Occupied Palestine – A Hebrew newspaper reveals details of Iran’s penetration into the heart of Israeli security research

Watan News

On Monday, the Hebrew newspaper “Haaretz” published a lengthy report on the results of an investigation that it described as “dramatic,” revealing details of Iran’s penetration into the heart of Israeli security research. According to Haaretz, the investigation found that Iranian intelligence succeeded for years in penetrating the systems of the Institute for National Security Studies (INSS) and exfiltrating thousands of emails, documents and sensitive details of former senior officials of the security establishment. According to the investigation, Iranian hackers used this information for surveillance and influence operations, including attempts to target Israeli officials.
At the height of the previous war with Iran in June 2025, a ballistic missile fell on the quiet green streets of Ramat Aviv, leaving widespread destruction in the neighborhood. The echo of the explosion reached the offices of the Institute for National Security Studies, where the force of the impact shattered doors and windows. The Institute’s Vice President was quick to inform the Board of Directors that no employees were harmed, but he took the opportunity to raise another aspect of the Iranian threat that directly affected the Institute: the repeated cyber attacks targeting its employees.
These attacks started at least 5 years ago, and there were warning signs all along that something was wrong. In 2022, the head of the institute’s Iran program, Dr. Raz Zimet, reported that Iranian hackers leaked a book he had written a week before it was published. In 2024, the institute received an official notice from Microsoft, warning that the email account of one of its researchers had been hacked by an agent operating from Tehran. These are just two cases among dozens that should have raised suspicions. Leaks published by Iranian intelligence hackers in recent months reveal the full picture.
A few days after the outbreak of the last war, the hacking group known as “Handala” announced that it had penetrated the institute’s internal network and leaked more than 100,000 emails and files. The leak includes, for example, an archive of Zimet’s WhatsApp messages and the private correspondence he conducted on the X platform; this is very recent information, reaching the end of 2025. According to cybersecurity experts, the institute sits in a gray zone: an ostensibly civilian institute whose systems do not have the highest levels of protection, but which holds valuable information for a hostile intelligence service.
An investigation conducted by Haaretz, based on an analysis of the files, reveals that the leaks are only the tip of the iceberg. Years before “Handala” published the stolen materials, Iran used this stolen information as part of a broader intelligence operation, which included the deployment of local agents and attempts to assassinate Israeli figures, including prominent members of the institute. The investigation reveals that the institute has been the focus of Iranian cyber efforts for at least six years, exposing a major flaw in Israeli cyber defenses that leaves researchers and former security personnel without an adequate response.
The leak also revealed valuable information about INSS employees and the links between them and the Israeli security establishment. For example, the leaked materials show that a researcher at the institute regularly participated in a secret forum discussing regime stability in Iran and studying various strategic scenarios. The messages show the location and dates of the forum and the identities of some of its participants, and this information may put everyone involved in physical danger.
Haaretz reported that the correspondence obtained by the Iranians includes places, dates, and identities, noting that retired Colonel Tamer Heyman, the former head of the Intelligence Directorate in the Israeli army, heads the Institute for National Security Studies, having succeeded retired Major General Amos Yadlin, also a former head of the Intelligence Directorate. The institute studies Israeli security policy and, according to its website, aims to “develop and implement strategic action plans that assist decision-makers in planning policies.”
Although it is officially an independent institute that is not affiliated with the defense establishment, its employees are in fact in close contact with security and government institutions, and many of the researchers at the institute are former high-ranking officials in the Mossad and the defense establishment. They still participate in sensitive forums affiliated with the system, and are invited to simulations and war exercises by virtue of their positions at the institute. The Institute also holds an annual international security conference with the participation of senior security and political figures in Israel.
According to cybersecurity experts who spoke to Haaretz, the institute is a body that “falls between two extremes”: an ostensibly civilian institute whose systems do not have the highest levels of protection, but which contain valuable information for a hostile intelligence service.
A former senior security official says: “As far as Iran is concerned, it is not a research body, but just an arm of the intelligence service, the Shin Bet, and the Mossad.”
Iranian attack on the Institute for National Security Studies
2020: Impersonating the Institute’s director of external relations to lure Israeli security researchers
2022: Hacking the email of the Institute’s head, Yadlin, and trying to use it to lure Livni to a fake conference abroad
2022: Zimet: Iranian hackers leaked my book a week before its official publication
2024: Microsoft sends a warning to the Institute for National Security Studies stating that the email account of one of the Institute’s researchers was hacked by an agent working from Tehran
2024: Indictment against two Israelis used by Iranian intelligence to monitor a researcher at the Institute for National Security Studies
A treasure trove of passwords
The “Handala” group has been launching attacks on security targets in Israel for years, presenting itself as a pro-Palestinian hacker group. Last month, the United States confirmed suspicions that it is a cyber unit of the Iranian Ministry of Intelligence and Security. The group is linked to “hack and leak” operations and in recent years has published materials seized from the phones of former Prime Minister Naftali Bennett, the head of the Prime Minister’s Office Tzachi Braverman, and the former head of the Presidential Cabinet Halevy.
In the midst of the war, “Handala” published emails from the accounts of six senior officials at the National Security Institute: Raz Zimet, head of the Iran program; retired Major General Tamer Heyman, head of the institute and former head of the Israeli Military Intelligence Directorate; Sima Shin, a senior researcher and former head of the Mossad Research Department; Laura Gilinsky, deputy director of strategic partnerships; Deborah Oppenheimer, former director of external relations; and Dr. Ilan Steiner, vice president of the institute for finance and operations.
