Leaked Iranian Intel Sheds Light on Proxy War With Israel

Sky News obtained five top secret reports by Iranian Revolutionary Guards intel unit potentially revealing plans by Iran to use possible cyberattacks to target ships. However, sources say it may be more defensive than offensive

Omer Benjakob
Omer Benjakob
Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
Screengrab from the Sky News investigation
Screengrab from the Sky News investigationCredit: YouTube
Omer Benjakob
Omer Benjakob

A bundle of leaked intelligence documents purportedly created by a secret intelligence unit within Iran’s Revolutionary Guards Corp and obtained by Sky News reveals proxy wars being fought between Israel and Iran online and at sea.

The documents, dubbed “Iran’s secret cyber files,” detail five different reports created during 2020 by what Sky News identified as “Intelligence Group 13,” said to be “a sub-group within the IRGC Shahid Kaveh unit," according to a source the British news network spoke with.

Pegasus scandal: How the Mossad pushed invasive spyware to friendly dictators. LISTEN

-- : --

Each of the reports were labeled “very confidential” and relate to maritime and cyber sectors. Together they purportedly show a secret effort by Iran to find ways to use cyberattacks to target vessels and cargo ships, for example by causing their fuel pumps to malfunction and explode.

"Iran must become among the world's most powerful in the area of cyber," the intel reports said, directly linking tensions between Israel and Iran on the high seas and the digital wars the two countries have fought online over the past decade.


Though the leaked reports could not be verified independently, the content as presented by Sky News is in line with previous reports and incidents relating to Israel-Iran tensions at sea and in the cyber arena.

At the beginning of the year, for instance, Israel accused Iran of “ecological terrorism” during the massive Mediterranean oil spill, claiming without proof that an Iranian-linked ship had intentionally dumped oil to tarnish Israel’s shores. At the time, rumors and reports suggested Israel had targeted illegal shipments of Iranian oil crossing the Mediterranean and the Red Sea through the Suez Canal. There were speculations that the oil spill that reached Israel resulted either from a retaliatory Iranian attack or an Israeli attack on an Iranian ship that backfired ecologically. 

In a number of cases before and after the oil spill, mysterious blasts sunk or severely damaged vessels that open source intelligence experts linked back to Iran and its proxies. It was long speculated that Israel was behind the attacks. Tensions peaked in April when the Israeli ship Hyperion Ray was targeted off the coast of the United Arab Emirates by a blast and one week later when the Iranian intel ship the Saviz was hit in the Red Sea.

Israel and Iran have a long history of indirect conflict, with the cyber arena serving as one of the enemies' main proxy battlegrounds. Some parts of the leaked reports obtained by Sky News seem to indicate how cyber capabilities can be put to use in the maritime conflict between Israel and Iran.

For example, one of the reports focuses on “ballast waters” and the systems used by ships to filter out their water and heavy oils. The report includes a diagram that “showed how commands could be sent remotely to a ship from a control center on land via a satellite link.”

According to the report, such commands could be used to target water pumps and be used “to bring water into the tanks through centrifuges [and...] could result in the sinking of the ship."”  The report further said that, "Any kind of disruptive influence can cause disorder within these systems and can cause significant and irreparable damage to the vessel."

Another one of the Iranian reports exposed by Sky News also focused on the damage that can be inflicted on a ship through a remote cyberattack – this time by targeting its fuel system. The report focused on a U.S. firm that supplies fuel pumps to ships across the world and whose system can be used to remotely control a specific vessel's fuel system.

According to the report, an “explosion of these fueling pumps is possible if these systems are hacked and controlled remotely."

At the time of the February 2020 oil spill in Israel, some experts who spoke with Haaretz suggested that it was not crude oil reaching Israel’s shores, but rather the toxic and oil-heavy ballast discharges that oil tankers use, or perhaps even the ship fuel they use.

“Oil spills can be caused by all three and once the oil reaches the water it is very difficult to ascertain if it is crude, ballast or ship fuel, and all three can leak if a ship is attacked or suffers damage due to a accident at sea,” one international expert told Haaretz at the time.

Israeli soldiers clean up a beach following a disastrous oil spill, last month.Credit: Ariel Schalit,AP

It is important to note that despite their possible nefarious intentions or ramifications, the Iranian intel reports are predominantly based on openly available information and serve more as summaries than reports containing new and sensitive information.

However, one of the reports, focused on methods for maritime communication, does show the potential damage that openly available information and systems can pose when weaponized by an offensive cyber actor.

That report also revealed a search for such systems that could be accessed remotely, and specifically, searches for devices linked to Israel, the U.S., the U.K. and France, among others. The resulting document produced in the report seems to include an assessment of the overall number of open (and therefore possibly exploitable) communication systems in each of the countries, indicating a possible intention for these systems to be used in hacking operations.

Two other reports dating back to November and April 2020 were also revealed: One focused on “the computer-based systems that control lighting, ventilation, heating, security alarms and other functions” and the other about electrical equipment produced for ships by a German company. The latter “examined vulnerabilities in what is called a programmable logic controller or PLC – a computer control system,” Sky News reported, but added that “the authors appeared to conclude that it would not be possible to exploit them.”

A senior maritime source who spoke with Haaretz and is knowledgeable about the issue but requested to stay anonymous due to ties with the Israeli defense establishment said in response to the revelations that it's possible that they were “more defensive research than an offensive attack plan.”

According to the source, who did not see the original Iranian reports, “most of the things described here are actually things we’ve seen in the past happen to Iranian ships or at least ships that were suspected of working for Iran - for example ferrying illegal oil from the Syrian coast to smaller vessels or approaching the Suez Canal.”

The source suggests that the reports perhaps reflect Iran’s attempts to defend itself against what they view as attacks – cyber and physical – against its maritime activities: “I don’t think they have such capabilities and if they do we have yet to see them used against Israeli ships."

Click the alert icon to follow topics: