Endless Cyber Conflicts: From Tehran to Tel Aviv

Sunday 21 December 2025 - 06:50
https://english.iswnews.com/?p=39374

The twelve‑day cyber war between Iran and Israel (June 13–24) began with Operation Rising Lion, leading to a 700 percent surge in cyberattacks against Israeli infrastructure. Unit 8200, responsible for SIGINT, codebreaking, and cyber warfare, played a central role in this confrontation. Since the 1950s, this unit has evolved into one of the world’s most advanced cyber military divisions, with its alumni later founding major companies such as Check Point, CyberArk, and Palo Alto Networks.

The Twelve‑Day Cyber War
The twelve‑day conflict between Iran and Israel, which took place from June 11 to 17, marked a turning point in the history of Middle Eastern cyber warfare. Initiated by Israel’s Operation “Rising Lion”, the confrontation saw a 700 percent increase in cyberattacks against Israeli infrastructure. Unit 8200, the largest military unit within Israel’s Defense Forces and often compared to the U.S. NSA or the UK’s GCHQ, played a pivotal role. Responsible for clandestine operations, SIGINT collection, codebreaking, counter‑espionage, cyber warfare, and surveillance, Unit 8200 has become one of the most sophisticated cyber units globally. Its importance is underscored by the fact that its veterans founded companies such as Check Point, CyberArk, Claroty, CyCognito, and Palo Alto Networks, which both support national security and serve as instruments of Israel’s cyber soft power abroad.

Unit 8200’s Role in the Twelve‑Day War
During the June 2025 conflict, Unit 8200 carried out a wide range of cyber operations against Iran. According to CloudSEK, between June 11 and 17, more than 35 pro‑Iranian hacker groups launched coordinated cyberattacks on Israeli military, governmental, and infrastructure targets. In response, Israel activated only four to five groups, but the sophistication of Unit 8200 and affiliated groups such as Predatory Sparrow far outweighed sheer numbers. Predatory Sparrow, regarded as the successor to INDRA, employed unique cyberattack methods against Iran’s critical infrastructure, having previously inflicted significant damage on rail systems, steel plants, and fuel stations. Israel’s National Cyber Directorate (INCD) reported that in 2024, the number of alerts doubled, with cyberattack damages estimated at over $3 billion. These figures highlight the unprecedented intensity of the conflict, which went far beyond simple DDoS attacks or website defacements, encompassing complex intrusions into critical infrastructure, theft of sensitive data, and disruption of industrial systems.

Technological Transformation and AI Tools
One of Unit 8200’s most significant advancements has been the development and deployment of advanced artificial intelligence systems. According to The Guardian and +972 Magazine, Unit 8200 is building a large language model (LLM) similar to ChatGPT, trained on millions of intercepted Arabic conversations from Palestinians. Still in its training phase, this AI tool is designed to analyze, translate, predict, and summarize text, dramatically enhancing the unit’s surveillance and intelligence capabilities. INCD’s new strategy for 2025–2028 includes the creation of a “Cyber Dome”, an AI‑based national cyber defense system aimed at countering growing threats from Iran and Hamas. At a conference in Tel Aviv, Unit 8200’s commander revealed that AI technology had already been used to select Hamas targets. Reports also indicate that Microsoft and other major U.S. tech firms have supported Unit 8200 by providing Azure cloud services, enabling the migration of 70 percent of sensitive data to the cloud. This reflects the deep integration of Western technologies into Israel’s cyber warfare structure.

Analysis of Tactics and Operational Methods
In the twelve‑day war, Unit 8200 employed a wide array of advanced tactics, showcasing significant evolution in cyber warfare methods. According to Dark Reading, the attacks against Iran unfolded in three distinct phases: the first marked by massive DDoS waves and initial intrusion attempts; the second focused on targeting managed service providers (MSPs); and the third, ongoing phase, characterized by slower but far more sophisticated operations.

Iranian attackers, who previously relied on outdated malware and easily blocked scripts, have shifted to using remote management tools (RMMs) and legitimate Windows software, making detection and blocking far more difficult. Exploitation of zero‑day vulnerabilities, which once took days or weeks, now occurs within 30–40 minutes.

This dramatic increase in speed and efficiency reflects growing cooperation among Iran‑aligned groups, with shared intelligence, infrastructure, and R&D capabilities. In response, Unit 8200 has deployed advanced tools to target high‑value and unconventional assets.

Strategic Consequences and Regional Impact
The twelve‑day cyber war had profound strategic implications for the Middle East. According to the Lieber Institute, in the six months following the Gaza war’s outbreak in October 2023, about 60 percent of Iran’s cyber operations were directed against Israel, intensifying across all fronts from espionage to infrastructure attacks. This escalation was reinforced by Tehran’s allies in Lebanon, Iraq, and Syria. Israel’s National Cyber Directorate, which issued 367 alerts in 2023, raised the figure to 736 in 2024, including 518 high‑priority “red alerts.”

