Iranian nation-state threat actors are being accused of targeting entities based in the U.S. and Israel, according to a report by Google published on Tuesday. The report states that Iran has aggressively targeted Israel and the United States in the years leading up to the ongoing Israel-Hamas war that began in October, and has continued to do so in the months since. The cyberwarfare has involved destructive malware, intelligence collection activities, and public influence campaigns against Israeli individuals and organizations, as well as entities in the U.S.
Google identified several Iranian state-sponsored actors involved in the malicious activity, such as APT42, “Dustycave,” and “Dune.” Additionally, the report mentioned the November cyberattack against the Municipal Water Authority of Aliquippa in Pennsylvania, for which a threat actor known as “Cyber Av3ngers” claimed responsibility. According to the report, the threat actor compromised a machine at the facility that regulated water pressure and contained components developed by an Israeli-owned company.
This heightened concerns about threats to critical infrastructure, leading the Cybersecurity and Infrastructure Security Agency (CISA) to publish an incident response guide for organizations in the water and wastewater utility sector. During a press briefing, Sandra Joyce, vice president of Mandiant at Google Cloud, noted that Iran’s hacking efforts against the U.S. and Israel have had mixed results. She mentioned the Cyber Av3ngers’ attack as an example, where the group claimed to have full access to water facilities in the U.S. and leaked internal documents to make it appear as though that were true. Joyce added that Iran used influence operations to make it seem as though its activities had a greater impact than they did.
Google also highlighted phishing activity conducted by Iranian state-sponsored group APT42, which was believed to be particularly interested in Israeli and U.S. decision-making related to the conflict. The campaign targeted nongovernmental organizations, media, and policy work associated with higher education. Google researchers also mentioned an information operations group referred to as “Marnanbridge,” which conducted hack-and-leak campaigns targeting Israel. The group was likely connected to the Iranian company Emennet Pasargad, which the U.S. government previously sanctioned for attempting to influence the 2020 presidential election.
During the briefing, Joyce noted that the threat actors have been active during major global election years. Despite the mixed results of these Iranian cyberattacks, Google and Mandiant officials emphasized that Iran has committed significant resources to its state-sponsored hacking efforts. Shane Huntley, senior director of Google’s Threat Analysis Group, said that the threat groups have demonstrated that they can deploy cyberattack capabilities very quickly.
“We see this as a tool of first resort. We don’t see cyber as something that comes later,” Huntley said during the press conference. “It’s something that comes early, and something that can exist with kinetic attacks or without.”
The ongoing cyberwarfare and malicious activities conducted by Iranian state-sponsored actors against the U.S. and Israel underscore the increased risks posed by nation-state threat actors in the digital realm. The targeting of critical infrastructure, government entities, and organizations indicates the need for heightened cybersecurity measures to mitigate these threats. A successful cyberattack on sensitive infrastructure could have serious implications for national security and public safety. The continuous efforts by groups such as APT42, “Dustycave,” and “Dune” emphasize the evolving nature of cyber threats and the need for enhanced collaboration between government agencies, private sector entities, and cybersecurity experts to defend against these persistent threats.

