The Islamic Republic has accelerated its intelligence operations in Israel, with at least five spy rings uncovered by Israel in October alone. Between October 14 and 31, authorities arrested some 20 individuals who were operating on behalf of Iran in different raids.
Led by the Islamic Revolutionary Guard Corps (IRGC) and Iran’s Ministry of Intelligence (MOI), Tehran’s multifaceted espionage strategy in Israel employs cyberwarfare and direct human intelligence engagement. Iran preys on Jewish migrants facing financial struggles, as well as Palestinians and Israeli Arabs motivated by ideology, with the goal of collecting intelligence and carrying out assassinations.
Using cyberspace for recruitment and intelligence collection
According to Israel’s internal security agency, the Shin Bet, Iranian intelligence services were behind online job postings that offered high salaries in exchange for carrying out operations at Tehran’s behest. The tasks included intelligence-collection missions, such as photographing various sites and verifying addresses, and even assassinating Israeli officials. In some cases, Iran has successfully recruited operatives it contacted via social media. In September, authorities arrested an Israeli man who had covertly traveled to Iran to presumably receive training and funds to carry out attacks inside Israel.
The Shin Bet has highlighted Iran’s adept use of social media platforms for phishing and intelligence gathering, often without victims realizing they are engaging with operatives acting on Iran’s behalf. Iran’s intelligence units have contacted Israelis on various platforms, including X, LinkedIn, Telegram, WhatsApp, Facebook, and Instagram, under false pretexts with the goal of collecting information on individuals and sensitive military sites. The operatives often pose as people requesting photoshoots or individuals seeking a private investigator to obtain information on Israeli officials. In other incidents, Iran’s phishing campaigns posted surveys asking Israelis to enter their personal information.
Operative recruitment criteria: financial incentives and ideology
In the realm of operative recruitment, the patterns reflect Tehran’s strategic approach. Iran’s recruitment efforts primarily target two key demographics: individuals facing financial hardship and those motivated by ideological convictions.
Israeli authorities foiled an Iran-led operation on October 31, in which an Israeli couple were surveilling sensitive security sites, including Mossad headquarters. The joint statement released by the Shin Bet and Israel’s police said that the couple were recruited by an Iranian intelligence network that specifically focuses on Jewish immigrants to Israel from the “Caucasus region,” as they were initially approached by an Israeli national with Azerbaijani origins. The indictment added that the suspects allegedly received $600 per day for gathering information on potential targets. In a similar incident a week prior, authorities arrested seven Jewish Israelis of Azerbaijani background on charges of spying for Iran in exchange for funds.
Tehran’s outreach extends beyond Jewish Israelis; on October 22, a seven-member spy ring comprised of Arab residents from East Jerusalem was uncovered. Authorities revealed that the group plotted to assassinate an Israeli nuclear scientist and the mayor of a major city. Iran’s longstanding history of exploiting the Palestinian cause to advance its agenda is well-documented, and espionage is a notable facet of this strategy.
The thorough and organized instructions Iranian handlers issued to operatives outline the regime’s efforts to establish a conventional intelligence network. For instance, the East Jerusalem team operated as a well-structured cell, with a defined role for each member. Additionally, Iran did not demand assassinations as initial operations, instead seeking to gradually build the network by assigning tasks like surveillance and vandalism. Thereafter, the tasks would escalate to acts of sabotage, arson, and, eventually, targeted assassination plots.
Iranian intelligence organizations collaborate on external operations
The intricate structure of the Islamic Republic’s regime consists of numerous institutions with overlapping responsibilities. At the forefront of the regime’s intelligence and security apparatus are two principal entities: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence (MOI). This dynamic creates a landscape where both organizations compete for dominance while collaborating to further Tehran’s operations abroad.
For instance, The Washington Post reported in September that the IRGC and MOI jointly cultivated connections to criminal networks in Europe that plotted assassinations against Israelis across the continent.
While the Quds Force Division (IRGC-QF) is the IRGC’s external wing that operates around the world, the IRGC Intelligence Organization is tasked with collection and analysis and the Cyber Electronic Command of the Guards (IRGC-CEC) oversees the cyber component of various missions. In August, Google’s Threat Analysis Group identified APT42 as an IRGC-backed hacking group that “consistently targets high-profile users in Israel.”
Meanwhile, a phishing campaign that targeted Israelis in early August was linked to “Muddywater,” a group affiliated with the MOI. Sanctioned by the US in 2022, Muddywater has increased its phishing attacks against targets in Israel since last year.
These cyber operations by IRGC-CEC and Muddywater, alongside IRGC-QF’s activities in Azerbaijan and the collaborative missions of the IRGC and MOI, underscore the extent of cooperation within the regime’s intelligence apparatus concerning Israel. For Tehran to successfully execute an intelligence mission in Israel, at least three IRGC Divisions and two MOI units must be in harmony.
