Main Logo Expert commentary on tech and security

Gaza war pushes Israel-UAE ransomware cooperation back behind closed doors

James Shires 13 March 2025
Share On:
The UAE has been a leader in normalising relations with Israel, and cybersecurity has been a key area of cooperation. However, regional backlash against the Gaza war has forced the UAE to de-emphasise shared projects.
Main Top Image
Israeli President Isaac Herzog and UAE Ambassador to Israel Mohamed Al Khaja at the opening of the UAE Embassy in Tel Aviv in 2021. Photo: Mark Neyman/Government Press Office of Israel

In mid-February, the head of the UAE Cyber Security Council implausibly claimed that all ransomware attempts in the state in 2024 were ‘successfully thwarted’ with the help of private sector partners – despite a reported 32% increase in such incidents that year. Perhaps unsurprisingly, he made this claim at a conference sponsored by said partners to publicise their latest threat intelligence, including on a malicious actor jarringly dubbed ‘Crafty Camel’.

However, the national origin of some of those private sector partners was conspicuously absent from this announcement. As well as the usual roll-call of cybersecurity companies from the US, UK, and Europe, the UAE cybersecurity sector features a range of Israeli companies offering both offensive and defensive products and services.

Israel-UAE cybersecurity cooperation has been fundamentally reshaped by Israel’s war in Gaza, one of many far wider changes in regional geopolitics. Due to the reputational risks of public cooperation, their cybersecurity relationship has returned to the quiet, back-room deals favoured by both countries before their landmark normalization five years ago.

Israel-UAE digital recognition

In 2020, the UAE played a leading role championing the Abraham Accords, a normalization agreement between Israel and several Arab states (also including Bahrain, Morocco, and Sudan). The Accords are but one step in a Israel-UAE security partnership decades in the making. 

As I argue in a recent article with Bassant Hassib, cybersecurity cooperation, along with cloud infrastructure and subsea cables, played a key role in Israel-UAE normalisation through ‘digital recognition’: the way digital technologies both pave the way for and make necessary changes in wider diplomatic relations. 

Perhaps the most notorious aspect of Israel-UAE cybersecurity cooperation is the sale of Pegasus spyware, built by Israeli company NSO Group and reportedly used by UAE royals to target domestic civil society and their families abroad

Other aspects of Israel-UAE cybersecurity cooperation are more defence-oriented. Etisalat, the company reportedly targeted by Lockbit, began receiving threat intelligence support from Israeli company Cyberint in 2023. 

A year after Israel announced its intention to build a ‘Cyber Dome’ at a 2022 ‘Cyber Week’ event, the head of the UAE Cyber Security Council, Mohamed Al Kuwaiti, said that Israel is ‘helping us to build a cyber Iron Dome or improve the existing one’. However, the Cyber Dome was still under development in October 2023, a week after the Hamas attacks.

Abraham Accords in limbo

Since the start of the Gaza war, all Arab states have faced domestic backlash for insufficiently supporting the Palestinian cause. This deficient support should be no surprise, however, given those states’ leaders’ intense dislike of Hamas and other Palestinian organizations.

The UAE in particular has experienced unusually open public criticism of its Israel policy, as well as incidents of antisemitism, including the murder of a well-known rabbi. Despite this difficult position, the UAE has sought to maintain levels of normalisation established by the Abraham Accords. It is the only Arab state not to recall its ambassador to Israel, and it has continued direct flights to Israel throughout the war.  

The Israel-UAE trade relationship has also suffered. As Israel’s GDP contracted over 20% during the war, the UAE’s commercial ties were described as a ‘lifeline’. Even so, investments and joint ventures in sectors as diverse as energy and meat production have been put on hold or discontinued. In the words of one businessman, ‘it’s still happening, [but] it’s happening less.’ 

However, as the current ceasefire hangs precariously in the balance, there are signs of a return to the pre-7 October status quo: in January 2025, the UAE state-owned defence company Edge bought a minority stake in an Israeli company that specialises in anti-drone protection.

Ransomware – a shared threat

The UAE’s recently released annual national cybersecurity report notes that – like many other countries – ransomware is one of the UAE’s top cyber threats, with 19 ransomware groups named as active in the UAE in 2024 (up from 12 the previous year). 

The UAE has also recently held its annual ‘Cyber Wargaming’ exercise. The wargame, now in its fourth iteration, focuses on protecting banking and financial services, with the original scenario in 2021 devised as a nation-state sponsored ransomware attack. 

So far, this specific scenario has not occurred in the UAE – at least according to public information. The highest profile reported incident is a disputed compromise of UAE-headquartered regional telecoms giant Etisalat (now e&) by the notorious Lockbit ransomware group, days before an international law enforcement operation disrupted the group in February 2024.

State-sponsored ransomware operations have similarly been a longstanding high priority issue for Israel. Iran-linked groups have conducted ransomware operations targeting the country at least since 2020, sometimes leaking data simply to cause disruption rather than collect payment. 

