How a string of hacks embarrassed cyber powerhouse Israel
Groups linked to Iran have used relatively simple techniques to leak internal emails and documents, experts say.
TEL AVIV—Israel is known worldwide as a cyber powerhouse. Yet hackers linked to its biggest adversary, Iran, have managed to pull off a series of successful breaches by using known vulnerabilities to attack institutions that aren’t as well-defended as the country’s critical infrastructure.
Israel requires a high standard of cybersecurity for critical infrastructure, such as its electric utility, but not for less important bodies and institutions such as hospitals, which have fallen victim to some of the attacks linked to Iran. Some current and former Israeli cyber officials and experts say Israel could better protect itself if the Knesset, the Israeli parliament, passed a cyber law that would expand the rules beyond critical infrastructure.
The attacks have largely focused on leaking documents through publicly known vulnerabilities that can be exploited by scanning computer networks for weaknesses or by launching classic phishing attacks, analysts said. The simple attacks are repeated in large numbers, which helps increase the chances of success.
Over the past two years, Iranian-linked hacking groups have leaked hundreds of thousands of internal emails and documents from government bodies. Some particularly embarrassing incidents included a data leak from Israel’s National Defense College, in which hackers posted online the passport information of Israeli generals and officials from countries such as the U.S. and India. Other leaks include more than 15 years of internal Ministry of Justice documents and emails, and gun-license applications from Israel’s Ministry of National Security, including applicants’ military records.
Such attacks have been embarrassing to some in a country known for cutting-edge cyberwarfare, including Stuxnet, a high-profile sabotage project developed by Israel and the U.S. that infiltrated an Iranian nuclear enrichment facility in 2010. Israel and the U.S. haven’t publicly commented on their roles in the attack.
Israeli companies also export cyber weapons such as NSO’s Pegasus, which allows clients to take control over smartphones remotely to spy on targets. The military’s vaunted 8200 unit is also known for its cyber capabilities.
In June, during the war between Israel and Iran, Tehran’s largest cryptocurrency exchange was hacked and drained of more than $90 million, with a pro-Israel hacking group claiming responsibility. Israeli founders have built cybersecurity companies such as Checkpoint and Wiz, which Google recently acquired for $32 billion; such successes help bolster Israel’s international reputation as a cyber power.
The recent attacks that struck Israel are known in the cybersecurity industry as “hack and leak,” in which a bad actor breaches a target’s system, steals data and releases it online to cause reputational damage.
“For the most part, they are exploiting known vulnerabilities,” said Ari Ben Am, an adjunct fellow at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a Washington think tank. “The Iranians don’t have the ability to uncover totally new vulnerabilities, or zero day vulnerabilities at scale,” he said, referring to previously unknown security flaws in software, hardware or firmware.
Last week, the Iranian-linked group Handala leaked sensitive personal data belonging to former Israeli Prime Minister Naftali Bennett, including his contact list and Telegram messages. Ben Am said the hack of Bennett’s phone probably wasn’t overly sophisticated. The hackers likely executed a “SIM swap,” tricking a mobile provider into transferring a phone number to a SIM card the hackers control. A spokesperson for Bennett didn’t respond to a request for comment.
Israel has legislation that requires cybersecurity measures aimed at protecting infrastructure deemed critical to state security, but hasn’t passed a comprehensive cyber law that would require other important bodies to adopt cyber protections and clearly define who is responsible for oversight. Such a law could have helped prevent Iranian-linked attacks against targets including Israeli hospitals, current and former Israeli officials and cyber experts said.
“There is a gap between the technological abilities of Israel as a cyber nation and the regulatory framework that is supposed to protect Israel’s civil arena from cyberattacks,” said Tehilla Shwartz Altshuler, a senior fellow who specializes in technology law and policy at the Israel Democracy Institute, a Jerusalem-based think tank.
Israel designates dozens of bodies as critical infrastructure, and they are relatively well protected. However, organizations such as hospitals aren’t legally required to adopt cyber protections, and under current law there is no way to punish them if they fail to do so.
Several Israeli hospitals saw their data leaked online during the war in Gaza, including the Ziv Medical Center in northern Israel, which treated soldiers. Analysts said that personal data leaked in attacks during the war has been used to put personally identifiable information about Israelis online.
In an attack with more military value, Iranian hackers infiltrated CCTV cameras in June during the war between Israel and Iran, providing them with real-time visual intelligence on targets, according to a recent report by Amazon Threat Intelligence, a unit of Amazon that releases reports on cyber threats. Analysts said Iranian-linked groups likely took advantage of previously known vulnerabilities to carry out such attacks. The head of Israel’s National Cyber Directorate said this month that Iran infiltrated security cameras to document the impact of a missile strike against a leading Israeli scientific research center.
Iran is an actor in global cyberwarfare, and the country has been investing in improving its technological capabilities and quality of its personnel with specialized training, Ben Am said. Iranian-linked groups span almost the entire spectrum of cyber activity, relying on internet scanning to find vulnerable targets and developing custom malware, he said.
Israel has been targeted by many countries in the cyber realm since the start of the war in Gaza, said Adam Meyers, head of counter adversary operations at CrowdStrike, a cybersecurity company. “Given the sheer volume it’s hard to be right 100% of the time,” he said.
Write to Anat Peled at anat.peled@wsj.com
