The Israeli invasion of Lebanon began on October 8th, 2024, when they declared part of the country near the border with Lebanon a “closed military zone”, and ordered most of the inhabitants of southern Lebanon to evacuate. Israel’s strategy so far has been limited to clearing the border area and concentrating on destroying Hezbollah’s rockets, launchers, command posts, firing posts, and weapons depots to clear Hezbollah’s military infrastructure from the south of the country, to enable Israelis living in northern Israel to return to their homes (where many have fled to since Hamas’ raid on Gaza last year).
The Israeli army has hit thousands of Hezbollah targets in Lebanon and Syria, eliminating both Hezbollah leader Hassan Nasrallah and the Hamas commander in Lebanon, Fatah Sharif. Iran responded by carrying out a large ballistic missile strike on Israel, and now the rest of the global community is poised for Israel’s response as a war in this region – particularly considering Iran’s nuclear efforts – would have wider consequences for the whole world.
When Israel announced the killing of Hassan Nasrallah on the morning of October 5th, 2024, many in Lebanon dismissed the news as Israeli propaganda. The previous night, the Israeli army had warned of strikes on the southern Beirut suburb of Dahiya (a Hezbollah stronghold) and other nearby neighborhoods which sparked a mass exodus throughout Beirut, while those who had nowhere to flee to moved into the streets.
When Hezbollah confirmed Nasrallah‘s death that afternoon, chaos was unleashed in Beirut, with people taking to the streets to fire shots into the air – some out of joy, others out of anger and a desire for revenge. The Lebanese army deployed armored vehicles in the streets in anticipation of possible violent demonstrations.
Unlike three weeks ago – when Israel employed a sophisticated intelligence operation to target Hezbollah operatives using their pagers – the killing of Nasrallah was achieved indiscriminately, with up to 80 tons of bombs reportedly dropped on his hideout.
The following day, smoke still billowed from the attack site, and according to the Lebanese Ministry of Health, at least 11 people were killed and 108 wounded. In total, over 1,000 people have lost their lives since the Hezbollah pager and radio explosions three weeks ago, with many others unaccounted for.
Israel has arguably forgotten the lessons from the last time they assassinated a Hezbollah leader (Abbas al-Musawi, in 1992) and it could be said that Israeli policymakers have once again reverted to thinking that eliminating leaders of enemy movements will solve complex, long-standing problems.
Neither assassinations nor bombings have deterred Hezbollah’s threat to Israel, nor compelled the organization to abandon its objectives, and Nasrallah – who assumed power following al-Musawi’s demise) has proven to be a more effective and aggressive leader, shifting the group’s focus towards guerrilla warfare to target military assets.
In May 2000, Israel’s premature withdrawal from occupied southern Lebanon can be attributed in part to Hezbollah’s relentless and effective attacks. This victory elevated Nasrallah and Hezbollah to a position of prominence in the Middle East.
The current IDF incursion into Lebanon appears primarily aimed at dismantling Hezbollah’s strongholds and logistical infrastructure in southern Lebanon, establishing a buffer zone. A larger-scale operation would likely play into Hezbollah’s hands, as the organization has been meticulously preparing for guerrilla warfare under Nasrallah’s leadership by developing an extensive network of fortified positions, tunnels, and underground facilities connected by buried communication lines.
Hezbollah’s fighting units in southern Lebanon operate with a high degree of autonomy, making it uncertain how much the Israeli campaign has impacted the organization’s central leadership. Recent reports indicate that the Israelis have encountered stiff resistance, prompting additional Israeli divisions to join the fight.
The killing of Nasrallah and many other senior commanders marks a paradigm shift, after 18 years of mutual attempts at deterrence. The relentless bombing campaign is clearly intended to paralyze the organization, forcing it to accept peace on Israel’s terms. According to some reports, more than 150 of the organization’s 200 most senior leaders have been killed, and with Nasrallah’s death, the organization’s cash reserves accounting for at least a year’s budget were supposed to be incinerated.
These operations by Israel show that it has been able to completely penetrate Hezbollah’s communications networks, possibly due to expansion during its involvement in the Syrian war, as well as superior Israeli cyber capabilities. In this situation, Hezbollah leaders arguably face a choice: they can communicate and organize the remaining forces – putting themselves at acute risk of death – or they can go into hiding, leaving their organization without direct leadership and losing ground within Lebanon. The Israeli ability of cyber intrusion is clearly a strong part of this dilemma.
According to Israeli estimates, half of Hezbollah’s arsenal has already been identified and eliminated by Israel, along with most of its leadership. Israel has thus clearly been preparing for the war for years in terms of intelligence and has an extensive list of targets (unlike in 2006, when it became bogged down in a guerrilla war in the south of Lebanon).
The pace of losses for Hezbollah this time around is so intense, and the degree of disruption is so high that it presents the remaining leaders with a difficult dilemma. According to some reports, this has caused a split within the organization, with pragmatists who are open to some degree of cooperation with Israel to stymie the attacks, and more fanatical elements who are violently opposed. The former option would secure an Israeli victory and would allow 60,000 displaced Israelis to return to their homes in the north.
Whatever Hezbollah decides, it is historically quite rare for such groups to be defeated simply by removing a key leader. In decades of counterterrorism activity, Israel has killed the leaders of a number of Palestinian groups, including Hamas, Palestinian Islamic Jihad, the Popular Front for the Liberation of Palestine, but for the most part, these groups continue to fight.
While Hezbollah patiently wishes to avenge the death of its leader, any inaction has a negative effect on its credibility. With a huge rocket arsenal potentially capable of hitting all locations in Israel, the threat from Hezbollah remains serious. Moreover, Nasrallah stated before his death that all options are on the table in the event of war and that Hezbollah could retaliate with terrorist attacks on Jewish targets elsewhere in the world (as it has repeatedly before in Argentina and Bulgaria, for example). It is also reasonable to assume that cyber operators connected to Hezbollah would hit any and every target of opportunity.
