Geopolitical & Security Insights
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 3 March 2023.
Iran-state-sponsored groups have increasingly focused on compromising networks or disrupting systems of organisations and critical infrastructure in the past year or so. And they seem to have expanded the number of countries they have targeted with ransomware or hack-and-leak attacks, notably in Albania. We anticipate that these trends will continue throughout 2023. This is as Iran seeks to degrade, intimidate or retaliate against its adversaries, or entities that it perceives are working against its interests.
We also assess that Iran-state-sponsored groups will continue to be highly active in pursuing cyber espionage, online intelligence gathering and cyber influence operations globally. Iran has a well-established strategy of cyber espionage campaigns targeting critical industries and government agencies, particularly in the US and the Middle East. This will almost certainly remain a priority. It has also targeted NGOs, academic organisations and the defence sector. Some of these operations were probably designed to acquire intellectual property and enhance Iran’s technological capabilities.
Iran appears to have placed an increasing focus and reliance on hostile cyber operations. In a sign of this, Microsoft’s Digital Defense Report for 2022 said that Iran and affiliated cyber groups have become ’increasingly aggressive’ since Ebrahim Raisi became president in 2021; he is much more outwardly hostile towards the West than his predecessor. Such operations have included more frequent ransomware and data deletion attacks against Israel. And the report stated that based on Microsoft data, Iranian targeting of critical infrastructure globally reached its highest levels between July 2021 and June 2022 since the same period in 2018-2019.
Iran and its affiliated groups are very likely to increase the frequency of hostile operations on adversary infrastructure in 2023 and into 2024. This is based on their current trend of targeting infrastructure in some countries for network compromise or destructive attacks; these have been most common in Israel, the US and the UAE, according to Microsoft. But this is also because of converging domestic and geopolitical dynamics. These include hardening anti-Western rhetoric by Iran, negative prospects for a deal on Iran’s nuclear programme and intensifying hostilities between the new Israeli government and Iran.
The Iranian threat of data-compromising and disruptive attacks, such as ransomware, is also highly likely to extend beyond these countries this year. Microsoft said that in 2022, Iran expanded ransomware attacks to ‘US and EU victims’. This is even though the intended motivations behind those operations have appeared broadly unchanged. These have included attempts by Iran to retaliate against countries, entities or individuals that it perceives are working against its interests, and hostile to the Islamic Republic or Islam. Recent examples include:
Such attacks fit with Iran’s long-standing efforts to target rival states, dissidents and critics of the regime, including through physical attacks and sabotage. But cyber operations, which do not have geographical restraints, allow Iran to target states (or entities and individuals) in places where it may not have established proxies, or local groups or sympathisers. This seems to have been the case in the incidents against Charlie Hebdo in France and the Albanian government. And even though Albania cut off diplomatic relations with Iran following the July 2022 attacks, we doubt that this would diminish the intent of Iran-state-sponsored groups to pursue disruptive and retaliatory cyber operations.
The risk of direct targeting against sectors of priority focus to Tehran is likely to rise in the long term. Critical infrastructure sectors that Iran will probably continue to target in hostile cyber operations include:
That risk is particularly heightened in well-established target countries such as Israel, Saudi Arabia and the US. For example, in 2022 an Iran-backed group hacked the computers of an Israeli logistics company, forcing it to shut down its computers and part of its operations. And Iran-backed groups have previously demonstrated their capability to effectively deploy malware to erase data on victim systems such as on Saudi Aramco in 2012.
Iran is probably highly motivated to cause prolonged downtime or loss of critical services in Israel, particularly during periods of heightened tensions. These would most likely include defence, utilities, logistics and transportation sectors, based on past incidents. But it is likely also motivated to conduct pre-positioning and reconnaissance operations on the critical infrastructure systems of priority sectors to Iran in the US, as well as European countries. This is particularly to facilitate future potential execution of disruptive ransom- or malware on sectors that Tehran has blamed Israel and the US for targeting in Iran.
Image: Iran’s President, Ebrahim Raisi, speaks during a rally outside the former US embassy in the capital Tehran, Iran, on 4 November 2022. Photo by Contributor #072019/Getty Images.
Be the first to receive our articles, news and insight on global risk, industry trends and what's new at Dragonfly