Bank hacks, internet shutdowns and crypto heists: Here's how the war between Israel and Iran is playing out in cyberspace
The war between Iran and Israel has already expanded from the battlefield into cyberspace.
The conflict between the two Middle East adversaries has so far largely played out in public view, with hundreds of missiles and drones causing mass casualties across major cities. But Iran and Israel have also been launching cyber attacks against one another from the shadows — which officials are now warning may soon spill over onto U.S. targets.
Overnight strikes by the U.S. against Iranian nuclear facilities have heightened the threat environment, and Iran could retaliate by hacking into U.S. electrical grids, water plants, and other critical sectors.
'Cyber is one of the tools of Iran's asymmetric warfare,' said Alex Vatanka, senior fellow at the Middle East Institute.
The National Terrorism Advisory System warned Sunday of a range of Iranian threats to the U.S., including attacks on 'poorly secured U.S. networks and Internet-connected devices.'
'Low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks.'
Joint Chiefs Chair Gen. Dan Caine told reporters on Sunday that U.S. Cyber Command was helping support the strikes, although he did not elaborate on its involvement.
A spokesperson for U.S. Cyber Command did not respond to a request for comment. A spokesperson for the Cybersecurity and Infrastructure Security Agency, the main U.S. cyber defense agency, declined to comment.
Critical infrastructure groups last week called on U.S. companies to proactively step up their defenses in anticipation of an attack.
Former CISA Director Jen Easterly posted on LinkedIn on Sunday that U.S. critical infrastructure organizations should have their 'shields up' and be prepared for malicious cyber activity.
'While it's unclear whether its cyber capabilities were at all impacted by recent Israeli strikes, Iran has a track record of retaliatory cyber operations targeting civilian infrastructure, including: water systems; financial institutions; energy pipelines; government networks; and more,' she wrote.
Both Iran and Israel are considered global cyber powers and have traded barbs online, particularly in the aftermath of the Oct. 7, 2023, Hamas attacks on Israel. An Iranian gang claimed responsibility for hacking into an Israeli hospital and stealing patient data in 2023, and an Israeli hacking group followed by shutting down large swaths of Iran's gas stations.
But Israel's cyber capabilities are widely considered more sophisticated. 'The Iranians … are good, they are emerging, but I don't think they're at the level of the Israelis or Americans,' Vatanka said.
Some of the most aggressive efforts over the past week have been cyberattacks against major financial institutions in Iran and disinformation campaigns aimed at causing chaos and confusion in Israel.
A pro-Israeli hacking group known as Predatory Sparrow claimed credit for a cyberattack last week on Iran's Bank Sepah, which caused widespread account issues for customers. The group also later claimed credit for draining around $90 million from Nobitex, Iran's largest cryptocurrency exchange, and for posting stolen Nobitex source code lists on the social media platform X.
Hackers also targeted Iranian news stations. Videos circulated online appeared to show Iranian state TV broadcasting anti-regime messages last week.
The Iranian government shut down the nation's internet in response to the attacks late last week, a blackout that was largely still ongoing on Sunday.
'Gaining control of the flow of information is certainly to be expected from the regime … they suspect that there is maybe an attempt to mobilize public attention,' Vatanka said.
Top Iranian officials and their security teams were also advised last week to stop using internet-connected devices, in particular telecommunication devices, to protect against potential Israeli disruptions. Last year, thousands of pagers used by the Iranian proxy militant group Hezbollah exploded across Lebanon, leaving thousands injured.
One reason Israel's cyberattacks may have been more effective in this round of fighting is that Israel struck Iranian facilities first, giving it more time to prepare its offensive and defensive options before Iran could retaliate.
Iran and its proxy organizations are fighting back, albeit on a smaller scale. Israel's National Cyber Directorate warned Israelis abroad on Saturday not to fill out forms on malicious websites that are seeking to gather intelligence on these individuals.
Gil Messing, chief of staff for Israeli cyber company Check Point Software, said Saturday just before the U.S. strikes that his company had tracked cyber and disinformation campaigns against Israel 'escalating a bit,' though no new major attacks had been reported.
Messing said that there was a 'flood of disinformation' pouring onto social media last week, including messages discouraging Israelis from entering shelters during attacks and erroneous texts about gas and supply shortages.
Israel's civilian cyber defense agency warned that Iran was renewing its efforts to hack into internet-connected cameras for espionage purposes.
John Hultquist, chief analyst for Google Threat Intelligence Group, posted on X on Saturday shortly after the attacks that Iranian cyber forces usually use their 'cyberattack capability for psychological purposes.'
'I'm most concerned about cyber espionage against our leaders and surveillance aided by compromises in travel, hospitality, telecommunications, and other sectors where data could be used to identify and physically track persons of interest,' Hultquist wrote.