Global | Disruptive cyber threat from Iran

Iran is highly likely to remain one of the most disruptive cyber threat actors globally over 2023.

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 3 March 2023.

• Iran is highly likely to remain a highly disruptive and retaliatory cyber threat actor over the coming year
• Iran-state-sponsored cyber groups appear to have intensified their operations against infrastructure over the past year or so, and have widened their scope of attacks against countries globally
• We anticipate that Iran will be highly motivated to conduct data-compromising and disruptive cyber operations, including ransomware, in the coming year, particularly against Israel

Iran-state-sponsored groups have increasingly focused on compromising networks or disrupting systems of organisations and critical infrastructure in the past year or so. And they seem to have expanded the number of countries they have targeted with ransomware or hack-and-leak attacks, notably in Albania. We anticipate that these trends will continue throughout 2023. This is as Iran seeks to degrade, intimidate or retaliate against its adversaries, or entities that it perceives are working against its interests.

We also assess that Iran-state-sponsored groups will continue to be highly active in pursuing cyber espionage, online intelligence gathering and cyber influence operations globally. Iran has a well-established strategy of cyber espionage campaigns targeting critical industries and government agencies, particularly in the US and the Middle East. This will almost certainly remain a priority. It has also targeted NGOs, academic organisations and the defence sector. Some of these operations were probably designed to acquire intellectual property and enhance Iran’s technological capabilities.

Geopolitical and domestic political dynamics drive cyber operations

Iran appears to have placed an increasing focus and reliance on hostile cyber operations. In a sign of this, Microsoft’s Digital Defense Report for 2022 said that Iran and affiliated cyber groups have become ’increasingly aggressive’ since Ebrahim Raisi became president in 2021; he is much more outwardly hostile towards the West than his predecessor. Such operations have included more frequent ransomware and data deletion attacks against Israel. And the report stated that based on Microsoft data, Iranian targeting of critical infrastructure globally reached its highest levels between July 2021 and June 2022 since the same period in 2018-2019.

Iran and its affiliated groups are very likely to increase the frequency of hostile operations on adversary infrastructure in 2023 and into 2024. This is based on their current trend of targeting infrastructure in some countries for network compromise or destructive attacks; these have been most common in Israel, the US and the UAE, according to Microsoft. But this is also because of converging domestic and geopolitical dynamics. These include hardening anti-Western rhetoric by Iran, negative prospects for a deal on Iran’s nuclear programme and intensifying hostilities between the new Israeli government and Iran.

Wider scope of operations and targets

The Iranian threat of data-compromising and disruptive attacks, such as ransomware, is also highly likely to extend beyond these countries this year. Microsoft said that in 2022, Iran expanded ransomware attacks to ‘US and EU victims’. This is even though the intended motivations behind those operations have appeared broadly unchanged. These have included attempts by Iran to retaliate against countries, entities or individuals that it perceives are working against its interests, and hostile to the Islamic Republic or Islam. Recent examples include:

• In January 2023, Microsoft said that the Iranian private cyber company Emmennet Pasargad conducted a hack-and-leak operation against the French magazine, Charlie Hebdo, exposing customers’ data. It did this following the publishing of a satirical cartoon of the Iranian Supreme Leader Ali Khamenei by the outlet
• In July 2022, the Albanian government blamed Iran for a disruptive ransomware attack on its institutions, which leaked government information. This occurred ahead of, and led to the postponement of, a summit organised by the Iranian opposition MEK group in Albania in July
• In September 2022, following that incident, the Albanian prime minister blamed Iranian hackers for disrupting border control platforms in a malware attack, which caused delays at border points

Such attacks fit with Iran’s long-standing efforts to target rival states, dissidents and critics of the regime, including through physical attacks and sabotage. But cyber operations, which do not have geographical restraints, allow Iran to target states (or entities and individuals) in places where it may not have established proxies, or local groups or sympathisers. This seems to have been the case in the incidents against Charlie Hebdo in France and the Albanian government. And even though Albania cut off diplomatic relations with Iran following the July 2022 attacks, we doubt that this would diminish the intent of Iran-state-sponsored groups to pursue disruptive and retaliatory cyber operations.

Disruptive operations on critical infrastructure

The risk of direct targeting against sectors of priority focus to Tehran is likely to rise in the long term. Critical infrastructure sectors that Iran will probably continue to target in hostile cyber operations include:

• Defence
• Energy, particularly oil and gas
• Water supplies
• Transportation, including transit systems and aviation
• Government facilities

That risk is particularly heightened in well-established target countries such as Israel, Saudi Arabia and the US. For example, in 2022 an Iran-backed group hacked the computers of an Israeli logistics company, forcing it to shut down its computers and part of its operations. And Iran-backed groups have previously demonstrated their capability to effectively deploy malware to erase data on victim systems such as on Saudi Aramco in 2012.

Iran is probably highly motivated to cause prolonged downtime or loss of critical services in Israel, particularly during periods of heightened tensions. These would most likely include defence, utilities, logistics and transportation sectors, based on past incidents. But it is likely also motivated to conduct pre-positioning and reconnaissance operations on the critical infrastructure systems of priority sectors to Iran in the US, as well as European countries. This is particularly to facilitate future potential execution of disruptive ransom- or malware on sectors that Tehran has blamed Israel and the US for targeting in Iran.