Ex-IDF cyber chief on Iran, Scattered Spider, and why social engineering worries him more than 0-day

#### [Cyber-crime](/security/cyber_crime/)

Keep It Simple, Stupid

[Jessica Lyons](/Author/Jessica-Lyons) Sat 19 Jul 2025 // 08:02 UTC

**Interview** Scattered Spider and Iranian government-backed cyber units have more in common than a recent uptick in hacking activity, according to Ariel Parnes, a former colonel in the Israeli Defense Forces' cyber unit 8200.

Both the financially motivated crew and Tehran's APT groups excel at social engineering attacks, and are proof positive that cybercriminals don't necessarily need to use zero-days to inflict damage.

'One of the famous cases in Israel was with an insurance company,' Parnes, co-founder and COO at cloud threat detection and response firm Mitiga, told *The Register*.

He's referring to an [Iranian hack-and-leak operation](https://www.nytimes.com/2021/11/27/world/middleeast/iran-israel-cyber-hack.html) in late 2020 against Israeli insurance company Shirbit, which insured employees of Israel's Defense Ministry — although it's worth noting that Scattered Spider also had a more recent run of [digital intrusions into American insurance firms](https://www.theregister.com/2025/06/20/aflac_scattered_spider/).

An Iran government-backed group 'stole data, leveraging social engineering and one day vulnerabilities,' Parnes said. After stealing the Shirbit files, which included Israelis' private information, the crew dumped them all online.

'The power of the attack, more than anything else, was the psychological impact of it,' Parnes continued. 'It's the fact that they were able to get their hands on sensitive data from citizens of Israel, some of them working in the government, and then they amplified that through social media and other tools. This is their modus operandi. It's not just about the real impact, but rather the amplification of it.'

While their cyber campaigns against Israeli targets haven't slowed in the subsequent years, Iranian groups have also used these same tactics against Western organizations and [government officials](https://www.theregister.com/2024/08/15/google_iran_apt42_campaigns/): [spear-phishing](https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/) intent on [stealing credentials](https://www.theregister.com/2024/03/01/iranian_cyberattack_charges/), [social engineering](https://www.theregister.com/2022/12/15/charming_kitten_ta453_expands_targets/) including setting up fake LinkedIn personas, breaking into [US water and fuel systems](https://www.theregister.com/2024/12/13/iran_cyberweapon_us_attacks/) and then [doing nothing with the access](https://www.theregister.com/2025/06/13/cyber_weapons_israel_iran/) — but then making it into a big deal on social media.

'And now generative AI introduces capabilities in being able to master social engineering, both in quality and quantity,' Parnes said. 'If you're an attacker and you have your target, let's say, a bank in the US, you need to do reconnaissance, gather intelligence on the target, and then build an attack that is relevant to the audience. Generative AI saves years of investment in the reconnaissance phase.'

AI-based systems can generate complete reports about targeted individuals, their interests, memberships in personal and professional organizations, colleagues and friends — all from scraping potential victims' social media pages, he opined.

'And that allows me to be significantly more effective in this first step than if I needed to do all of that manually,' Parnes said.

Plus, AI makes it much easier to craft phishing emails, phony documents, and even spoofed websites that look and sound real. 'So it makes this attack significantly more scalable — Google said [Iranian threat actors were using Gemini](https://www.theregister.com/2025/01/31/state_spies_google_gemini/) for these purposes,' he added. 'This is what worries me more than zero-days.'

'You don't need to be a superpower, you don't need to be the NSA with zero days, you just need to have the skills to understand how the organization that you're targeting operates, who the actors are, what processes and procedures understand people, understand language, understand culture, and this is it.'

Scattered Spider, perhaps even more so than Iranian spies, has [mastered social engineering](https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/), and the crew has a built-in advantage when it comes to attacking American and British orgs because its members are native speakers who know the language and the culture.

'Scattered Spider is an example of how powerful social engineering can be,' Parnes said, adding that he wouldn't be surprised to see some level of collaboration between the financially motivated gang and Tehran's state-sponsored crews, along the lines of Iran's [Pioneer Kitten working with ALPHV/BlackCat](https://www.theregister.com/2024/08/28/iran_pioneer_kitten/) and other ransomware-as-a-service gangs.

Plus, there are already indications that state-linked attackers are adding ransomware to their toolkits.

'Scattered Spider harvests identities, and they sell them to whoever wants to buy them, so Iran threat actors could use them in their campaigns,' Parnes said. 'It all ends up in Iranians being able to do much more with their rather rudimentary capabilities.'

Neither Iran nor Scattered Spider 'have the most advanced cyber weapons,' he added. 'But maybe they don't need it.' ®
