Newsletters
The number of Iranian cyberattacks against Israel has tripled since the launch of renewed Israeli military operations against Iran this year, a senior Israeli security official told German newspaper Die Welt, warning that "unlike in the kinetic realm, there's no ceasefire in cyberspace."
Director General of Israel's National Cyber Directorate Yossi Karadi said that during Israel's "Rising Lion" operation against Iran in June 2025, authorities registered around 1,600 hostile cyber incidents.
During the same month in 2026, amid the "Roaring Lion" operation, that number rose to roughly 4,800, a threefold increase in cyber incidents and hostile online activity.
"Some groups are very skilled," Karadi said, noting, "we can handle them, but we have to take them seriously. Unlike in the kinetic realm, there's no ceasefire in cyberspace."
He noted that cyberattacks against Israel doubled on the very day the ceasefire ending the 12-day war was signed in June 2025.
Asked who carries out the attacks, Karadi described a multi-layered ecosystem.
"You can picture it as a system made up of several layers. At the core are the cyberattack groups within Iran's security apparatus and the Revolutionary Guards. Then some civilians hack out of conviction or are paid to do so. Another layer consists of activists who want to harm Israel," he said, noting that these activists produce propaganda videos, including some featuring Lego figures, aimed at influencing public opinion.
Karadi said Tehran also attempts to recruit cyber groups from abroad, sometimes including ransomware gangs that typically hack companies and hold their systems hostage for payment.
Asked whether this resembled the hacker ecosystem Russia has built, and whether the Kremlin supports Iran's cyber war, Karadi was cautious.
"I want to be careful here. There's a difference between hiring a ransomware group from another country and a state helping another state attack Israel," he said.
"In the case I mentioned, we believe the group initially didn't know the purpose of the attack; it later withdrew without demanding a ransom. We have not seen organized state support from Russia for Iran's cyber war so far. That would also be very problematic for us," he added.
Asked whether this meant Iranian capabilities still lag behind Russia's, Karadi said Tehran is trying everything available to it during wartime.
"The leadership demands results, so they acquire capabilities, learn from other models, use everything available. Some groups are very good. We manage them, but we have to take them seriously," he said.
Karadi said the war prompted a structural shift in how Iranian hacking groups operate.
"We have learned a great deal. In the cyber domain, we are seeing new developments as well as familiar tactics carried out at new levels of intensity," he said.
"For example, until last year, every Iranian cyberattack group acted autonomously, without coordination with other groups. With the start of the war, they began sharing information and attack knowledge. That was new," he added.
He said the shift followed direct pressure from Tehran's leadership after Israel's strikes on Iran's nuclear program in June 2025.
"The Iranian leadership demanded fast, visible results. To achieve that, the groups were ordered to cooperate. That was a command," he said.
Karadi described how Israel categorizes cyberspace into four concentric defensive rings, with critical infrastructure at the center.
"That is the core of my mission. The adversary must not succeed there. Next come central organizations, small and medium-sized enterprises, and finally the public," he said.
"So far, and hopefully it stays that way, we've managed to fend off attacks on critical infrastructure," he said, noting, "But you cannot protect every person and every system in cyberspace. That's why later attacks targeted easier targets, in order to at least show some visible success, law firms, accounting companies, small businesses."
He said the databases of affected computer systems were often wiped entirely, without naming specific victims.
Asked whether AI is purely a threat or could also assist defense, Karadi said Israel already uses AI in cyber defense, but cautioned against oversimplifying the dynamic.
"Many people say: if AI is used for attacks, we'll just use it for defense too. It's not that simple," he said, adding, "an attacker only needs one piece of software to successfully attack a system once, in a single operation. A state, on the other hand, has to deploy multiple models simultaneously to continuously protect all systems. An attacker might need a month to attack one system. How long do I need for a national system that protects every point of entry? That's already a challenge."
Asked whether Europe underestimates China's cyber capabilities compared with Russia and Iran, Karadi said he prefers the term "cyber capabilities" over "cyberwarfare."
"China is a superpower when it comes to cyber capabilities. What it does with those capabilities is China's own decision. I don't view the People's Republic as my adversary," he said.
He noted that digital espionage often goes unnoticed compared with destructive attacks, saying, "Our lesson from previous cyber wars is: don't prepare for the adversary's intentions, prepare for their capabilities. Because you don't know when they'll decide to use those capabilities to harm you."
Asked about China's heavy investment in quantum computing research, which could massively increase computing power, Karadi said it remains unclear how quickly quantum computers will affect daily life, though he believes they eventually will.
"China has built significant quantum capabilities in research and at elite universities. We have to ask ourselves: what do we need to invest, what do we need to do?" he said.
He said quantum computing's most significant impact will be on encryption.
"We need to prepare for Q-Day, the day quantum computers can break standard encryption. Data considered well-encrypted today could no longer be secure," he said, adding that countries must consciously decide what defensive, offensive, or digital capabilities to build.
Set as preferred source
Set as preferred source
1 min read
1 min read
