Israel and Iran Broaden Cyberwar to Attack Civilian Targets
Farnaz Fassihi and Ronen Bergman
Millions of ordinary people in Iran and Israel recently found themselves caught in the crossfire of a cyberwar between their countries. In Tehran, a dentist drove around for hours in search of gasoline, waiting in long lines at four gas stations only to come away empty.
In Tel Aviv, a well-known broadcaster panicked as the intimate details of his sex life, and those of hundreds of thousands of others stolen from an L.G.B.T.Q. dating site, were uploaded on social media.
For years, Israel and Iran have engaged in a covert war, by land, sea, air and computer, but the targets have usually been military or government related. Now, the cyberwar has widened to target civilians on a large scale.
In recent weeks, a cyberattack on Iran’s nationwide fuel distribution system paralyzed the country’s 4,300 gas stations, which took 12 days to have service fully restored.
That attack was attributed to Israel by two U.S. defense officials, who spoke on the condition of anonymity to discuss confidential intelligence assessments. It was followed days later by cyberattacks in Israel against a major medical facility and a popular L.G.B.T.Q. dating site, attacks Israeli officials have attributed to Iran.
The escalation comes as American authorities have warned of Iranian attempts to hack the computer networks of hospitals and other critical infrastructure in the United States. As hopes fade for a diplomatic resurrection of the Iranian nuclear agreement, such attacks are only likely to proliferate.
Hacks have been seeping into civilian arenas for months. Iran’s national railroad was attacked in July, but that relatively unsophisticated hack may not have been Israeli. And Iran is accused of making a failed attack on Israel’s water system last year.
The latest attacks are thought to be the first to do widespread harm to large numbers of civilians. Nondefense computer networks are generally less secure than those tied to state security assets.
No one died in these attacks, but if their goal was to create chaos, anger, and emotional distress on a large scale, they succeeded wildly.
“Perhaps there’s a war going on between Israel and Iran, but from the little civilian’s perspective we are being held as prisoners here in the middle and are helpless,” said Beni Kvodi, 52, an editor at an Israeli radio station.
Mr. Kvodi has been openly gay for years, but the hack on the Israeli dating site threatened to expose thousands of Israelis who had not come out publicly about their sexual orientation. The site collected embarrassing information about users’ sexual habits, as well as explicit photos.
Ali, a 39-year-old driver with the national taxi company in Tehran who, like other Iranians interviewed, asked that his last name not be used out of fear for his security, said he lost a day of work waiting in gas station lines that snaked for miles.
“Every day you wake up in this country and you have a new problem,” he said in a telephone interview. “It isn’t our fault our governments are enemies. It’s already hard enough for us to survive.”
Both countries appear to be striking out at civilians to send messages to their governments.
The hack on Iran’s fuel distribution system took place on Oct. 26, near the two-year anniversary of large antigovernment protests set off by a sudden increase in gasoline prices. The government responded then with a brutal crackdown, which Amnesty International said killed more than 300 people.
The cyberattack appeared aimed at generating another wave of antigovernment unrest.
Gas pumps suddenly stopped working and a digital message directed customers to complain to Iran’s supreme leader, Ayatollah Ali Khamenei, displaying the phone number of his office.
The hackers took control of billboards in cities like Tehran and Isfahan, replacing ads with the message “Khamenei, where is my gasoline?”
“At 11 a.m. suddenly the pumps stopped working,” said Mohsen, the manager of a gas station in northern Tehran. “I have never seen anything like this.”
Rumors spread that the government had engineered the crisis to raise fuel prices. Iran’s app-based taxi companies, Snap and Tapsi, doubled and tripled their normal fares in response to drivers having to purchase expensive unsubsidized fuel, Iranian news media reported.
The antigovernment uprising never materialized but the government scrambled to contain the damage and tamp down the uproar. The Oil Ministry and the National Cyber Council held emergency meetings. The oil minister, Javad Owji, issued a rare public apology on state television, and pledged an extra 10 liters of subsidized fuel to all car owners.
