2023, tells a seemingly straightforward story. In 2023, the Israel National Cyber Directorate (INCD) released 367 alerts about vulnerabilities, attacks, and threats. In 2024, that number doubled to 736, with 518 of them being "red alerts" directed to specific organizations. Calls to Israel's 119 cyberattack hotline rose 24% year-over-year, with 17,078 reports in only 365 days.
In a closed-door briefing at INCD headquarters last week, government representatives reported even more significant figures. In the wake of the Oct. 7 attacks, calls and alerts to Israel's national security operations center (SOC) multiplied 10 times over — from an average of 50 per day to 500-plus. The number of known APTs targeting the country has reportedly doubled as well, though Dark Reading hasn't received specific figures to confirm this.
Despite the metrics, cyber threats to Israel haven't risen in some sort of consistent pattern over the past year and a half. Instead, INCD defense division executive director Tom Alexandrovich tells Dark Reading that the cyber war against Israel has progressed roughly in three phases. Today — during what he deems phase three — attacks aren't coming quite so hard and fast, but they have matured significantly.
The Evolution of Israel's Cyber War With Iran
The most noticeable campaigns targeting Israeli civil society have been disruptive operations: distributed denial-of-service (DDoS) attacks, loud hacktivist-ish activity aimed at psychological influence, and similar threats. There was the incident, for example, when attackers shouted warning messages through public address systems in around 20 kindergartens. Additionally, there was an hourlong denial of service against a point-of-sale (PoS) service used across Israeli gas stations, supermarkets, etc.
Early on in the war, digital signage was blasted with violent messaging. "We conducted a video conference with the billboard companies and told them [about Iran's] modus operandi, how their systems are unsecured, and asked them to shut down the billboards. [Later] I drove along the highway, and I saw everything was shut down, everything was black," Alexandrovich recalls.
Over time, he says, the incidents causing the most trouble shifted. More regular businesses were being targeted with more conventional cyberattacks — most notably managed service providers (MSPs), and most often through phishing. Phishing is still the most commonly reported cyber incident in Israel, comprising 41% of 119 hotline reports in 2024.
As the INCD tells it, Israel gradually adjusted and hardened against these threats, and the sheer volume of incidents began to plateau. In turn, however, Iran-aligned actors appear to have gotten more creative. "They've changed constantly not only their internal arrangement — how they work together, and with other groups — but also their infrastructure. And where previously they used more self-developed tools — very old malicious scripts, easily blocked — in this third stage they transferred to using RMMs, and legitimate software that you already have on Microsoft Windows or any other device," Alexandrovich explains.
Iran proxies have grown more efficient by purchasing infrastructure and initial access to organizations, rather than developing it all on their own. Different proxies work together by sharing information as well as research and development capabilities, leading to faster exploitation of recently disclosed vulnerabilities. "If previously, exploitation of one-days took the Iranian state a couple of days, or a week, now it's 40 minutes, half an hour. This is new," he says.
Threats to the IDF
These advanced capabilities have allowed the threat actors to aim at more exotic and high-value targets. And while large corporations, critical infrastructure providers, and service providers all qualify, there's one target that stands above the rest.
"A good target to deploy CNA attacks against is all of the organizations supporting the Israel Defense Forces (IDF). Those supporting the battlefield, all of the emergency services, etc. So [Iran and its proxies] constantly target the ecosystem that's supporting the war. It can be a transportation industry, it can be cameras, it can be any type of food manufacturer that produces or stores food, and so on. And the missile defense system, of course, has multiple supply chain companies," Alexandrovich explains.
To take some of the burden off of the military and defense establishment, he reports, "We tracked about 3,000 companies that supply some kind of critical mission services to the IDF. We mapped their assets, and provided them with a kind of umbrella [defense] as part of our 'Cyber Dome.'" Alexandrovich is credited as having devised the "Cyber Dome," a lofty project in progress that aims to utilize artificial intelligence (AI) and big data analysis to shield Israel's government, military, economy, and civil society from cyber threats. INCD markets it as a kind of cyber parallel to the Iron Dome missile defense system.
The Feeling on the Ground
Though sophisticated attacks against exotic targets might be the most interesting, even those pesky disruption attacks have taken a toll on Israeli society.
"Imagine you're [running] your organization, and every day I'm reporting to you that you have an incident. How much time and effort will you put into this call during a war?" Alexandrovich asks. "You will be exhausted. This is what they want. To exhaust us."
In this regard, cyber imitates life. In the evening following INCD's press briefing, Houthi militants shot a ballistic missile toward central Israel. Sirens blared across Tel Aviv, Jerusalem, and beyond. Citizens rushed or, more often, moseyed to find cover, or just did nothing. The IDF intercepted the projectile outside of its airspace, and nobody was harmed.
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.