TelcoNews US - Telecommunications news for ICT decision-makers
Iran-linked hackers target Israel emergency alert systems

Thu, 25th Jun 2026
Mark Tarre, News Chief

Claroty has published research on Iran-linked attacks targeting emergency warning and public address systems in Israel, focusing on activity claimed by the CyberAv3ngers group.

The group claimed to have silenced emergency sirens during a missile attack in what Claroty described as an attempt to undermine public trust in government protection systems. The report says the incidents mark a shift toward cyber operations aimed not only at disrupting connected infrastructure, but also at weakening civilian morale.

According to the report, the attackers said they had gained unauthorised access to legacy broadcast equipment used for emergency alerts and public announcements. Claroty linked the activity to Iran-affiliated actors associated with the Islamic Revolutionary Guard Corps and the Ministry of Intelligence of the Islamic Republic of Iran.

The episode highlights the risks posed by older technology still used in critical infrastructure. Claroty identified legacy Barix devices as a point of concern, arguing that such systems can remain vulnerable for long periods because updates often require manual installation.

Psychological focus

Claroty's assessment centres on the idea that the practical technical impact of these intrusions may be smaller than their perceived social effect. By targeting warning systems civilians rely on during attacks, threat actors can create confusion and erode confidence in official communications without carrying out a more destructive cyberattack.

The report says the attackers sought to project a level of domestic reach greater than the complexity of the underlying intrusion. In this way, insecure public-facing devices become tools for psychological pressure during a wider military conflict.

The findings come amid broader concern among security agencies and infrastructure operators about cyber campaigns against essential services. Critical sectors including energy, communications and healthcare have faced repeated warnings about attacks that combine espionage, disruption and influence tactics.

Earlier this year, Iranian hackers claimed responsibility for a cyberattack on medtech company Stryker, an incident that put hospitals in Australia on alert. The latest research places emergency communications technology within the same broader discussion about national resilience and risks to civilian-facing systems.

Legacy exposure

Claroty said insecurely connected operational technology and internet of things devices remain easy to find online. Low-skilled groups can enumerate exposed assets and gain access through weak or default credentials, while older industrial and broadcast protocols often lack authentication and other basic protections.

That combination can leave organisations with large numbers of reachable devices, especially where visibility across operational environments is limited. In warning and announcement systems, the concern is not only service interruption but also the manipulation of messages used in emergencies.

The report says the vulnerable Barix technology has been updated by the vendor, but warns that many devices may still be running older firmware. Because patching in cyber-physical environments is often manual, operators can struggle to apply fixes consistently across dispersed infrastructure.

Wider campaign

CyberAv3ngers has featured in previous investigations into attacks on operational technology and connected devices. Claroty said the group has played a prominent role in Iran's offensive cyber activity and has focused on systems used in civilian infrastructure.

Claroty also pointed to the group's custom malware framework, IOCONTROL, which it said has been used against Linux-based supervisory control and operational technology devices. The malware's modular design allows it to run across equipment from different vendors.

Devices previously targeted by the group include routers, programmable logic controllers, human-machine interfaces, firewalls and other Linux-based platforms. Claroty also linked CyberAv3ngers to attacks on Unitronics integrated PLC and HMI devices in the United States and Israel, where screens were defaced with threats of further action.

Those incidents showed that attackers could gain access to industrial control devices, creating the potential for more disruptive follow-on activity. In the latest case, Claroty said the use of emergency warning systems shows how connected legacy devices can be drawn into both the physical and psychological dimensions of conflict.

The report says the online reachability of legacy technology presents a major problem for critical infrastructure operators, particularly when internet-facing assets are poorly secured and visible to both low-skilled and advanced attackers.