Iranian hackers: how Stuxnet sparked a wave of cyber offensives


Iranian hackers are targeting US politics and infrastructure with gradually growing sophistication.

For years, Iran has been trying to influence US foreign policy through cyberattacks and disinformation campaigns.

While the country's hackers are less well known and less capable than those of other states with state-sponsored hacking programs, such as North Korea, China, or Russia, they are still a threat, and their cyber operations are becoming more sophisticated.


For example, during the past US presidential election, Iranian hackers managed to hack the campaigns of both the Republican and Democratic parties. They were responsible for the biggest hack and leak since Russia breached Clinton’s campaign in 2016.

The start of Iranian cyber offensives

Historically, a significant part of the country's state-sponsored cyber operations focused on the Iranian population itself, with the government spying on or attacking human rights activists and political opponents.

The catalyst for the beginning of Iran's cyber operations was the Iranian Green Movement of 2009.

After what many saw as the fraudulent re-election of Mahmoud Ahmadinejad as president, the country's opposition started protesting and coordinating its activities on the internet.

In response, pro-government hackers began surveilling their opponents. A group calling itself the Iranian Cyber Army attacked websites associated with Iran’s political opposition with distributed denial-of-service (DDoS) attacks.

While the Green Movement ended, the suppression methods learned from it continued to be used, according to an earlier report from the Carnegie Endowment for International Peace think tank.

Another major event that contributed to the country's cyber efforts, and shifted them toward foreign targets, was the deployment of Stuxnet, a worm developed by the US and Israel and used against the country around 2007.


The operation resulted in the sabotage of Iranian uranium enrichment centrifuges, while subsequent cyber offensives by the US and its allies targeted the country's infrastructure, including the financial sector.

Iran discovered Stuxnet in 2010 and, in response, formed the Cyber Defense Command, a new cybersecurity body tasked with protecting domestic information systems from foreign adversaries infiltrating key networks.

[Image: Stuxnet. Image by Cybernews]

However, Iran also began directing its intelligence, security, and private-industry resources toward targeting and infiltrating adversarial networks.

Meddling in the US election

To this day, a significant portion of Iran's cyber efforts is focused on influencing its adversaries: the US, Israel, and their allies.

A number of Iranian state-sponsored groups targeted last year’s presidential election campaigns and managed to hack emails from both the Democratic and Republican parties.

In September, the US charged three hackers belonging to Iran's Islamic Revolutionary Guard Corps (IRGC) with allegedly targeting members of President Donald Trump's electoral campaign.

According to the indictment, the hackers obtained documents and communications by impersonating US government officials in spearphishing emails, and then tried to leak the material to the media.


An earlier report by Google Threat Intelligence (GTI), published before the indictment, attributed the hacking of the US presidential campaigns to the group APT42, which is associated with the IRGC.

APT42 is known for its targeted campaigns against high-profile individuals, including government officials, diplomats, and political campaigns, particularly those in the US and Israel.

“APT42 uses a variety of different tactics as part of their email phishing campaigns, including hosting malware, phishing pages, and malicious redirects. They generally try to abuse services like Google, Dropbox, OneDrive, and others for these purposes,” said GTI in its report.

APT33 and other threat actors

Another prominent Iranian state-sponsored hacking group is APT33, which is also tracked under several other names, including Elfin, NewsBeef, Holmium, and Peach Sandstorm. Security vendors often assign their own labels to the same threat actor based on their independent analyses.

Elfin has been observed operating since 2013 and mostly targets the US, Europe, and the Middle East.

In one of the recently reported attacks, Elfin used Tickler, a new custom multi-stage backdoor, to target organizations in the defense, space, education, and government sectors in the US and Australia.

Elfin also creates LinkedIn profiles masquerading as students, developers, and talent acquisition managers based in the US and Western Europe, and primarily uses them for intelligence gathering, according to a report from Microsoft.

OilRig, another Iranian threat group, also known as APT34, Earth Simnavaz, and Helix Kitten, has recently ramped up its efforts against infrastructure in the Middle East.

In recent years, OilRig has conducted several high-profile attacks on critical infrastructure, particularly in the energy and telecommunications sectors.


For example, in 2020, the group was linked to a major breach of an energy company in the UAE, in which it deployed custom malware to gain network access, compromise sensitive data, and disrupt operations.


Heaviest users of AI

Recently, Iranian hackers have been observed actively leveraging the latest AI tools. While it is no secret that both cybercriminals and state-sponsored hackers are using AI tools, Iran appears to be doing so with particular intensity.

In a recent report, Google warned that state-backed threat actors are among the heaviest users of its chatbot, Gemini. The company found that groups from 20 countries, including North Korean, Russian, Chinese, and Iranian state-sponsored groups, were the most frequent users of the tool.

“Their use reflected strategic Iranian interests, including research focused on defense organizations and experts, defense systems, foreign governments, individual dissidents, the Israel-Hamas conflict, and social issues in Iran,” the report said.

Overall, Google found ten Iranian state-backed hacking groups using Gemini. Over 30% of that usage was linked to APT42, the same group that was behind the hacking of the Democratic and Republican parties during the last US presidential campaign.

“In addition to reconnaissance, APT42 used the text generation and editing capabilities of Gemini to craft material for phishing campaigns, including generating content with cybersecurity themes and tailoring the output to a US defense organization,” the report said.
