SNAPSHOT: Blast outside Tehran likely caused by Israeli cyberattack


  • A report in the English-language Arab News on Sunday (28 June) quoted a US-based security expert as attributing a large explosion that struck just outside Tehran last week to an Israeli cyberattack.
  • Israeli media has also speculated that the blast was caused by a cyberattack or sabotage.
  • The explosion occurred in the early morning hours of Friday, 26 June at the Khojir military site in the Parchin defence industries area in the Alborz Mountains, some 20km east of downtown Tehran.
  • The facility was used for weapons manufacturing. Many Western analysts believe the site consists of a vast underground tunnel complex for testing and producing artillery rockets and ballistic and cruise missiles. The site has also been linked to Iran's nuclear project.
  • The Iranian Defense Ministry said the blast was caused by an explosion in an industrial gas tank in a civilian area of Parchin. Defense Ministry spokesman Davood Abdi blamed the blast on leaking gas and said there were no casualties.
  • Satellite photos of the site showed hundreds of meters of charred and blackened scrubland and suggest the explosion hit a facility for the Shahid Bakeri Industrial Group, which makes solid-propellant rockets.


  • The incident comes amid an ongoing cyberwar between Iran and Israel, with an uptick in reported cyberattacks occurring in recent months.
  • On 24 April, Iran targeted Israeli water systems with a malware attack that temporarily affected, but caused no substantial damage to, central Israel’s water and sewage facilities in the city of Sharon.
  • Israel responded with a cyberattack on Iran’s busiest hub for maritime trade, the Shahid Rajaei Port near the Strait of Hormuz, on 10 May. The attack reportedly crippled the port and created kilometres-long line-ups of vehicles and vessels stuck in the harbour.
  • On 21 May, thousands of Israeli websites, some belonging to large companies, were defaced to show an anti-Israeli message and to carry malicious code seeking permission to access visitors' webcams. The attackers allegedly exploited a weakness in a WordPress plug-in used by the defaced websites, which were hosted by uPress. The attack was claimed by a group called Hackers_of_Saviour, which emerged on Facebook in April. Though there is no evidence to suggest the attack was orchestrated by Iranian nation-state operators, some reports suggested the hackers were Iranian nationals and noted the presence of Iranian flags and symbols during the attack.
  • As tensions between Iran on one side and Israel and the US on the other continue to grow, the threat of additional cyberattacks will continue. Iran in particular will probably focus on cyberattacks in retaliation for what appears to be an increase in Israel Defense Forces (IDF) attacks on Iranian interests in Syria. Indeed, probable Israeli airstrikes hit Iran-backed militia positions in eastern Syria on 27 and 28 June, killing 15 fighters. Israeli strikes are aimed at keeping pressure on Iran and degrading the capabilities of the Islamic Revolutionary Guard Corps (IRGC) and its proxies, including by targeting convoys carrying weapons and new military technology to Lebanon-based Hezbollah.
  • It is highly likely that Iran or its proxies will retaliate for these latest airstrikes as well as the alleged Israeli cyberattack on 26 June. With Iran’s naval and military capabilities inferior to those of the United States and Israel, the cyber domain is an attractive option where the playing field is considerably more level for Iran’s asymmetric warfare efforts.
  • Iran’s cyber capabilities are considered more rudimentary than those of countries with the most sophisticated capabilities, such as China, Russia, the US, the UK, and Israel. Nonetheless, Tehran is likely to be more successful in waging a cyberattack than a conventional military attack.


  • It is likely that additional cyberattacks involving Iran, Israel and the US will occur in the coming one- to three-month period amid the ongoing geopolitical tensions.
  • Cyberattacks aimed at causing damage to infrastructure are highly probable; thus far, such attacks attributed to Iran have not caused significant or irreversible damage.
  • The 26 June attack that allegedly caused a blast in Tehran highlights the potential for infrastructural damage to occur during such attacks.
  • Other attacks that Iran might pursue include espionage operations to gain a competitive advantage, including insight into different technologies or military capacities. Iran has also been linked to fake news websites that spread misinformation and disinformation about their targets, primarily in the Middle East and Asia, aimed at advancing Tehran’s ideological and geopolitical interests.
  • Companies should regularly review existing cybersecurity measures and assess their threat profile in light of the growing risk. Use active and updated security products and do not allow unconfirmed or suspicious websites access to cameras. For storing data, including website data, use reputable data centres that offer protection against similar incidents.