“Soldiers need helmets, vests, socks, boots, drones...”

Long before the first ballistic missile was fired from Iran, the Islamic Republic had begun to set the stage by impersonating donors in a bid to gather intelligence on geolocations and ways to physically infiltrate donation networks. Posing as good Samaritans eager to donate goods to the IDF, Iranian operatives coerced soldiers and not-for-profits to share information and metadata on the IDF.

Everyone has seen the solicitations for clothes and gear on WhatsApp, Facebook, Paybox, and Telegram. You may have even had specific appeals from your synagogue or temple in America. This week, someone who has been helping to collect garments and equipment for soldiers had an alarming wake-up call, when she received an offer to donate from a phone number that was traced by security sources to Iranian operatives.

Upon investigating, she realized that many of the donation groups online may have inadvertently let in Iranian operatives, bringing them one step closer to surveilling, analyzing whereabouts and possibly harming Israeli soldiers on the battlefield, or even at home.

How can purchasing socks turn out to be harmful to a soldier?

Here, soldiers of the Golani Brigade operate in Gaza in June. (credit: IDF Spokesperson’s Unit)

'You are the target'

After October 7, as the word got out that soldiers needed things like boots, socks, drones, ceramic vests and helmets, well-meaning individuals donated money, both through Friends of the IDF and other large groups, but, per the Defense Ministry, these groups were limited in the scope of what they could provide. Other individuals with the ability to send items and gear through private channels got involved.

“The thought that something I may have said or done could have led to our enemy harming a soldier, after I’ve worked so hard to keep them safe, was sobering,” explains Jessica Zandani, one of the many independent procurers for the IDF, who belonged to a number of WhatsApp groups that have members of not-for-profits, mothers seeking supplies for their children’s platoons, vendors who can supply goods, and apparently one or more Iranian spies.

“You’re the mother of a soldier, desperately reaching out to others on Facebook mommy chats or Jewish women’s groups. Another mother approaches you; she says her son went to school with yours. ‘Where is your son stationed?’ she asks innocently. Maybe she says she knows someone stationed in the vicinity and is sending a care package. You answer, not realizing that some of the information you’re giving is not benign. ‘His platoon needs 120 pairs of socks’ means his platoon has 120 soldiers. ‘They really can use a donation to buy ceramic plate vests’ means they are currently inadequately protected. Unknowingly, you may be alerting Iran to the platoon’s whereabouts and needs and hurting your son and his entire platoon.”

Nili Einat, head of the Information Security Department in the Security Division at Ben-Gurion Airport, has been working to raise awareness about information security among the division’s employees.

She says the Iranians have been working the Israeli public for a long time; but with AI helping them to identify groups and individuals who can be easily compromised, the threat has intensified lately.

“It doesn’t matter if you’re an IT professional or an ordinary person – anyone can be vulnerable to manipulation,” explains Einat. “They’re playing the long game. A cyberattack is often a prolonged process, and the real strategy is to hit the backup systems first before attacking the primary infrastructure – like what happened in the ransomware attack at Hillel Yaffe Medical Center. Cybersecurity must be reviewed and updated every three months.

“Being aware is not being paranoid,” she explains. “Bezek did a communication, telecom, and social media communications survey and found that 85% of people are not aware of the difference between fake and real news. It doesn’t matter if you are working in IT or just an ordinary person. Social engineering has become the bon ton manner of hacking. Information security companies are doing well. The computers are very secure, but the people not so secure.”

“You can’t regulate the groups,” explains Zandani. “You are reaching out for donors, and people go out of their way to win your confidence. Facebook mom groups seeking ‘place for a bag for soldiers’ if someone is traveling to Israel can be completely fictitious people. Well-meaning people send Chinese drones, electronics, things that may be embedded with spyware that are then given to [soldiers]. Some even send ITAR items – ballistics, scopes, etc. Most concerned Jews want to do whatever is needed to get our soldiers home.”

People like Zandani and Daniel Mael stepped in initially because they saw soldiers going to the battlefield without the proper protection.

Mael, an American citizen who has provided over 35,000 helmets and vests to the army since October 7, blames the Defense Ministry and large groups like FIDF and JNF for not ensuring that soldiers are getting the crucial protective gear and instruments they need.

“They say that they have a deal with the Defense Ministry not to supply equipment, but instead bring the soldiers sweets,” he says. “Why spend a single dollar on Mentos? That is not a responsible use of money. Buying Mentos and showing up with a yahrzeit candle and box of cookies when a grieving widow sits shiva is not supporting soldiers on the front lines.”

A clothing manufacturer with a New York office by trade, Mael calls his organization Unit 11741. He says groups like his are doing a job that the IDF isn’t doing, and he started his organization because he couldn’t believe the army was missing vital protective gear.

“I asked a contact from the United States armed services, a high-ranking officer: What is the efficacy of a helmet from 1978? I did my own ballistic tests at the shooting range. Discarded IDF helmets before year 2000 – all failed. The warranty given to Israel had expired on all these items. The Defense Ministry was sending people into battle with faulty equipment.

“The IDF logistics people should be punished for not procuring the proper equipment,” he says. “It’s criminally negligent. Dozens of soldiers were severely injured and some killed because of bad equipment. They don’t have the courage to admit this happened.”

