CyberSecurity SEE

Iran’s Role in the Ascendance of Cyber-Enabled Influence Operations

In recent months, Iranian state actors have unveiled a new weapon in their cyber warfare arsenal: cyber-enabled influence operations (IO). These operations combine offensive computer network operations with messaging and amplification in a coordinated and manipulative fashion. The goal of these operations is to alter the perceptions, behaviors, and decisions of their targets in order to advance Iran’s geopolitical objectives.

Iran has turned to cyber-enabled IO as a means of compensating for its shortcomings in cyberattack capabilities. Unable to match the sophistication of past cyberattacks against the regime, Iran has instead opted for low-impact and low-sophistication cyberattacks, such as defacements. These types of attacks require fewer resources and can be executed more quickly, allowing Iran to dedicate more effort to amplification methods.

Last year, Microsoft identified 24 unique cyber-enabled IO linked to the Iranian government, with 17 occurring since June 2022. This represents a significant increase compared to just seven cyber-enabled IO in 2021, highlighting Iran’s growing reliance on this technique. The rise of cyber-enabled IO has coincided with a decline in ransomware and wiper attacks by Iranian military affiliates, particularly the Islamic Revolutionary Guard Corps (IRGC).

Three examples of cyber-enabled IO conducted by Iran demonstrate the breadth and impact of these operations. In February 2022, a group known as Storm-1084 conducted destructive cyberattacks while encouraging resistance against Israel’s policies towards Palestinians. The attack was disguised as ransomware, with a ransom note referring to Israel as an “apartheid regime” and calling for accountability for its actions against Palestinians.

In the same month, a cyber persona known as Al-Toufan defaced multiple Bahraini and Israeli websites, coinciding with the anniversary of anti-government protests in Bahrain. The defacements aimed to incite unrest among Bahrain’s Shi’ite majority by drawing attention to issues of poverty and inflation. The group also utilized sockpuppet social media accounts to amplify the impact of the defacements.

In December 2022, a cyber persona identified as Atlas Group (believed to be associated with Cotton Sandstorm) hijacked an Israeli sports website. The group posted a message expressing hostility towards Israelis and amplifying Arab-Israeli animosity. The timing of this operation during the World Cup quarterfinals, following the establishment of direct flights between Israel and Qatar, further underscored its significance.

These examples of cyber-enabled IO demonstrate Iran’s determination to bolster its cyber and influence capabilities in order to retaliate against perceived threats and match the sophistication of its adversaries’ cyberattacks. As Iran continues to refine and develop new influence techniques, it is crucial for the broader cybersecurity community to have reliable and comprehensive threat intelligence. NATO member nations and European countries may be particularly at risk. Israel is the country most targeted by Iranian attacks, followed by the United States and the United Arab Emirates.

By closely monitoring Iranian attack trends, potential target groups can better fortify their own cybersecurity defenses. The rise of cyber-enabled IO serves as a reminder of the evolving nature of cyber warfare and the need for proactive measures to counter such tactics. As cyber threats continue to evolve, reliable threat intelligence and robust cybersecurity measures will remain crucial in defending against state-sponsored cyberattacks.