To get pumps back online, the ministry had to send technicians to every gas station in the country. Once the pumps were reset, most stations could still sell only unsubsidized fuel, which is twice the price of subsidized fuel.
It took nearly two weeks to restore the subsidy network, which allots each vehicle 60 liters — about 16 gallons — a month at half price.
But the hack may have been more serious than an inconvenience to motorists.
A senior manager in the Oil Ministry and an oil dealer with knowledge of the investigation, who spoke on the condition of anonymity to avoid repercussions, said that officials were alarmed that hackers had also gained control of the ministry’s fuel storage tanks and may have had access to data on international oil sales, a state secret that could expose how Iran evades international sanctions.
Because the ministry’s computer servers contain such sensitive data, the system operates unconnected to the internet, leading to suspicions among Iranian officials that Israel may have had inside help.
Four days after Iran’s pumps stopped working, hackers gained access to the databank of the Israeli dating site Atraf, and medical files at Machon Mor Medical Institute, a network of private clinics in Israel.
Files from both hacks — including the personal information of about 1.5 million Israelis, about 16 percent of the country’s population — were posted to a channel on the Telegram messaging app.
The Israeli government asked Telegram to block the channel, which it did. But the hackers, a little-known group called Black Shadow, immediately reposted the material on a new channel, and continued to do so each time it was blocked.
The group also posted files stolen from the Israeli insurance company Shirbit, which was hacked last December and insured employees of Israel’s Defense Ministry.
Three senior Israeli officials, who asked not to be identified in order to discuss secret cyber issues, said that Black Shadow was either part of the Iranian government or freelance hackers working for the government.
Personal data from the dating site could be disastrous “even for those who are already out of the closet,” Mr. Kvodi said. “Each one of us has a very close and intimate ‘relationship’ with Atraf.”
The site contains not only names and addresses, he said, but also “our sexual preferences, who’s H.I.V. positive, who uses prophylactics or does not, along with the fact that the site makes it possible to upload nude photographs and relevant video footage of us and to send them to other subscribers.”
Many Atraf subscribers soon complained that their Instagram, Facebook or Gmail accounts had also been hacked.
Cyber experts said these hacks were not the work of Black Shadow but knock-on hacks by criminals who used the personal data Black Shadow had posted. In some cases, they blocked the accounts, demanding ransom to restore access.
Neither Israel nor Iran has publicly claimed responsibility or laid blame for the latest round of cyberattacks. Israeli officials refused to publicly accuse Iran, and Iranian officials have blamed the gas station attack on a foreign country, stopping short of naming one.
Experts say the cyberattacks on softer civilian targets could be the start of a new phase in the conflict.
Lotem Finkelstein, head of intelligence at Check Point, a cybersecurity company, said that Iranian hackers had “identified a failure in Israeli understanding” about cyber conflict.
They realized that “they do not need to attack a government agency, which is much more protected,” but could easily attack small, private companies, with less sophisticated security, “that control enormous amounts of information, including financial or intimate personal information about many citizens.”
Each side blames the other for the escalation, and even if there were the will to stop it, it’s hard to see how this genie gets recorked.
“We are in a dangerous phase,” Maysam Behravesh, a former chief analyst for Iran’s Intelligence Ministry, said in a Clubhouse chat on Monday. “There will be a next round of widespread cyberattack on our infrastructure. We are a step closer to military confrontation.”
Posted in New York Times November 27, 2021
Feature image: Cars queued up in front of petrol station / service station in Iran. Arterra Picture Library / Alamy Stock Photo
Farnaz Fassihi is a reporter for The New York Times based in New York. Previously she was a senior writer and war correspondent for the Wall Street Journal for 17 years based in the Middle East. @farnazfassihi
Ronen Bergman is a staff writer for The New York Times Magazine, based in Tel Aviv. His latest book is “Rise and Kill First: The Secret History of Israel’s Targeted Assassinations,” published by Random House.