Iran's Covert Influence: Recruiting Dissidents to Target Israel
TL;DR
Israel Recruits Iranian Dissidents for Attacks Inside Iran
Operations in the secret war between Iran and Israel have shifted from Mossad field agents to Iranian dissidents and individuals from neighboring countries.
In June, a commando team, led by an Iranian national identified as S.T., targeted an anti-aircraft battery near Tehran. According to Israeli intelligence officials, the recruits' motives varied from seeking revenge against the Iranian regime to financial incentives.
The Mossad planned the attack for over a year. The operation involved approximately 70 commandos attacking anti-aircraft batteries and ballistic missile launchers. The New York Times reported that a previous Mossad operation crippled Hezbollah by detonating explosives in pagers, resulting in casualties.
Details of the Covert Operations
Israeli officials stated that the commando attacks facilitated airstrikes, which allowed the Israeli air force to bomb nuclear facilities and destroy missiles. Additionally, Israeli cyberwarriors reportedly sent a false message to Iranian military leaders, leading to a precision strike on an underground bunker.
In 2018, Israeli-trained operatives broke into a Tehran warehouse, extracting nuclear program documents. Two years later, the Mossad assassinated a top Iranian physicist using AI-enhanced facial recognition and a remote-controlled machine gun, as reported by The New York Times.
The agents involved in these operations were primarily Iranians or third-country citizens, reflecting a strategic shift by the Mossad.
Recruitment and Training
S.T., an Iranian student, was recruited after being arrested and tortured by the Basij militia. He was later contacted by an Israeli spy and agreed to work against Iran in exchange for protection for his family.
He underwent months of training outside Iran by Israeli weapons specialists before returning to participate in the operation.
Origins of the Secret War
The Mossad prioritized Iran in 1993 after the Oslo Accords.
!Israeli Foreign Minister Shimon Peres, center-right — flanked by, from left, Israeli Prime Minister Yitzhak Rabin, Israeli negotiator Joel Singer, President Bill Clinton and Yasser Arafat, chairman of the Palestine Liberation Organization — signs the Oslo Accords in 1993.
Israel views Iran's nuclear ambitions as a threat to its regional nuclear monopoly. Menachem Begin stated that Israel has the right to prevent neighboring countries from developing nuclear weapons.
In the 1990s, Iran began nuclear weapons research with assistance from Pakistani engineer Abdul Qadeer Khan.
Shabtai Shavit, former Mossad director, said that if they had understood Khan's role earlier, they would have taken action to eliminate him. The Mossad discovered a secret enrichment plant near Natanz in 2000, which was later revealed publicly by an Iranian dissident group.
Dagan's Leadership and Covert Operations
In 2001, Ariel Sharon appointed Meir Dagan as director of the Mossad who prioritized stopping Iran’s nuclear program.
Under Dagan, the Mossad carried out covert operations, including assassinations of Iranian nuclear scientists.
The Art of Recruitment
Dagan emphasized recruiting Iranians and others for covert operations within Iran, leveraging the country's ethnic diversity.
Recruits were divided into those gathering intelligence and those willing to carry out violent operations. Mossad officers used gradual erosion, starting with minor requests and escalating to more significant tasks. Trust was crucial in the agent-handler relationship.
Motivations for spying included financial reward, hatred, revenge, and tangible benefits such as medical treatment or higher education. The Mossad uses medical care and educational opportunities as incentives for recruitment.
Candidates undergo psychological evaluations, polygraph tests, and extensive training. Agents receive detailed instructions on their appearance, behavior, and finances to avoid suspicion.
Iran's Cyber Infiltration Tactics
The Handala hacking group, named after a Palestinian refugee child character, is an aggressive arm of Iran’s digital warfare.
Unlike groups seeking financial gain, Handala focuses on reputational and psychological damage. Cyberint and Check Point have noted its evolution from hacktivism to state-sponsored activity.
Targeting Decision-Makers
Handala's recent operations target Israel’s decision-making echelon through a "second-circle attack" strategy.
Instead of directly attacking secure devices, they target personal devices of assistants, advisers, and family members, focusing on backup environments like cloud services and private computers.
Disinformation Campaigns
Handala also engages in disinformation campaigns, fabricating content to generate headlines. An example includes publishing false information about internal disputes within the Shin Bet.
Hod Ben Nun, co-founder of MIND, stated that Handala operates under the Revolutionary Guards as part of a planned influence campaign. The group exploits access to large pools of civilian data, presenting it as an achievement to influence Israeli public consciousness.
Undermining Security
In January 2025, Handala penetrated Maagar-Tec, activating air raid sirens and broadcasting threatening messages in kindergartens to undermine public security.
Other activities include:
- Breaching Israel Police systems, claiming to steal 2.1 terabytes of data.
- Making nuclear threats, claiming to have penetrated servers linked to the Soreq Nuclear Research Center.
- Distributing wiper malware disguised as security updates.
False Flag Operations
Handala's use of the child figure is a message, aligning with false flag operations.
The group adopts the name and logo of a Palestinian symbol to construct a narrative of hacktivism, complicating justification for military response and creating emotional identification across the Arab world. This tactic helps Iran avoid direct attribution for its cyber attacks.
Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, providing solutions to protect against sophisticated threats like those described. Our platform converges networking and security across devices, apps, and environments, utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography.
Explore how Gopher Security can safeguard your organization against advanced cyber threats. Visit Gopher Security to learn more.