The leak includes details of access to the National Security Institute’s security surveillance cameras, Wi-Fi passwords, and the Zoom program used in the conference room. The digital diaries gave the Iranians the access code to the building where the institute’s offices were located.
Handala described the National Security Institute as “the research arm of the Mossad,” announcing that it had obtained more than 400,000 secret files. In fact, the Haaretz investigation found about 99,000 email files (about 33 gigabytes), and its review and analysis showed that most of them were genuine. Although the files contain mostly administrative material, they contain details that can easily be converted into real intelligence.
The leak includes passwords for the institute, such as passwords for surveillance cameras, the Wi-Fi network, and the Zoom program used in the conference room. An invitation sent to a guest via the institute’s digital notebook also allowed hackers to obtain the building’s access code. The same notebook also reveals the identities of military personnel from units such as 8200, as well as diplomats and senior NATO officials.
The head of the National Cybersecurity Directorate, Yossi Karadi, recently explained the danger of revealing this type of information, noting that the Iranians’ efforts in the digital field serve the physical front of the war. According to him, the Iranians are trying to hack surveillance cameras to increase the accuracy of missile strikes, and are using information collected from cyberattacks to carry out assassination attempts on Israeli figures, including security personnel, academics, and scientists.
Infection chain
The leaked materials document how the Iranians were able to hack into the computers of the Institute for National Security Studies (INSS).
In October 2019, the institute’s IT director warned, during a conversation with researchers and staff, that “the institute is constantly exposed to cyberattacks and attempts to penetrate your email inboxes.” In November 2020, hackers impersonated then-Director of Foreign Relations Deborah Oppenheimer and sent emails to Iranian researchers at other institutes, such as the ALMA Center, which works on the northern border and focuses on Hezbollah. As a lure, the emails used a report stolen from the National Security Institute before it was published, prompting the recipients to open it. In this way, the email accounts of employees inside and outside the institute were hacked.
It was not clear which of the institute’s senior officials had their account hacked first, but by the end of 2021, Iran had already gained access to the email account of the institute’s then-head and former head of the Intelligence Directorate, Amos Yadlin. The hackers also used their access to Yadlin’s email account to send a fake invitation to former Foreign Minister Tzipi Livni to attend a conference abroad. The wording of the message raised her suspicions, so she contacted Yadlin, and the two contacted the information security company Check Point, which examined the email and discovered that it was sent as part of an operation carried out by the Iranians, during which they also seized the email accounts of other senior Israeli officials. The operation was revealed in June 2022, a few weeks after the General Security Agency (Shin Bet) announced that it had thwarted an Iranian plot to lure high-ranking Israeli officials to travel abroad with the aim of kidnapping them.
In December 2024, Zimet and another researcher at the institute, Brigadier General Udi Dekel, received a fake email that claimed to be from the head of a prestigious research institute in the Emirates.
Dekel realized the danger, but the leaked materials show that in the following months the Iranians were able to hack Zimet’s accounts.
In 2025, Iranian hackers impersonated Professor Meir Litvak, a historian of Middle Eastern affairs and head of the Center for Iranian Studies at Tel Aviv University. One of the leaked files is correspondence from a WhatsApp group in which Litvak testifies that a “bad person” sent emails in his name to dozens of researchers. In that group, more than twenty Israeli researchers specializing in Iranian affairs, from INSS and other institutions, shared suspicious requests they had received, and members of the cybersecurity company ClearSky contributed their expertise.
According to the same source, leaked materials show that INSS has contracted over the years with private cyber companies, and even received free assistance from Israeli companies such as Check Point and ClearSky, in addition to the National Cybersecurity Command. According to information at the disposal of Haaretz, no official security official participated in the defense efforts.
A year ago, the cybersecurity company Volexity warned INSS that a government entity had hacked the email account of one of its researchers and was using it to try to deceive victims at research institutes in the United States. “They infiltrate organizations and then send phishing messages directly from the compromised email accounts,” the company warned. In response, the institute’s cybersecurity officer disconnected all devices connected to the researcher’s account.
In September 2025, Steiner, the institute’s executive director of operations, received a warning from Google about suspicious activity in his personal Gmail account. The warning was sent to his work email at the institute and was later leaked with the rest of the materials in the mailbox.
Once the Institute became fully aware of the unprecedented scale of the cyber attacks, it became clear that the cyber threat had turned into a physical threat. On October 31, a statement circulated by the General Security Agency (Shin Bet) arrived in a WhatsApp group for researchers, stating that a man and a woman from the city of Lod were accused of carrying out tasks for Iranian intelligence over a period of three years, including photographing locations such as the Mossad headquarters. What most concerned the group members was the surveillance of an INSS researcher whom Iran was seeking to target. The man was accused of documenting the researcher’s car and home for several days, and the Shin Bet statement said that the handler who activated the two asked them to search for a possible killer.
A few days before the Shin Bet statement, the deputy director of INSS informed employees that one of the institute’s female researchers was under surveillance. His letter and other internal correspondence recently leaked by the Iranians complement the Shin Bet statement and explicitly identify details that the Shin Bet did not disclose.
Influence vs. Influence
The leaked materials reveal multiple branches of the National Security Institute’s activity, including projects and relationships that were supposed to remain secret. The identities of several donors to the institute were also revealed, including an Iranian-American businessman who works against the nuclear program. The materials also show the institute’s involvement in Israeli propaganda efforts, and its agreement to use its research databases to train a pro-Israel chatbot designed specifically for American universities.
Source: Haaretz