Full Report
The number of Iranian cyberattacks against Israel has shot up since the launch of the US-Israeli war with Iran this year, Yossi Karadi, director general of the National Cyber Directorate, was quoted as saying on Monday. Karadi told German newspaper Die Welt that in June 2025, during the first round of war between Israel and Iran, Israel’s authorities registered…
Analysis Summary
# Incident Report: Surge in Iranian Cyber Operations Against Israel (2025-2026)
## Executive Summary
Since the onset of the US-Israeli conflict with Iran, the volume of Iranian-directed cyberattacks against Israeli targets has risen sharply. According to the National Cyber Directorate, registered hostile incidents rose from roughly 1,600 per month in June 2025 to 4,800 in June 2026, a threefold (200%) year-over-year increase. The surge coincides with the kinetic conflict and is attributed by the Directorate to sustained, state-directed Iranian activity across multiple national sectors.
## Incident Details
- **Discovery Date:** June 2026 (Reporting date)
- **Incident Date:** June 2025 – June 2026 (Ongoing campaign)
- **Affected Organization:** Multiple Israeli National entities
- **Sector:** Government / Critical Infrastructure / Cross-sector
- **Geography:** Israel
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing June 2025
- **Vector:** Not disclosed in the briefing.
- **Details:** Attack volume first rose during the "first round" of the war in June 2025 and has continued to climb since; the briefing gives aggregate counts only, not per-incident detail.
### Lateral Movement
- Details regarding specific lateral movement techniques were not disclosed in the public briefing provided by the National Cyber Directorate.
### Data Exfiltration/Impact
- **Impact:** Significant increase in hostile volume, totaling 4,800 registered incidents in a single month (June 2026).
### Detection & Response
- **How it was discovered:** Continuous monitoring by the Israeli National Cyber Directorate.
- **Response actions taken:** Specific operational measures were not disclosed. Director general Yossi Karadi said the Directorate plans its defenses around adversary *capabilities* rather than assessed *intent*.
## Attack Methodology
*Note: The source is a high-level statement of aggregate activity; no per-incident TTPs were published for any of the 4,800 incidents. The tactics below are listed for completeness and are marked as not disclosed where the briefing gives nothing.*
- **Initial Access:** Not disclosed.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Not disclosed.
- **Collection:** Not disclosed.
- **Exfiltration:** Not disclosed.
- **Impact:** A threefold rise in registered hostile incidents; the effect on individual services was not itemized.
## Impact Assessment
- **Financial:** Not disclosed. Any cost estimate would have to account for the additional defensive effort and incident handling implied by a threefold rise in volume.
- **Data Breach:** Not disclosed; the briefing reports aggregate incident counts only and does not state how many incidents resulted in data loss.
- **Operational:** Sustained load on the National Cyber Directorate and on the affected sectors from handling roughly 4,800 registered incidents in a single month.
- **Reputational:** Public acknowledgment of the surge during wartime conditions.
## Indicators of Compromise
*No IOCs were published with the briefing. The entries below record that absence rather than substituting generic indicators.*
- **Network indicators:** Not provided.
- **File indicators:** Not provided.
- **Behavioral indicators:** Not provided beyond the aggregate rise in registered incident counts.
## Response Actions
- **Containment measures:** Not disclosed.
- **Eradication steps:** Not disclosed.
- **Recovery actions:** Continuous monitoring by the National Cyber Directorate, with defensive planning framed around adversary capability rather than intent.
## Lessons Learned
- **Key takeaways:** Cyber activity is now tightly coupled to kinetic warfare; in this case the escalation of physical conflict coincided with a roughly threefold increase in monthly registered cyber incidents.
- **What could have been done better:** Adopt a capability-based defensive posture (sizing defenses to what the adversary can do, not to what it is judged to intend) before the kinetic escalation rather than during it.
## Recommendations
- **Prevention measures:**
  - Implement Zero Trust Architecture (ZTA) across all government sectors.
  - Enhance monitoring for "living-off-the-land" techniques commonly used by state actors.
  - Geo-fence non-essential traffic from known hostile regions during active kinetic conflicts, while keeping essential public services reachable.
  - Continuously stress-test critical infrastructure against high-volume DDoS and intrusion attempts.
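The geo-fencing recommendation above has a failure mode worth showing in code: a fence that is applied bluntly cuts off essential public services, and one that only matches IPv4 literals is bypassed by IPv4-mapped IPv6 addresses. The following policy evaluator is an added example written for this page, not code from the National Cyber Directorate or from any referenced product. The prefixes are RFC 5737/3849 documentation ranges standing in for a region feed, the essential-port list and allowlist are assumptions, and the connection log lines are constructed.

```python
"""Geo-fence policy evaluator: deny non-essential traffic from fenced regions,
keep essential services reachable, fail closed on unparseable input."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-ins for a "hostile region" prefix feed (documentation
# ranges only; not any real country's allocations).
HOSTILE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:beef::/48"),
]

# Assumed list of services that must stay reachable regardless of origin.
ESSENTIAL_PORTS: Dict[int, str] = {443: "public-info-portal", 53: "dns"}

# Assumed explicit exceptions (e.g. a partner VPN egress); checked before the fence.
ALLOWLIST = [ipaddress.ip_network("198.51.100.77/32")]


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "deny"
    reason: str


def _normalize(src_ip: str):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) so an
    attacker cannot dodge an IPv4 prefix match by presenting the mapped form."""
    addr = ipaddress.ip_address(src_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _matches(addr, prefixes) -> bool:
    # Only same-family prefixes can contain the address; the `in` test is
    # False for mismatched families, so no explicit family check is needed.
    return any(addr in p for p in prefixes)


def evaluate(src_ip: str, dst_port: int, fence_active: bool) -> Decision:
    """Decide whether a single connection is allowed under the geo-fence."""
    try:
        addr = _normalize(src_ip)
    except ValueError:
        return Decision("deny", "unparseable source address")  # fail closed
    if not fence_active:
        return Decision("allow", "geo-fence inactive")
    if _matches(addr, ALLOWLIST):
        return Decision("allow", "explicit allowlist")
    if not _matches(addr, HOSTILE_PREFIXES):
        return Decision("allow", "source outside fenced regions")
    if dst_port in ESSENTIAL_PORTS:
        return Decision("allow", f"essential service: {ESSENTIAL_PORTS[dst_port]}")
    return Decision("deny", "non-essential traffic from fenced region")


# Constructed connection log lines in a minimal "src=... dport=..." format.
SAMPLE_LOG = """\
src=203.0.113.5 dport=8080
src=203.0.113.5 dport=443
src=198.51.100.77 dport=22
src=192.0.2.10 dport=8080
src=::ffff:203.0.113.9 dport=22
src=2001:db8:beef::1 dport=3389
src=garbage dport=443
"""


def summarize(log_text: str, fence_active: bool = True) -> Dict[str, int]:
    """Run the policy over log lines and count allow/deny decisions."""
    counts = {"allow": 0, "deny": 0}
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        decision = evaluate(fields["src"], int(fields["dport"]), fence_active)
        counts[decision.action] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        print(line, "->", evaluate(f["src"], int(f["dport"]), True))
    print(summarize(SAMPLE_LOG))
```

The order of checks is the point: allowlist before fence, essential services before the deny, and a parse failure denies rather than allows. In a real deployment the prefix feed would be loaded from a maintained source and the decision emitted as firewall rules, but the ordering and the mapped-address normalization carry over unchanged.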