He says that he personally stays off of the groups, but that hundreds, possibly thousands of groups have been going strong since October 7, 2023. The equipment procurers join the groups to receive group discounts. At times it’s helpful for procurement to go on the groups.

He says he hasn’t had anyone who appeared “shady on the donor end,” and he is careful not to disclose any military information in a way that’s revealing.

But Zandani says the soldiers themselves, when going on these groups to request things and identifying themselves, their platoon and their commanders, may unwittingly be releasing information. The Iranians can collect specific information, even metadata and geolocations of soldiers who request supplies from, or send photos and videos to, these well-meaning groups.

The Iranians are playing the long game, Einat explains. Cyber intrusions, the major ones of which come from Iran, can embed themselves in computers and take time to learn the system, lodging first in the backup system so that there is no way to get rid of them. She says cybersecurity must be reassessed every three months to stay ahead of the game.

“From 2014 we started to see social engineering attacks,” she explains. “They are very clever; and today, with AI, it’s simple. Bots have fake profiles – they make fake offers to journalists, scientists, security professionals, and they usually start by sending fake emails.

“On LinkedIn,” she adds, “20%-30% of the profiles are fake. Many people who want to advance, even from army intelligence, may send a résumé without knowing who is on the other end. WhatsApp has so much confidential information. Names are not hidden, nor are phone numbers, and you can get added to groups without your consent. There are Army Friend groups, and it is an ongoing source of confidential information.

“There is no privacy anymore,” she says. “Adding a photograph of yourself, of a soldier friend or relative on any form of social media can share metadata and the geolocation within 50 meters of where you took that selfie as you were lounging in your pajamas and drinking hot cocoa.

“Potential donation platforms must know that if you have a son who is a soldier, both you and your son are targets,” she continues. “You need to consider exactly what you are willing to share with the world and what are the consequences of what you share on any platform. Any detail that you share can help the enemy produce something to harm you or the country.”

Iran is looking for you!

“Iran is a country that encourages academic education,” explains Einat. “The proportion of IT students in Iran per capita is the highest in the world. They are an intelligent enemy that must not be underestimated. They are looking for Iranian mothers because their children, likely Persian-speakers, may be in army intelligence units. They want researchers, professors, recent soldiers, people who worked in the military, parents of soldiers. They analyze your online comments and recruit accordingly.”

She says they frequently target people from the former Soviet Union. They look for people who are not particularly patriotic or Zionistic. They even recruit ultra-Orthodox who may be opposed to the government.

“In 2016 Hamas went looking for soldiers who were talking about Operation Protective Edge,” she recalls. “They created fake profiles of girls with Israeli names. More than 1,200 soldiers friended them on Facebook. It was so easy.

“If you ask people to describe a fake profile, they may say they don’t have a lot of friends, it was recently opened. But if Hamas opened a profile in 2023, it was a well-established profile, with many pictures. A history and pictures can all be added by AI,” she continues. “Fake people even produce videos. Which is why it is so difficult to differentiate between what is fake and what is real online.”

Einat referenced the Facebook-Cambridge Analytica data scandal, which came to public attention in 2018 after Cambridge Analytica psychographically profiled up to 87 million Facebook users, harvesting their personal data and analyzing their user behavior – done without their consent. Comments, “likes,” and social interactions were analyzed to predict and target “persuadable” voters with messages designed to align with their psychological traits.

Now, with AI and using bots, psychographic modeling can be done on a much wider scale to identify people who are easily influenced or unstable, who make good prospects to send information to Iran inadvertently, or could be recruited as agents.

“The enemy knows all the systems,” Einat says. “They may present themselves as donation representatives and could give you things to check in at the airport. They profile people coming from the US who have volunteered online to bring things in.

“Ideally, donations must be controlled by a central body in the IDF,” she explains, “not given to one division or one department. The army should give donors the protocols for screening, and they should not accept everything. Drones, for instance, can carry malware. The situation at hand here is ‘too many chefs spoil the broth.’”

“People who want to donate drones or electronics should be dealing with nonprofits that only purchase Israeli-made hardware,” adds Zandani. “No Chinese parts or anything electronic, even 3D printers, should be used. If you plug in a Chinese printer like Bamboo, which is owned by DJI, you are opening up a window to the Chinese government, and possibly introducing malware that can cause the army harm. Plus, buying Israeli is just another way to support Israel and Israeli businesses.”

Einat’s advice: don’t give any personal or confidential information – bank accounts, credit cards, etc. – on WhatsApp. “It’s a platform that everyone works with – banks, schools. Don’t put any vulnerable information, even information that someone can use to shame you. If you wouldn’t publish this in the news, do not put it on WhatsApp.

“You can be recruited and you can be manipulated. Always ask yourself if somebody might be getting benefit from your presence. Social media has a lot of benefits, but you need to know the mal things that can happen to you using this media. If you don’t know someone, don’t ‘friend’ them. If you are added to a group, research the members of the group. Don’t be afraid to use the phone and call people to vet them. Don’t be paranoid. Be aware.”

And she adds, “If you see something suspicious, do not be afraid to bring it to us at security. We will decide whether or not it is a security concern.”