Iran has attacked Israel with approximately 180 ballistic missiles, which in some instances managed to overwhelm Israel’s air defenses (primarily based on Arrow 2 and Arrow 3 ABM missiles). Areas targeted by this strike include Nevatim airbase, Tel Nof airbase, Mossad headquarters, and civilian infrastructure in central Israel (which reportedly only resulted in one casualty).
Nevatim air base, however, was hit by about a dozen missiles with yet unclear consequences (NB this base was inconsequentially hit by missiles in the previous attack in April). The 116th, 117th, and 140th squadrons – which operate F-35I Adir aircraft – are based at Nevatim, but the majority were airborne due to early warnings provided by U.S. military assets).
A hit on Tel Nof Air Base appears to have caused secondary detonations, but damage at this site appears negligible given the scale of the attack (except perhaps in the financial aspect of the matter).
In April, a former financial adviser to the IDF Chief of General Staff said that a single Arrow missile normally costs “around $3.5 million“: disposing of a hundred ballistic missiles would therefore easily run into a hundred million, while the ballistic missiles themselves could have cost Iran about 10 to 15 times less each than a single Arrow air-defense missile.
Israeli officials announced an impending major retaliation against Iran, with targets likely to be their oil industry, air defense systems, and other strategic sites, with the possibility of further assassinations of key Iranian officials, dramatically increasing the likelihood of an all-out war with Iran. They further stated that if Iran decides to respond to their retaliation, “all options“ would be actively considered, including the destruction of Iran’s nuclear facilities. Previous experiences also indicate that Israel is more than capable of using cyber warfare to target its nuclear program or critical infrastructure.
Former Prime Minister Naftali Bennett stated that now that Hezbollah and Hamas are paralyzed, and Iran has given Israel the pretext of two major long-range attacks on its territory, it is Israel’s duty to attack Iran’s nuclear program. He is certainly not alone in this view among Israeli politicians, and the coming days thus threaten to unleash the most terrible war the region has seen in decades with a massive risk of spillover, that would likely start in the cyber realm.
As we have recently reported, Iran is already targeting U.S. elections, trying to change the balance of power. In 2018, President Trump unilaterally abandoned the 2015 nuclear accord that Tehran had signed with world powers, imposing waves of sanctions on the Islamic Republic and putting its economy under severe pressure. Iran’s long-term strategy is the removal of U.S. influence from the Middle East, where Tehran intends to become the dominant power, and to fulfill this role, the Iranian regime does not want to deal with another Trump administration.
Iran is among the world leaders in terms of using cyber warfare as a tool of statecraft. Iranian hackers have been repeatedly successful in gaining access to emails from an array of targets, including government staff members in the Middle East and the US, militaries, telecommunications companies, and critical infrastructure operators. The malware used to infiltrate the computers is increasingly more sophisticated and is often able to map out the networks the hackers had broken into, providing Iran with a blueprint of the underlying cyberinfrastructure that could prove helpful for planning and executing future attacks.
Moreover, Iran is now supplementing its traditional cyberattacks with a new playbook, leveraging cyber-enabled influence operations (IO) to achieve its geopolitical aims. Iran is likely trying to tap into Chinese and Russian expertise in “soft war”, which is an Iranian doctrinal term that refers to the use of non-military means (such as economic and psychological pressure and information operations) to erode regime legitimacy, cultivate domestic opposition, and, propagate Western values in Iran.
During our investigation, we identified over 270+ small, medium, and large groups actively targeting Israel’s cyberspace. These groups, which we have categorized as pro-Palestinian hacktivist organizations, originate from various regions, including Indonesia, Turkey, Pakistan, Azerbaijan, Iran, France, Russia, and many other countries.
A growing trend of global collaboration among these hacktivist groups has been observed, with many forming strategic alliances to amplify their impact. Notably, pro-Palestinian hacktivists are increasingly working in tandem with pro-Russian groups, aligning their efforts to disrupt the cyber infrastructure of Israel and its allies. This coordinated approach has led to a significant increase in cyberattacks, including DDoS attacks, defacements, data breaches, and other forms of digital disruption across Israeli cyberspace.
On September 22, 2024, the APT group “Handala” released a post on a Russian forum, detailing a cyberattack involving a pager explosion.
In the post, Handala claimed responsibility for hacking Vidisco, a company they allege is a shell entity for Mossad. Handala stated that they exfiltrated around 10GB of confidential data.
On October 8, 2024, the APT group “Handala” leaked 50,000 emails allegedly belonging to the Israeli ambassador in Germany. This leak is part of the group’s continued cyber offensive targeting Israeli figures and entities.
The APT group Handala and the threat actor StackTheSlack have both been involved in several notable cyberattacks targeting top Israeli officials and organizations.
A simmering low-level cyber war is already ongoing on the sidelines of the conflict between Israel and Iran. In case of a full-scale war between Israel and Iran, all bets would be off, and every hacktivist and state actor in the region would be incentivized to cause maximum damage, opportunistically choosing targets.
Pro-Palestine hacktivist groups are highly likely to significantly ramp up DDoS attacks on organizations in Israel, as well as on those with perceived links to Israel (e.g. the USA), as well as Muslim countries perceived as not doing enough to oppose Israel. Iran might enable some groups to go after government services, energy, banking, finance, and telecommunications in countries considered hostile, but Iran itself is not ready for potential cyber retaliation from Israel or its allies and may prefer to outsource some of its state-driven cyber campaigns to smaller groups outside its territory.
