Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

3-Year Iranian Influence Op Preys on Divides in Israeli Society

Iran follows in Russia's disinformation footsteps but with a different, more economical, and potentially higher-impact model.

Flags of Iran and Israel
Source: Ruma Aktar via Alamy Stock Photo

A yearslong influence operation by Iran has been stoking the flames of social, cultural, and political unrest in Israel.

The scheme has had three distinct phases. The first, which began three years ago, pitted Israel's ultra-Orthodox and LGBTQ+ communities against one another. The next focused on embittered political discourse between the left and right. The third campaign, still ongoing, is focused on Israel's war with Hamas.

In its new report, Recorded Future's Insikt Group determined — based on behavioral and contextual evidence and overlaps with prior reporting from Microsoft, Israel's Shin Bet internal security service, and the newspaper Haaretz — that the operation is perpetrated by a likely Iranian state-backed advanced persistent threat (APT) it calls "Emerald Divide" (aka Storm-1364).

Three Years of Iranian Influence Ops in Israel

Like Russia and China, Iran seeks to capitalize on existing divides to foment unrest in its enemy nation.

Emerald Divide's efforts began in 2021, using generative AI and social media to impersonate rabbis. For example, the group created a YouTube channel on behalf of the well-known Rabbi Shlomo Amar, mixing real videos of the man with faked speeches about homosexuality and women over still imagery. Emerald Divide then used accounts purporting to align with the LGBT+ movement to post fake criticisms of the fake rabbi comments it itself generated. This counterfeit echo chamber purportedly inspired one individual to display an Emerald Divide poster in Tel Aviv's busy Rabin Square.

View post on X

Emerald Divide sensed an opportunity in 2023 when Israelis took to the streets by the hundreds of thousands to protest backslides for the judicial system. It shifted to focus on the political left versus right, with a campaign similar to the first —social media accounts to support both sides — save for a few additions. Notably, this operation harvested protestors' personally identifying information (PII) by directing them to fill out a Google form. "Protests are expanding and continue to grow and we need new partners! Want to cooperate for a better future of the country? Please fill out the form," the form read.

Emerald Divide's most recent, ongoing campaign, like so many other influence operations since Oct. 7, focuses on Israel's war with Hamas. It has repurposed some of the same Telegram accounts used for the first two operations, this time to sow distrust in and anger towards the government.

Iran vs. Russia: Quality vs. Quantity

Unlike Russia's armies of uncountable social media bots, Emerald Divide currently maintains what's called a coordinated inauthentic behavior (CIB) network of just more than 250 online accounts, including seven primary Telegram accounts. This isn't because of some major takedown: In its history, it has used only 16 such primary accounts.

"When it comes to overall size and scale of the operation, we wouldn't consider it small by any means," says Sean Minor, team lead for influence operations research in Insikt Group. "But it's certainly not a massive campaign like we've seen from other nation-states."

In some ways, this more focused approach has proved fruitful. One of Emerald Divide's ongoing accounts, "Tears of War," enjoys an audience of around 2,000 subscribers. And, Minor says, the fact that a follower posted one of its posters in a public square signals that this group is achieving more than most. "It's a little bit different from other campaigns we've seen, which are a bit more ephemeral — we can't really tie them to physical action by the target audience. This one seems a little different," he says.

Whether by quantity or quality, these influence operations may only grow stronger as governments and organizations struggle with real, practical steps to stop them.

"It starts with awareness and then from awareness. Governments can engage private companies to discuss what they're seeing and increase their collaboration," Minor says. "Hopefully, this broadens the aperture and provides more organizations the ability to track whether or not this network will change over time, which we assess that it will, as it has in the past."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights