‘Iranian Cyberattacks Are Improving – but They Have Made Many Mistakes’

Dr. Gil David, formerly of a cyber unit in the Prime Minister’s Office, explains how Iranian cyber operations against Israel have come a long way

Yossi Melman head
Yossi Melman
Send in e-mailSend in e-mail
Iran's President Ebrahim Raisi delivering a speech at Tehran University, in December.
Iran's President Ebrahim Raisi delivering a speech at Tehran University, in December.Credit: Photo by Iranian Presidency / AFP
Yossi Melman head
Yossi Melman

There was an element of psychological victory for Iran in the double terror attack that took place two weeks ago at a Jerusalem bus stop, killing Aryeh Shechopek and Tadesse Teshome Ben Madeh – but the media barely took note.

Twenty-four hours after the attacks, a hacker group known as Moses Staff, which is affiliated with Iran’s intelligence services, posted videos from a surveillance camera installed by an Israeli security unit at the entrance to the capital, near one of the sites of the attacks. The camera, for reasons unknown, had not been checked – or it had been, but the footage from it had not been released to the media.

Members of Moses Staff were the ones to release it, and in doing so, gave the impression that the two-fold attack was a daring Iranian operation. Incidentally, the Shin Bet security service is still searching for the perpetrators of the twin attacks. Their identities and affiliations have yet to be released to the public.

Dr. Gil David: ‘If citizens have advanced tools at their disposal, they’ll be able to convey ‘forbidden information’ and overcome strict censorship.’Credit: Omer Hacohen

“Hacking into the security camera – one of many in Israel’s public spaces – is an easy thing to do. Any amateur hacker can do it. You don’t need the [resources] of a country for it. It’s not like the Iranian virtual army got up one morning and went to war,” says Dr. Gil David, an international expert in cybersecurity, artificial intelligence and information security – and the author of the book “The Art of Hiding,” which was recently published in Hebrew.

“Companies and governmental organizations that monitor these hacking groups give them names according to their coding and programming styles. Moses Staff is an example of one such group. Most of the groups have a sort of fingerprint; If the coded message looks like a snake, the researchers will call the group ‘snake.’ Identifying shared code or cooperative acts will make the defenders' work much easier over time,” David says.

Are these groups independent, or are they part of the Iranian intelligence’s larger cyber enterprise?

They are part of the Iranian cyberprogram of its intelligence agencies. Everything is directed from above.

The bus station in Jerusalem where a bomb went off, on Wednesday.Credit: Ohad Zwigenberg

Who are these attacks directed against?

“These groups – and they’re not just Iranian, of course – attack individuals, groups, government organizations, including espionage and intelligence agencies and governments. As we know from open sources, Israel, too, is attacked by the Iranians all the time.”

For what purpose?

“Mostly to collect information. What I identify is the increasing use by the Iranians of methods to conceal information and communicate clandestinely. They attack while making an effort to hide their communications with the attack tool.”

Within the field of information security, this practice is called “steganography,” derived from the Greek words steganos – which means covered or concealed – and graphia – meaning writing. Or, in other words: Hiding messages in a way that no one but the recipient can know they exist. It is important to differentiate in this context between steganography and cryptography, the latter of which is the field of secure communications and encryption – in which the existence of the information is not hidden, just its content.

In his book, David presents a long list of examples, throughout history and through the digital age, in which individuals (such as prisoners), groups, companies, intelligence organizations and governments tried to conceal their secrets. He invites the reader – though sometimes with jargon not best suited to laypeople – into a world in which the protagonists are secret agents, spies, bots and mathematical algorithms.

Here’s an example: “When you sit at a table in a restaurant and try to decide what to order from a menu accessed through a QR code, someone can hide information there – and nobody except the recipient of the message would know. I conducted such an experiment, and I was able to hide the message. Even scanning the code or its image would not let you discover the secret message.”

Hiding everything

After David, 48, completed his army service as a tank commander, he studied computer science at the Hebrew University of Jerusalem. He did his doctorate at Tel Aviv University on identifying online cyberattacks by means of machine learning, and later conducted a study at Yale University on artificial intelligence. And for seven years, he headed the research and development department at a cyber unit within the Prime Minister’s Office.

