The Four Hour Cyber War on Iran

(Tom Uren – Lawfare) 

The U.S.-Israel attack on Iran shows how cyber operations help achieve military goals when aggressors have cyber dominance. But it also highlights the small window of opportunity for them to have a significant impact once war kicks off.

At a press briefing on Monday, Joint Chiefs of Staff Chairman Gen. Dan Caine said U.S. Cyber Command was involved in “coordinated space and cyber operations [that] effectively disrupted communications and sensor networks … leaving the adversary without the ability to see, coordinate or respond effectively.”

The overall goal, he said, was to “disrupt, disorient and confuse the enemy.”

An official acknowledgment containing that much detail is new, but this kind of discombobulation attack is becoming the norm for well-planned and orchestrated military operations. Last year, Cyber Command helped blind Iranian air defenses in the U.S. strike on the country’s nuclear facilities. Cyber operations were also used to cause a blackout during the U.S. raid to capture Venezuelan President Nicolás Maduro in January this year.

Last week, cyber operations were a key contributor to the assassination of Iran’s supreme leader, Ali Khamenei. The timing of the decapitation strike against Khamenei, and the beginning of the war, was determined when intelligence officials learned he would be meeting with senior officials at his compound on Saturday morning.

The Financial Times (FT) reported that real-time intelligence from compromised traffic cameras, and what it called “deeply penetrated” mobile phone networks, was used to confirm the meeting was going ahead as planned. Sources told the FT that nearly all the traffic cameras in Tehran were being monitored by Israel. One particular camera pinpointed where bodyguards and drivers of senior Iranian officials liked to park in Khamenei’s compound.

In addition to providing targeting intelligence, the FT says a cyber operation disrupted the mobile phone system near Khamenei’s compound, so his protection detail couldn’t receive warnings about an impending attack.

The ability to pull this off was the result of years of Israeli effort to build a comprehensive intelligence architecture focussed on Tehran. This used information from signals intelligence, cyber espionage, and human intelligence.

While cyber-enabled intelligence gathering was instrumental in this attack, Israeli sources told the FT that these feeds become less useful once a war kicks off. They were used for “pattern of life” analysis to determine where targets would be and when. Falling bombs disrupt this pattern, and targets have preplanned countermeasures such as heading to underground bunkers.

In a shift from the lethal to the mundane, cyber operations were also used for, ahem, “psychological warfare.” That is, to send push notifications directly to Iranian citizens shortly after bombing started.

The Iranian prayer app BadeSaba pushed out messages to users urging them to resist the regime. The first read “help has arrived,” while another was targeted at army personnel: “for the freedom of our Iranian brothers and sisters, this is a call to all oppressive forces—lay down your weapons or join the forces of liberation. Only in this way can you save your lives.”

Compared to pinpointing the exact location of the country’s supreme leader, this campaign feels inconsequential, sure. But writing on X, Iran cyber specialist Hamid Kashfi pointed out the app is both extremely popular and requests access to the user’s location, presumably so that it can provide accurate prayer times. We expect that the primary reason the app was compromised was for its intelligence value and that data about its users was raw material for Israel’s intelligence machine. If they managed to convince a few soldiers to “lay down their weapons” as well? That’s a double win.

About four hours into the attacks, the Iranian regime imposed a country-wide internet blackout. This is the regime’s default response to internal dissent, so we doubt this was solely a reaction to adversary cyberattacks and espionage.

But it suggests that there may be a wartime dynamic that places a cap on the usefulness of cyber operations. The more effective your cyber campaign is, the more likely the victim country is to take drastic measures, like shutting down the internet.

This week the U.S. and Israel had cyber dominance. Compromising traffic cameras, entire mobile networks, and prayer apps is already a ton of pwnage. We’d be surprised if there wasn’t a lot more that didn’t make its way to news desks.

When it came to executing a surprise attack, that cyber dominance paid off in spades. But only for a few hours.
