The Iranian regime is supplementing the cyber attack efforts of Iran threat actors with a new playbook: cyber-enabled influence operations (IO), according to a new Microsoft Threat Intelligence report.
This has allowed Iran to achieve its geopolitical aims by combining offensive cyber operations with multi-pronged influence operations.
“Multiple Iranian state groups have turned to cyber-enabled IO more regularly since June 2022 to boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities,” said the Microsoft Threat Intelligence report.
“More fundamentally, they have combined offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives.”
These operations have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, countering the ongoing normalization of Arab-Israeli ties, and sowing panic and fear among Israeli citizens.
Iran threat actors: Old ways, new wins
Most of the operations of Iran threat actors have a predictable playbook, in which they use a cyber persona to publicize and exaggerate a low-sophistication cyber attack.
This is promptly followed by seemingly unassociated inauthentic online personas amplifying and often further hyping the impact of the attacks, using the language of the target audience.
While Iran’s techniques may have changed, its targets have not, noted the report.
They have also incorporated two new amplification strategies into their repertoire: using SMS messages to reach target audiences, and impersonating victim organizations or prominent figures associated with those organizations to enhance credibility.
These operations remain focused on Israel, prominent Iranian opposition figures and groups, and Tehran’s Gulf state adversaries.
Between October 2022 and March 2023, nearly a quarter of Iran’s cyber operations (23%) were directed against Israel, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts.
Iranian cyber actors have also adopted cyber-enabled IO to undercut the momentum of nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or to expose their “corrupt” relationships.
Although some Iranian threat groups have turned to cyber-enabled IO, there has been a corresponding decline in Iran’s use of ransomware or wiper attacks, which were prolific in the past two years.
However, the future threat of increasingly destructive Iranian cyberattacks remains, particularly against Israel and the United States, as some Iranian groups are likely seeking cyberattack capabilities against industrial control systems.
Certain patterns are evolving in the attacks mounted by the Iran threat actors, the report noted.
Iran threat actors and new attack patterns
“While lagging behind their Russian and Chinese counterparts in sophistication, Iranian nation state actors have added some new tools and techniques to their arsenal,” said the Microsoft Threat Intelligence report.
“This continued advancement in sophistication will enhance their ability to acquire access to specific targets of interest and maintain persistence while avoiding detection, a challenge they likely faced in some of their cyber-enabled influence operations since 2022.”
One trend that has emerged is the rapid adoption of N-day vulnerabilities, where Iranian state actors are increasing the speed with which they are operationalizing newly reported exploits to compromise organizations.
For example, on the same day proof-of-concept code was publicly released, an Iranian group known as Mint Sandstorm began exploiting a remote code execution vulnerability in Zoho ManageEngine.
They also incorporated an exploit for a newly disclosed vulnerability only five days after it was publicly reported.
Another trend is the use of victim websites for command and control (C2). An Iranian actor known as Storm-0133 used custom malware to establish communication between an already compromised Israeli website and multiple other in-country victim networks.
This technique complicates defenders’ efforts, as geolocation data is often used to identify anomalous network activity.
Iranian state actors are also steadily using custom tooling against targets of interest, added the Microsoft Threat Intelligence report.
This shift away from publicly available tools and simple scripts towards the development and use of bespoke implants suggests that at least a subset of operators are capable of increasingly sophisticated tradecraft.
For example, Storm-0133’s campaign exclusively targeted Israeli organizations, affecting local government agencies and companies serving the defense, lodging, and healthcare sectors.