With much of Iran’s defensive infrastructure destroyed and several senior military officials killed by Tel Aviv’s air campaign, Tehran’s strategic options have been significantly constrained. This operational damage reduces the feasibility of a major conventional response in the short term, making asymmetric tools—especially cyber warfare—far more attractive. Meanwhile, Saudi Arabia and the UAE, scarred by the Shamoon attack that wiped 30,000 computers and temporarily crippled Saudi Aramco, are increasingly turning to cyber capabilities as instruments of national security. Western states, on the other hand, continue to portray Iran as a disruptive actor in this domain, though experience shows Israel does not wait passively—conducting periodic attacks reminiscent of the Stuxnet virus.

Below, three possible scenarios for the evolution of this new type of warfare are outlined:

Scenario One: AI‑Driven Cyber War
In the first scenario, Unit 8200 leverages its advances in artificial intelligence to enter a new phase of cyber warfare. Once its developing LLM is completed and operational, the unit will be able to process vast amounts of surveillance data in real time. This capability will enable faster target identification, more accurate enemy movement predictions, and automated cyber operations. The planned AI‑based Cyber Dome (2025–2028) could evolve into a multilayered defense system that not only repels attacks but also acts preemptively against potential threats. In this scenario, Unit 8200 is expected to use deep learning algorithms to detect complex patterns in network traffic and anticipate zero‑day attacks before they occur. Deeper collaboration with U.S. tech giants such as Microsoft, Google, and Meta would provide massive computing resources and training data, potentially leading to the development of autonomous cyber weapons capable of independently deciding on targets and attack methods. In response, Iran is likely to invest heavily in AI‑based defensive capabilities and may seek cooperation with countries such as Russia and China to access advanced technologies.

Scenario Two: Expansion of Cyber Warfare to Regional Critical Infrastructure
In this scenario, cyber conflict extends beyond Iran and Israel to encompass the entire Middle East. Unit 8200 may adopt a strategy of “maximum cyber pressure,” targeting not only Iran’s military and nuclear infrastructure but also vital civilian systems such as electricity grids, water networks, transportation, and banking. Reports indicate that the CyberAvengers group, affiliated with Iran’s Revolutionary Guard, targeted Unitronics PLC devices across multiple U.S. critical infrastructure sectors—including water and wastewater systems—for a year beginning October 7. Such attacks highlight the growing tendency to strike critical infrastructure, with potentially catastrophic consequences for civilian populations. In this scenario, Unit 8200 would likely exploit its capabilities to penetrate industrial control systems (ICS) and SCADA networks in Iran, aiming to cause widespread disruptions that could trigger social unrest. Conversely, Iranian cyber groups may attempt to strike Israel’s critical infrastructure, including water treatment facilities, power plants, and transportation networks. This escalation could evolve into a “cyber cold war”, where both sides continuously probe each other’s defenses and search for vulnerabilities without necessarily launching full-scale destructive attacks.

Scenario Three: Convergence of Cyber Warfare with Physical Operations
The third scenario is the most complex and dangerous, involving the integration of cyber operations with physical attacks and psychological warfare. Here, cyberattacks are not used as standalone tools but as part of a multi-layered strategy. For example, Unit 8200 might first disable Iran’s air defense systems through cyber intrusions, then conduct airstrikes, followed by information operations to amplify psychological impact. Reports suggest that during recent operations, false messages attributed to the Israeli military—warning of bomb shelter attacks—were disseminated by pro-Iranian groups to spread panic among civilians. Such hybrid operations are highly destructive, as defending against them requires coordination across military, security, and civilian sectors. Leveraging its AI capabilities, Unit 8200 could design sophisticated disinformation campaigns, using deepfakes and AI-generated content to manipulate public opinion. In this scenario, the boundaries between cyber warfare, information warfare, and conventional conflict blur entirely. Iran, in turn, may coordinate cyber-physical attacks through its regional allies against Israeli and allied interests. Israel itself has long engaged in such operations, often playing a role in initiating or facilitating unrest inside Iran.

Conclusion: An Uncertain Future in Cyberspace
The twelve-day conflict in June demonstrated that a new era of cyber warfare has begun—an era in which Israel’s Unit 8200, armed with advanced AI technologies, extensive international cooperation, and innovative tactics, seeks to maintain cyber superiority in the region. Yet, as reports indicate, this advantage is fragile, with Iran rapidly expanding its own capabilities. The three scenarios analyzed—AI-driven escalation, expansion to critical infrastructure, and convergence with physical operations—all point to the potential for dangerous intensification in the future. What is clear is that the cyber war between Iran and Israel has entered a new phase, one in which international laws and norms are repeatedly violated and civilian populations bear the greatest burden. The development of Israel’s Cyber Dome and Iran’s likely countermeasures could push the region into a cyber arms race with no foreseeable end. Ultimately, the international community must remain alert to the growing risks of this cyber conflict and work to establish legal and diplomatic frameworks to contain it before its consequences spiral out of control.