During that period, according to U.S. reports, the Israel Defense Forces’ Intelligence Directorate and the Mossad were involved in developing and mobilizing the Stuxnet computer virus. From 2004 to 2009, the virus attacked the computers that operated and monitored the centrifuges at a uranium enrichment site in Natanz, Iran, damaging about a third of them. David refuses to discuss this subject beyond previously published information.

Although his managers in the PMO cyber unit tried to persuade him to stay, David preferred to engage in academic research and to advise the defense establishment and high-tech companies involved in developing algorithms for artificial intelligence. He taught at a university in Finland, among such exploits, and some of his students were Iranians.

Do not scan this QR: The cover of Dr. Gil David’s new Hebrew language book ‘The Art of Hiding.’

“The Iranians are demonstrating amazing improvement from one operation to the next,” he says. “They recently began to use the method of concealing [information] in an image. That’s something new for them. They still don’t do it perfectly, but they are a prominent presence on the internet. Western intelligence organizations have been using this method for years.”

What is concealing information by means of an image?

“Let’s say that Iran wants to attack a target in Israel, such as installations belonging to the Mekorot national water company, which have indeed been attacked in the past. The hackers usually find a weakness and exploit it to infiltrate the company. They may have bribed someone from inside the company, or were able to infiltrate it independently. The hacker sends an order such as ‘collect all the passwords, emails and documents from the following computers.’ That’s called command and control. The question is how to send the orders and the updates without being discovered, which is why a lot of command and control in past years uses concealment.”

In other words, the objective is to send messages that look harmless to the other party, rather than like encoded messages.

“Correct. To send the other party something like an image that will look harmless to the one being hacked, to the party receiving the message – they won’t be suspicious of the sender’s intentions.”

How does that work?

“Take any image – for example a picture of a suitcase that the hacker sends by email as an attached file – anyone who looks at it sees a harmless picture of a suitcase and tells himself ‘It’s nothing unusual.’ But the sender, let’s say an Iranian hacker, is in fact using the picture of the suitcase to send concealed messages, such as operating instructions, for some kind of attack or for collecting information.

“When you conceal data in an image, you try to make small changes in it so that people won’t suspect that it’s different. But the Iranians made mistakes in many of their cyber operations and changed the image more obviously. They also sent the same image each time, but hid different information in it each time. Outwardly, to human eyes, it looked identical, but if you compare the images using a computer – you’ll see that they differ slightly. That rouses suspicion because it’s clear that someone manipulated the same image differently each time.”

You write in your book that it’s hard to discover data hidden in an image.

“Correct. It’s not easy to expose the concealment, but there are solutions that, rather than identifying the concealment, identify changes in the image, such as a change in format or size. These solutions are used mainly by large organizations, such as intelligence agencies or security companies.”

Despite all the sophisticated technological tools at the disposal of regimes, and although countries are making increasing efforts to reduce the free flow of information, David sums up his book by saying that ordinary people still have the ability to overcome and bypass every kind of monitoring. “If citizens have advanced steganographic tools at their disposal,” he says, “they will be able to convey ‘forbidden information’ to each other and overcome the strict censorship. Such tools would enable the creation of a free internet, or at least would make it possible to disseminate and transfer information freely, camouflaged as the monitored internet.”

In an attempt to pique additional interest, David presents his reader with riddles – like those written by the Mossad and the Shin Bet in bygone days in order to increase interest in potential and skillful young candidates for positions there. With my meager skills, I was able to solve just two of them, and I also failed abysmally in implanting a hidden message into this very article.

Click the alert icon to follow topics:



Automatic approval of subscriber comments.

Already signed up? LOG IN


הקלטות מעוז

Jewish Law Above All: Recordings Reveal Far-right MK's Plan to Turn Israel Into Theocracy

איתמר בן גביר

Why I’m Turning My Back on My Jewish Identity

Travelers looking at the Departures board at Ben Gurion Airport. The number of olim who later become yordim is unknown.

Down and Out: Why These New Immigrants Ended Up Leaving Israel

Beatrice Grannò and Simona Tabasco as Mia and Lucia in "The White Lotus."

The Reality Behind ‘The White Lotus’ Sex Work Fantasy

The Mossad hit team in Dubai. Exposed by dozens of security cameras

This ‘Dystopian’ Cyber Firm Could Have Saved Mossad Assassins From Exposure

מליאת הכנסת 28.12.22

Comeback Kid: How Netanyahu Took Back Power After 18 Months in Exile