Microsoft says Iranian hackers combine influence ops with hacking for maximum impact

Iranian state-aligned hackers are increasingly deploying information operations to amplify cyberattacks and gain maximum exposure for their efforts to support the regime’s agenda in the Middle East and against Western targets, Microsoft’s Digital Threats Analysis Center said Tuesday.

Researchers linked 24 unique cyber-enabled influence operations, which combine offensive computer network operations with online messaging and amplification, to the Iranian government in 2022 compared to just seven in 2021, according to the report. Seventeen of the operations have taken place since June of 2022, the researchers found.

While it’s possible that Microsoft’s ability to detect the operations is improving, the trend coincides with a marked decrease in ransomware and wiper attacks linked to the Iranian military, the researchers said, particularly the Islamic Revolutionary Guard Corps. “The IRGC’s latest string of cyber-enabled IO in the last year has leveraged low-impact, low-sophistication cyberattacks, such as defacements, which are less time and resource intensive, while dedicating more effort to its multi-pronged amplification methods,” the researchers wrote.

The shift in tactics coincides with increased speed in adopting newly reported vulnerabilities, the use of compromised websites for command and control to better obfuscate the source of attacks and, in a subset of cases, more bespoke tooling and sophisticated tradecraft, the researchers said. Taken together, the developments demonstrate that even if Iranians lag behind their Russian and Chinese counterparts in technical sophistication, Iranian threat groups are enhancing “their ability to acquire access to specific targets of interest and maintain persistence while avoiding detection.”

The influence operations, which have mostly target Israel followed by the U.S., United Arab Emirates and Saudi Arabia, have sought to support Palestinian resistance, push unrest in Bahrain, sour ongoing normalization efforts between Israel and Arab states, terrorize Israeli citizens and undercut domestic protests in Iran by painting regime critics as “corrupt,” the researchers said.

Most of the cyber-enabled influence operations are likely the work of Emennet Pasargad, an Iranian cybersecurity company sanctioned by the U.S. government in November 2021 for its alleged role in a sprawling 2020 election interference operation. Two Iranian nationals associated with the company were indicted for their role in the operation. A separate Iranian-linked operation by a likely Iran-based contractor known as Pioneer Kitten saw state-aligned hackers breach an unnamed local government’s website that was set to report 2020 election results, but were stopped before they could do anything, officials revealed last week at the RSA security conference in San Francisco.

The operations occur through a variety of persona fronts the researchers and others have linked to various parts of the Iranian government, and can include espionage operations, destructive malware attacks, or a combination of the two, along with follow up amplification via persona channels and sock puppet social media accounts.

A group calling itself Homeland Justice, for instance, attacked the government of Albania in July 2022 with both destructive malware and hack-and-leak campaigns because the Albanian government allows a prominent Iranian-resistance group to operate in Albania. The Albanian government blamed the Iranian government for the attack and cut diplomatic ties, and the U.S. government followed shortly with sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and the Iranian Minister of Intelligence.

In a more recent example, in February, a previously unknown group calling itself “DarkBit” executed a ransomware attack on a prominent Israeli university. The message posted to announce the attack said the university deserved it for its role in “an apartheid regime,” and also referenced Palestinians. The Israeli government later linked the attack to an Iranian group tracked by Microsoft as Mango Sandstorm but more widely as MuddyWater, which has been linked to the MOIS. An April 7 Microsoft analysis concluded that the DarkBit persona worked in partnership with the MOIS.

That Iranian-aligned groups are turning more toward information operations as part of an overall cyber strategy could be attempts at proportionate response to a flurry of attacks on Iranian targets by entities the Iranians say are Israeli or American, the researchers note. Black Magic, for example, which Microsoft assesses as working in support of the IRGC, launched a series of ransomware attacks on Israeli targets that seemed to mimic the attacks of Predatory Sparrow, an unaffiliated hacking group that has pulled off a series of top-tier cyberattacks on Iranian targets that some have linked to the Israeli government.

Iranian-linked cyberattacks and information operations are likely to continue along this pattern, the researchers said, which can usually characterized as a response to perceived attacks or provocations against the Iranian government, including anything related to the ongoing protests within Iran in response to the murder of Mahsa Amini.

“In October, Supreme Leader Khamenei and Iran’s intelligence agencies blamed Israel and the United States for inciting protests in Iran, while other key regime figures have blamed Israel and the United States for major cyberattacks against Iran,” the researchers wrote. NATO countries are also at risk, as the attack on Albania and a separate operation against the French magazine Charlie Hebdo in February shows that Iranian-linked hacking efforts are not deterred by NATO membership status.