Fresh hack attacks are part of Iran’s long-range cyberthreat

It wasn’t the first time hackers operating under Iran’s intelligence ministry announced they had breached the cellphone of a prominent public figure in Israel. Sunday, it was Tzachi Braverman, Prime Minister Benjamin Netanyahu’s chief of staff. A couple of weeks ago, it was former Prime Minister Naftali Bennett.
The attackers published, among other things, correspondence and images allegedly obtained from the devices, though the extent of the access they achieved remains unclear. In Bennett’s case, they released his list of WhatsApp contacts. The Braverman leak is still ongoing under the shadow of threats to publicize more – and more damning – material.
These intrusions, publicized on the X platform through the “Handala” persona, are part of a broader Iranian apparatus that conducts strategic efforts against Israel through covert influence operations.
For years, Iran has waged a campaign against its adversaries – most notably Israel and the United States – designed not to defeat them militarily, but to weaken them from within. Those campaigns aim to shape perceptions, amplify social divisions, undermine trust in institutions, and embed Iranian narratives into domestic debates in target countries. It is a slow, methodical effort, better understood as a long-term strategy than as a series of isolated operations.
At the heart of this approach lies a clear doctrine. Iran’s leadership, and especially Supreme Leader Ali Khamenei, views soft power as a strategic pillar. Ideas, narratives, and psychological resilience are considered no less important than missiles or drones. This worldview has translated into sustained investment in cyber capabilities, online influence, and covert psychological operations. While no single Iranian campaign has yet been shown to decisively alter political outcomes on a large scale, the consistency and expansion of these efforts suggest patience, learning, and an expectation of cumulative effects.
Tehran works hard to maintain deniability, operating below the threshold of clear attribution using two main models. In the first, influence campaigns are entirely covert: fake grassroots movements, local-language accounts, and protest-style messaging that blend into existing public discourse. The effectiveness of these accounts depends on hiding their links to the regime; exposure typically neutralizes them. In the second model, hostile activity – usually cyberattacks – is obvious, but responsibility cannot be conclusively pinned on Iran. This ambiguity complicates retaliation and limits diplomatic consequences.
Targeting enemies, abroad and at home
Several state institutions are involved in running this apparatus. The Islamic Revolutionary Guard Corps and Iran’s Ministry of Intelligence operate offensive cyber units, bot networks, and fabricated online personas, often with the help of private contractors. The Ministry of Foreign Affairs complements these efforts through indirect influence: cultivating undeclared ties with foreign researchers, journalists, and intellectuals who can circulate Iranian-aligned narratives within Western policy and academic circles while maintaining an appearance of independence.
Iran’s covert influence activity serves four core strategic objectives. The first is destabilization of adversary societies. Iran seeks to identify existing social, political, or ethnic tensions and intensify them. In Israel, campaigns have exploited debates over judicial reform, civil-religious relations, and wartime leadership. In the West, Iran has promoted separatist narratives in the UK and attempted to interfere in US politics through hacking and information operations.
The second objective is regime preservation at home. During periods of direct confrontation with Israel, Iranian influence efforts have focused heavily on domestic audiences. Bot networks promote messages of unity, resilience, and loyalty to the Supreme Leader, while reinforcing the legitimacy of repression against internal dissent. In this sense, the influence apparatus doubles as a tool of internal social control.
Third, Iran consistently advances an anti-Israel agenda, framed internationally as pro-Palestinian advocacy. Since October 7, Tehran has intensified portrayals of Israel as aggressive, criminal, or genocidal, while spreading conspiracy theories depicting Israel as manipulating US policy and Western governments. Cyberattacks against countries cooperating with Israel function both as punishment and as messaging.
The fourth objective is targeting the Iranian opposition abroad. Cyber operations against exile media outlets and dissident networks aim to intimidate critics, disrupt their activity, and weaken their credibility in Western societies.
To pursue these goals, Iran employs a sophisticated and varied toolkit. Bot networks are used to amplify narratives, manufacture artificial consensus, and inflame polarization. Advances in artificial intelligence have significantly enhanced these capabilities, allowing the mass production of culturally and linguistically convincing content that is harder to detect.
More complex operations involve impersonation of real organizations or the creation of fictitious civil groups with “deep identities.” These entities generate original content over time, build followings, and embed themselves within local discourse. In some cases, Iran has even recruited local agents to provide real-world reinforcement to digital campaigns.
In the cyber realm, Iran frequently masks state operations behind so-called “hacktivist” groups – fabricated personas such as BlackShadow, Handala, Darkbit, and Moses Staff. These groups publicly claim responsibility for attacks ranging from data theft and leaks to attempts to disrupt hospitals, water systems, and other infrastructure, while embedding ideological messaging to obscure their state sponsorship.
The wars that followed October 7, and Operation Rising Lion in June 2025, served as a stress test for this apparatus. Cyberattacks and influence activity surged, and consumption of Iranian propaganda rose notably in Western countries. Yet the concrete damage remained limited, largely due to rapid detection and growing public awareness. During Operation Rising Lion, Iran’s primary focus shifted inward: consolidating regime stability and controlling domestic narratives, while external influence efforts played a secondary role and focused mainly on demoralizing Israel and on attempts to prevent an American strike against Iran.
The broader implication is clear. Iran’s covert influence apparatus is not defined by spectacular successes or failures, but by continuity, adaptation, and learning. Going forward, artificial intelligence is likely to accelerate its effectiveness, particularly in impersonation and content production. For Israel and other democracies, the influence domain is becoming a central arena of confrontation, one in which threats evolve quietly, exploit moments of crisis, and demand constant vigilance rather than episodic responses.
–
For my full analysis of Iran’s cyberattack strategy, see “Iran’s Covert Influence Apparatus: Objectives, Capabilities, Operational Patterns, and Strategic Implications,” published by The Jerusalem Institute for Strategy and Security.
