
Nation-state cyber warfare has evolved beyond simple data theft into a complex threat that can paralyze critical infrastructure. For over a decade, Israel and Iran have engaged in a series of cyber confrontations, turning cyberspace into a battlefield as intense as any physical conflict. Notable incidents—such as Stuxnet, which disabled Iran’s nuclear facilities, and cyberattacks targeting Israel’s water infrastructure—represent only a fraction of this ongoing digital confrontation.
In this post, we leverage Criminal IP’s threat intelligence data to analyze the cyberattack surface of both nations. We uncover the external exposure status of national systems across industrial, educational, and public digital infrastructures—including misconfigured servers and unsecured assets—and provide practical methods to respond to emerging cyber threats.
Israel and Iran: Cyberattack Surfaces of the Middle East’s Leading Cyber Powers
Israel and Iran stand as two of the most prominent cyber nations in the Middle East, both as aggressors and as victims. Since the 2010 Stuxnet attack, both nations have intensified cyber operations aimed at strategic infrastructure. The common focuses include externally exposed infrastructures, such as military and government networks, SCADA/ICS systems, and public institutions with poor security practices. Many of these systems lack authentication or use expired certificates, making them vulnerable to attack. Exposed RDP, webmail, and VPN services offer multiple attack vectors, enabling automated and targeted intrusions at scale.
SCADA/ICS Detection Query
Criminal IP Search Query: tag: "SCADA" country: IL OR country: IR

Criminal IP identified 16 exposed SCADA/ICS systems across Israel and Iran. Some scored “Critical” on the Inbound Risk Score due to open ports and vulnerabilities. One Confluence instance appears to be connected to a SCADA/ICS system, showing 233 CVEs—including many with publicly available attack proof-of-concepts (PoCs) on GitHub—making it a high-value target for cyberattacks.
Educational Infrastructure Detection Query
Criminal IP Search Query: ".ac." country: IL OR country: IR NOT @

Criminal IP detected 2,605 exposed assets in Iran and 653 in Israel associated with educational infrastructures. While most appeared low-risk and safe for external exposure, several systems exhibited critical security flaws. The example below shows infrastructure from a major Israeli university, where 14 vulnerabilities were detected, including 3 with publicly available PoCs, placing the system in a vulnerable state.

Wi-Fi System Detection Query
Criminal IP Search Query: tag: "Wifi" country: IL OR country: IR

Externally exposed Wi-Fi devices serve not only as wireless communication hubs but also as entry points into internal networks. For instance, they can be exploited through various attack vectors such as configuration changes via the administrator web UI, firmware manipulation, or backdoor installation. In particular, devices without encryption settings are highly vulnerable to packet sniffing and traffic redirection. The screenshot below shows the Criminal IP Asset Search view of one such IP address: it displays the login page of a Linksys Wi-Fi device. Since default passwords are often left unchanged, the external exposure of such login pages can become a direct access point to the Wi-Fi network.

Externally exposed infrastructure controlling critical systems in industrial, educational, and public sectors can pose serious national security risks. Wi-Fi systems in public institutions are often exploited for cyber reconnaissance and initial access, requiring strict security policies and access controls to prevent data leaks and session hijacking.
Digital Battlefield Analysis Using Criminal IP: CTI-Based Cyber Attack Surface Detection
Having examined the exposure status of key institutions and public infrastructure, we next explore externally exposed assets along common attack vectors. Using the “SSL VPN” tag in Criminal IP, we can identify remotely accessible VPN infrastructure, which often serves as a primary entry point for threat actors.
SSL VPN Infrastructure Detection Query
Criminal IP Search Query: tag: "SSL VPN" country: IL OR country: IR
Criminal IP identified 5,753 exposed SSL VPN assets in Israel and 188 in Iran. Notably, Israeli infrastructure shows a reliance on Check Point VPN solutions.

A closer look at vulnerable assets revealed that many SSL VPN systems remained unpatched against recent OpenSSH vulnerabilities, with some still operating under CVEs dating back to 2016. Given that SSL VPNs can provide direct access to internal networks with only single-factor authentication, a single vulnerability can result in widespread compromise.

Admin Server Detection Query
Criminal IP Search Query: tag: "Admin" country: IL OR country: IR
Criminal IP identified 11,832 web-accessible admin panels across both nations. These portals provide high-privilege access to databases, system configurations, and user management. Many of these were also tagged with PBX (telephony systems) and network switches, some of which had open ports and unpatched vulnerabilities, making them prime targets for brute-force and exploit-based attacks.

In particular, these servers often have open ports and known vulnerabilities, making them highly susceptible to initial exploitation by threat actors.
Expired Certificate Detection Query
Criminal IP Search Query: ssl_expired: true country: IL OR country: IR
Using the “ssl_expired: true” filter, Criminal IP identified over 119,000 expired SSL certificates in Iran and more than 50,000 in Israel. Expired SSL certificates can disrupt HTTPS connections, break the trust chain, and compromise secure file transfers and email communications. These conditions also increase the risk of man-in-the-middle (MITM) attacks, credential theft, and session hijacking.
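The expired-certificate finding above is one an organisation can reproduce for its own hosts without a CTI platform. The script below is an added example written for this post, not Criminal IP's code: it classifies certificates as expired, expiring within a warning window, or valid, using only the Python standard library. The hostnames and dates in SAMPLE_CERTS are constructed, in the dict shape that ssl.SSLSocket.getpeercert() returns after a verified handshake; fetch_status() is the live variant for your own hosts and is not exercised by the sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample records, shaped like the dict ssl.SSLSocket.getpeercert()
# returns after a verified handshake. Hostnames and dates are invented.
SAMPLE_CERTS = {
    "portal.example.test": {
        "subject": ((("commonName", "portal.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2016 GMT",
        "notAfter": "Jan  1 00:00:00 2017 GMT",   # long expired
    },
    "vpn.example.test": {
        "subject": ((("commonName", "vpn.example.test"),),),
        "notBefore": "Jun 20 00:00:00 2024 GMT",
        "notAfter": "Jun 20 00:00:00 2025 GMT",   # inside the 30-day warning window
    },
    "mail.example.test": {
        "subject": ((("commonName", "mail.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2025 GMT",
        "notAfter": "Jan  1 00:00:00 2027 GMT",   # healthy
    },
}

# Fixed reference time so the sample audit is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Signed days until the certificate's notAfter; negative means already expired."""
    now = now or datetime.now(timezone.utc)
    # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" notation as UTC.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(cert, now=None, warn_days=30):
    """Map a certificate to 'expired', 'expiring' (renew soon) or 'valid'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "valid"


def audit(certs, now=None, warn_days=30):
    """Return {host: status} for a mapping of host -> getpeercert()-style dict."""
    return {host: classify(cert, now, warn_days) for host, cert in certs.items()}


def fetch_status(host, port=443, timeout=5.0):
    """Live check of one of your own hosts (not exercised by the sample data).

    Verification stays enabled on purpose: with verification disabled,
    getpeercert() returns an empty dict, so an expired or untrusted chain is
    instead reported through the verifier's failure message.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "handshake_ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed", exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for host, status in audit(SAMPLE_CERTS, NOW).items():
        print(f"{host:24} {status:9} ({days_until_expiry(SAMPLE_CERTS[host], NOW):+.0f} days)")
```

Run against a list of your own externally facing hosts, an "expiring" result is the one that prevents the HTTPS outages and trust-chain breaks described above, since it surfaces the certificate before it lapses; a "verify_failed" result from fetch_status() is the condition the ssl_expired filter would already flag.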

FAQ
Q1. How do cyber threats between Israel and Iran typically manifest?
Both nations have numerous publicly exposed digital assets—ranging from SCADA systems to admin interfaces, SSL VPNs, and Wi-Fi networks—many of which are vulnerable due to CVEs, default credentials, or expired certificates. Unpatched SCADA and VPN systems with publicly available PoCs enable attackers to gain initial access and move laterally within the network. Criminal IP’s threat intelligence confirms that these exposed assets present real-world attack paths, making continuous monitoring and timely remediation essential for protecting national infrastructure.
Q2. How can nations strengthen the security of their critical infrastructure?
To prevent critical outcomes, a comprehensive and proactive approach is necessary. Key recommendations include:
- Regular asset scanning and exposure monitoring using CTI-based detection solutions like Criminal IP.
- Network segmentation and redundancy, particularly in SCADA and other critical infrastructure environments.
- Enforcement of strong authentication controls, including Multi-Factor Authentication (MFA) on RDP, VPNs, and email systems.
- Stricter supply chain security policies by requiring the same cybersecurity standards for research institutions and subcontractors.
- Implementation of ASM-based continuous monitoring to detect and manage external exposures, especially for sensitive assets used in defense and strategic research.
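The recommendations above only pay off if an exposure inventory is turned into an ordered remediation list. The script below is an added example for this post, not Criminal IP's scoring logic or code: it takes asset records loosely shaped after the fields the post cites (tags, open ports, CVE and PoC counts, expired certificates) and ranks them in the order the post's own findings suggest: control systems with public PoCs first, then single-factor VPNs, admin panels with management ports open, and Wi-Fi devices on default credentials. The records in ASSETS, the weights in TAG_WEIGHT and the MANAGEMENT_PORTS list are all constructed for illustration.

```python
# Constructed inventory records, loosely shaped after the fields the post cites
# (tags, open ports, CVE and PoC counts, ssl_expired). IPs are documentation
# addresses and every value is invented for illustration.
ASSETS = [
    {"ip": "198.51.100.10", "tags": ["SCADA"], "open_ports": [80, 502, 8090],
     "cve_count": 233, "poc_count": 40, "ssl_expired": False},
    {"ip": "198.51.100.20", "tags": ["SSL VPN"], "open_ports": [443],
     "cve_count": 4, "poc_count": 0, "ssl_expired": True, "mfa": False},
    {"ip": "198.51.100.30", "tags": ["Admin", "PBX"], "open_ports": [80, 22, 5060],
     "cve_count": 2, "poc_count": 0, "ssl_expired": False},
    {"ip": "198.51.100.40", "tags": ["Wifi"], "open_ports": [80],
     "cve_count": 0, "poc_count": 0, "default_creds": True},
    {"ip": "198.51.100.50", "tags": [], "open_ports": [443],
     "cve_count": 0, "poc_count": 0, "ssl_expired": True},
]

# Editorial weights for this example, ordered the way the post ranks its findings:
# control systems first, then VPNs, admin panels, Wi-Fi. Not a vendor's scoring.
TAG_WEIGHT = {"SCADA": 40, "ICS": 40, "SSL VPN": 30, "Admin": 25, "Wifi": 15}
# Illustrative list of management/protocol ports that should not face the internet unfiltered.
MANAGEMENT_PORTS = {22, 23, 502, 3389, 5060, 5900}

TIERS = [(70, "critical"), (40, "high"), (20, "medium"), (0, "low")]


def score_asset(asset):
    """Return (score 0-100, list of findings, each naming the remediation it implies)."""
    tags = asset.get("tags", [])
    findings = []
    # Untagged assets, or ones whose tags carry no weight, start at a small baseline.
    score = max((TAG_WEIGHT.get(t, 0) for t in tags), default=0) or 5
    if asset.get("poc_count", 0) > 0:
        score += 30
        findings.append(f"{asset['poc_count']} CVE(s) with public PoC: patch or isolate first")
    elif asset.get("cve_count", 0) > 0:
        score += 10
        findings.append(f"{asset['cve_count']} known CVE(s): schedule patching")
    if asset.get("ssl_expired"):
        score += 10
        findings.append("expired TLS certificate: renew and automate rotation")
    if "SSL VPN" in tags and asset.get("mfa") is False:
        score += 15
        findings.append("single-factor VPN: enforce MFA")
    if asset.get("default_creds"):
        score += 20
        findings.append("default credentials on management UI: change and restrict access")
    exposed = sorted(p for p in asset.get("open_ports", []) if p in MANAGEMENT_PORTS)
    if exposed:
        score += 10
        findings.append(f"management ports open to the internet {exposed}: filter or VPN-only")
    return min(score, 100), findings


def tier_for(score):
    """Map a numeric score to the first tier whose threshold it meets."""
    return next(name for threshold, name in TIERS if score >= threshold)


def triage(assets):
    """Rank assets for remediation, highest risk first."""
    ranked = []
    for asset in assets:
        score, findings = score_asset(asset)
        ranked.append({"ip": asset["ip"], "score": score, "tier": tier_for(score),
                       "findings": findings})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in triage(ASSETS):
        print(f"{row['ip']:16} {row['tier']:8} {row['score']:3}  " + "; ".join(row["findings"]))
```

The point of the design is that each finding carries its own fix, so the ranked output doubles as the patching, MFA and network-filtering work list; re-running it on every inventory export is the continuous-monitoring loop the last recommendation describes.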
Conclusion
The cyber conflict between Israel and Iran has evolved beyond a simple offense-defense dynamic into a full-scale digital war targeting national infrastructure across all sectors. This is not an isolated issue—it underscores the urgent need for all nations to reassess and reinforce their cybersecurity foundations. Critical infrastructure requires regular security checks, minimized external exposure, and physical network isolation where needed. High-risk assets—like SCADA systems, VPNs, and admin servers—must be patched and secured with strong authentication. Even basic controls—such as valid SSL certificates, encryption, and access restrictions—can effectively block early-stage cyberattacks.
In today’s complex threat landscape, proactive defense requires automated asset monitoring and threat detection through CTI and ASM platforms like Criminal IP. An effective future response requires timeline-based attack tracking, supply chain vulnerability management, and global CTI sharing.
In relation to this, you can refer to Malicious IP Identification in Hacking Attacks: Criminal IP’s Advanced Infrastructure Detection Technology.
Source: Criminal IP (https://www.criminalip.io/)