Understanding this overlap in targeting intentions is a perennial issue for Iran cyber threat analysts. Israeli cybersecurity companies have described apparent ransomware operations as ‘masking destructive influence” from Iran. 

However, more recent Iran-linked activity seems to fit more to the standard ransomware ‘playbook’. A US advisory in August 2024 highlighted Iranian state-sponsored actors acting as initial access brokers and collaborators with major ransomware groups, without disclosing the groups’ nationality or location.

Crystal Ball and the CRI

The UAE and Israel’s joint approach to ransomware threats shows how their process of digital recognition has come under significant pressure since the Gaza war. One key element of Israel-UAE cybersecurity cooperation is Crystal Ball, a threat intelligence sharing platform developed by Microsoft, Israeli company Rafael Advanced Defense Systems, and UAE cybersecurity company CPX (co-author of the annual cybersecurity report above). 

Crystal Ball was first announced in June 2023 by Al Kuwaiti during Cyber Week in Tel Aviv, in a well-publicised keynote address alongside the Director General of the Israel National Cyber Directorate. In his remarks, Al Kuwaiti mentioned that the platform had already helped the two countries defend against an unspecified distributed denial of service (DDOS) attack.

In May 2024, Crystal Ball was subsumed into the Counter Ransomware Initiative (CRI), an international multistakeholder group including over 60 countries, with both the UAE and Israel as members. Crystal Ball was then promoted at the CRI annual conference in October 2024, and demonstrated to over 14 countries at a UAE cybersecurity event in November 2024. 

Publicity surrounding the incorporation of Crystal Ball into the CRI, in the midst of the Gaza war, was noticeably different in the UAE and Israel and in stark contrast to the original 2023 announcement. 

The UAE state news agency did not mention Israel in its May 2024 press release or its otherwise extensive coverage of the November 2024 demonstration. In contrast, the Israeli Tazpit News Agency led with Israel-UAE cooperation for the May 2024 incorporation, and the Israeli government gushingly praised the UAE in its account of Crystal Ball’s ‘maiden voyage’ in November.

A diplomatic retreat

This inconsistency around Crystal Ball is well explained by the wider diplomatic awkwardness between the two countries since the Gaza war began. Israel is keen to present an image of normality, with international conferences and new technology initiatives unaffected by the horrendous events in Gaza. The UAE takes a different approach: promoting its own contributions to countering ransomware while omitting Israel’s contributions.

This evolution in cooperation styles illustrates the concept of digital recognition that Hassib and I put forward in our article. We describe three main ways in which digital technologies, including cybersecurity, contribute to diplomatic relations: through lubrication, where they facilitate new contacts between politicians and tech leaders; through homogenisation, where they force states to confront similar technological challenges in the same way; and through integration, where technological infrastructure itself operates as a key link between states.

The development of Crystal Ball involves all three of these mechanisms. First, it initially lubricated diplomatic relations by giving Emirati and Israeli leaders a clear point of cooperation to demonstrate their increasing closeness. 

Ransomware then offered a relatively homogenised policy menu for states to combat this new digital threat, with better information sharing at the centre of all recommendations – including those proposed by the CRI. This homogenisation meant that Crystal Ball could easily be extended – at least in demonstration form – beyond the UAE and Israel to the other CRI members. 

Third, as the Gaza war has made the relationship publicly unpalatable, the UAE and Israel continue to be linked by the Crystal Ball platform and its underlying infrastructure, even though their public narratives around it have diverged. 

Although states may seek a diplomatic retreat from their prior technological commitments, the concept of digital recognition suggests that this is not always an easy or simple step.

Digital technologies not only tie adversaries and allies together in what some scholars have called ‘weaponised interdependence’; they can actively contribute to the development of new diplomatic relationships, harder to unmake than they are to establish.

Funding for the research presented in this article was provided to Virtual Routes by UK Research and Innovation (UKRI), as a member of the consortium for the Horizon Europe project Reigniting Multilateralism Through Technology (REMIT). REMIT research is conducted under the umbrella of the European Union’s Horizon Europe research and innovation program, grant agreement No 101094228. UKRI’s support to the project does not necessarily represent an endorsement of its findings. The views expressed in this article are those of the author.

Photo: Mark Neyman/Government Press Office of Israel. Israeli President Isaac Herzog and UAE Ambassador to Israel Mohamed Al Khaja at the opening of the UAE Embassy in Tel Aviv in 2021. 

avatar
James Shires

Related

Featured image
Binding Edge
Predatory Sparrow: cyber sabotage with a conscience?
James Shires / Max Smeets / Hannah-Sophie Weber 9 December 2024
Read more arrow
Featured image
Binding Edge
How AI can help fulfil the promises of Europe’s Cyber Resilience Act
Christopher Covino 14 February 2025
Read more arrow
Featured image
Binding Edge
Microsoft’s recent cloud security breach draws attention to new national security risks
Kamil Bojarski / Max van der Horst 19 July 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.