Unit 8200 is an Israeli Intelligence Corps unit of the Israel Defense Forces responsible for collecting signal intelligence (SIGINT) and code decryption. Military publications include references to Unit 8200 as the Central Collection Unit of the Intelligence Corps, and it is sometimes referred to as Israeli SIGINT National Unit (ISNU). It is subordinate to Aman, the military intelligence directorate.
The unit is composed primarily of 18–21 year olds. As a result of the youth of the soldiers in the unit, and the shortness of their service period, the unit relies on selecting recruits with the ability for rapid adaptation and speedy learning. Afterschool programs for 16–18 year olds, teaching computer coding and hacking skills, also serve as feeder programs for the unit. Former Unit 8200 soldiers have, after completing their military service, gone on to found and occupy top positions in many international IT companies and in Silicon Valley.
Unit 8200 was established in 1952 using primitive surplus American military equipment. Originally, it was called the 2nd Intelligence Service Unit and then the 515th Intelligence Service Unit. In 1954, the unit moved from Jaffa to its current base at the Glilot junction.
According to Peter Roberts, the Director of Military Sciences at the Royal United Services Institute, “Unit 8200 is probably the foremost technical intelligence agency in the world and stands on a par with the NSA in everything except scale. They are highly focused on what they look at — certainly more focused than the NSA — and they conduct their operations with a degree of tenacity and passion that you don’t experience elsewhere.”
Unit 8200 is the largest unit in the Israel Defense Forces, comprising several thousand soldiers. It is comparable in its function to the United States’ National Security Agency and is a Ministry of Defense body just as the NSA is part of the United States Department of Defense.
Subordinate to Unit 8200 is Unit Hatzav (Hebrew name for Drimia), responsible for collecting OSINT intelligence. The unit monitors and collects military intelligence–related information from television, radio, newspapers, and the internet. The translation of various items accounts for part of what is termed “basic intelligence”, which is collected by the units. According to media reports, the unit provides over half of the overall intelligence information for the Israeli Intelligence Community.
The IDF’s most important signal intelligence–gathering installation is the Urim SIGINT Base, a part of Unit 8200. Urim is located in the Negev desert approximately 30 km from Beersheba. In March 2004, the Commission to investigate the intelligence network following the War in Iraq recommended turning the unit into a civilian national SIGINT agency, as is the case in other Western countries, but this proposal was not implemented.
Unit 8200 is staffed primarily by 18–21 year old conscripts. Selection and recruitment to the unit usually occurs at age 18 through the IDF screening process after high school. However, the unit also scouts potential younger recruits through after-school computer classes. These after-school computer classes, teaching 16–18 year olds computer coding and hacking skills, sometimes act as a feeder program for the unit, with students receiving invitation letters from the IDF.
The 18 year olds selected for the unit are primarily chosen for their ability to teach themselves and to learn very quickly as the unit will only have access to their services for a short time before their military service period ends.
On 11 September 2013, The Guardian released a leaked document provided by Edward Snowden which reveals how Unit 8200, referred to as ISNU, receives raw, unfiltered data of U.S. citizens, as part of a secret agreement with the U.S. National Security Agency.
In 2010, the French newspaper Le Monde diplomatique wrote that Unit 8200 operates a large SIGINT base in the Negev, one of the largest listening bases in the world, capable of monitoring phone calls, emails, and other communications throughout the Middle East, Europe, Asia, and Africa, as well as tracking ships. Unit 8200 also reportedly maintains covert listening posts in Israeli embassies abroad, taps undersea cables, maintains covert listening units in the Palestinian territories, and has Gulfstream jets equipped with electronic surveillance equipment.
Ronen Bergman says in a 2009 book that a Hezbollah bomb, disguised as a cell phone, was picked up by agents, and taken for investigation to Unit 8200’s headquarters in February 1999. Inside the laboratory the cell phone exploded. Two Unit 8200 soldiers were injured.
In 2010, The New York Times cited “a former member of the United States intelligence community” alleging that this unit used a secret kill switch to deactivate Syrian air defenses during Operation Orchard.
In 2014, 43 veterans of Unit 8200 signed a protest letter decrying what they called the electronic surveillance unit’s abusive gathering of Palestinians’ private information. In response, 200 other reservists signed a counter-protest letter.
According to The New York Times, Unit 8200’s hack of Kaspersky Lab allowed them to watch in real time as Russian government hackers searched computers around the world for American intelligence programs. Israelis who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion of US systems.
Many media reports alleged that Unit 8200 was responsible for the creation of the Stuxnet computer worm that in 2010 infected industrial computers, including Iranian nuclear facilities.
Duqu is a collection of computer malware discovered on 1 September 2011. It is alleged to be the creation of Unit 8200.
Duqu 2.0, alleged to be the most sophisticated computer virus ever developed, compromised Kaspersky Lab in 2014. Duqu 2.0 used at least three zero-day exploits. The virus remained for months on Kaspersky Lab’s systems, undetected by them. Aside from targeting Kaspersky, it was used to spy on the negotiations for the Iran Nuclear Deal, and was detected only in the computers of the hotels hosting the Iran nuclear negotiations. It was unprecedented in that the code existed only in operative memory (RAM) and left almost no trace. According to Kaspersky, “the philosophy and way of thinking of the ‘Duqu 2.0’ group is a generation ahead of anything seen in the advanced persistent threats world.”
Companies founded by alumni
Former soldiers of Unit 8200 have gone on to found many IT companies, among them:
- Argus Cyber Security
- Axis Security
- Check Point
- CTERA Networks
- CTS Labs
- FST Biometrics
- Hyperwise Security
- Lacoon Mobile Security
- LEVL Technologies
- NSO Group
- Palo Alto Networks
- Rosh Intelligent Systems
- Salt Security
- Yonatan Labs