Although Iran has been devastated by the coronavirus, it continued its offensive cyber activities around the world throughout March and April. Aside from COVID-19-specific efforts such as attempting to phish scientists and researchers working on a vaccine for the virus — recent reports suggest Iran may have returned to targeting critical infrastructure/key resources (CI/KR) following the purported infiltration of an Israeli water system in late April.

A summary of the incident revealed that the actors routed their attack through American and European servers. Israeli officials claim that no damage was done despite the targeting of two computers that control programmable logic controllers for water flow and treatment of wastewater, emphasizing that the attack was detected early and thwarted. U.S. officials and intelligence agencies offered no commentary, and the incident became public when two unnamed foreign government officials reported watching it “in real time.”

The Iranian cyber program is capable of carrying out an attack like this. Furthermore, the long-standing tensions between Israel and Iran position the countries to continuously conduct cyber incidents against one another, and escalate their ongoing conflict in every realm, especially cyber. In addition to Israel, Iran regularly targets Gulf countries such as Saudi Arabia, Bahrain, and Kuwait. Tehran has stated its desire to impact CI/KR to disrupt daily life in countries that oppose it, stoking fear among their civilian populations and wreaking havoc on CI/KR that ensure daily comforts in first-world societies. Iran also prefers to conduct covert cyber incidents, which give it anonymity and plausible cover to deny its involvement — which it did again after this incident. So while this attack is in line with normal Iranian tactics, techniques, and procedures (TTPs) used against their adversaries, and Israel is a priority target for Tehran, additional evidence is needed to confirm Iran’s responsibility.

As mentioned above, no government official has yet gone on record to directly attribute this incident to Iran, even the ones who purportedly watched it happen in real time — there is only suspicion. Furthermore, no cybersecurity research companies have (publicly) offered confirmation via IP addresses, identifying or naming a server, or providing any other technical indicators of compromise confirming Iranian involvement. Despite the progress the information security community has made, attribution in cyber is notoriously difficult, and requires evidence and thorough investigation. Quickly attributing or blaming a country for a cyber incident without technical analysis, proof, and government officials willing to go on record only inflames an already tense situation. With so much going on worldwide, a more cautious tone is needed before continuing the volley of cyber incidents between adversarial nations.


Steph Shample is a Non-Resident Scholar with the Middle East Institute's Cyber Program and Vice President of Intelligence for Terbium Labs. The views expressed in this piece are her own.

Photo by Chesnot/Getty Images

The Middle East Institute (MEI) is an independent, non-partisan, non-for-profit, educational organization. It does not engage in advocacy and its scholars’ opinions are their own. MEI welcomes financial donations, but retains sole editorial control over its work and its publications reflect only the authors’ views. For a listing of MEI donors, please click here.