
In cyber attacks, Iran is showing signs of improved hacking capabilities

Iranian hackers are waging a sophisticated espionage campaign targeting the country’s rivals in the Middle East as well as key defense and intelligence agencies, according to a leading Israeli-American cybersecurity firm. This is a sign of how Iran’s rapidly improving cyber attacks have become a new, important part of a shadow war.

Over the past year, the hackers have attacked countries including Israel, Saudi Arabia and Jordan in a months-long campaign linked to Iran’s Ministry of Intelligence and Security, according to a new report from the company, Check Point.

The Iranian hackers appeared to access emails from a range of targets, including government employees, military, telecommunications companies and financial organizations, the report said.

The malware used to infiltrate the computers also appeared to map the networks the hackers broke into, giving Iran a blueprint of foreign cyber infrastructure that could be useful in planning and executing future attacks.

“The primary objective of this operation is espionage,” Check Point security experts wrote in the report, adding that the approach was “significantly more sophisticated compared to previous activities” that Check Point had linked to Iran.

Iran’s mission to the United Nations did not respond Monday to an inquiry about the hack. But Iranian Defense Minister Brig. General Mohammad Reza Ashtiani, speaking to his country’s defense officials last week, said that given the current complex security situation in the Middle East, Iran had to redefine its national defense beyond its geographical borders.

He said this meant deploying new war strategies to defend Iran, including the use of space, cyberspace and other means. “Our enemies know that if they make one mistake, the Islamic Republic of Iran will respond with force,” General Ashtiani said, according to Iranian media.

While the report did not specify what data, if any, Iran had collected, Check Point said the hacking campaign successfully broke into computers linked to the Saudi Arabian Ministry of Defense, as well as agencies, banks and telecom companies in several other Middle East countries, including Jordan, Kuwait and Oman. The report also did not specify which Israeli systems had been hacked.

A senior Israeli official dealing with cyber issues has confirmed that an attack by a group known as LionTail against local and national government agencies and various institutions in Israel has been underway in recent months. The official said the attacks are being identified and handled by Shin Bet, Israel’s domestic security agency, and Israel’s National Cyber Directorate.

Another official said LionTail is one of 15 groups affiliated directly or as a proxy with Iran’s Revolutionary Guards or Iran’s Ministry of Intelligence.

The second Israeli official added that in recent months there have been attempts by Iranian cyber groups or those belonging to Hamas or Hezbollah to hack cameras in Israel, including private cameras near the border with Lebanon, and that the National Cyber Directorate has issued an urgent warning to the public with instructions on how to better secure the cameras.

The Saudi government’s Center for International Communications, which handles media inquiries, did not immediately respond to a request for comment on Monday. Jordan’s information minister did not immediately respond to a similar request.

The cyber attacks mark a new phase in a digital conflict between Iran and its rivals. The widespread and surprisingly sophisticated hacks underscored how Iran has found ways to strike back in an arena where it has been outgunned, according to Check Point.

“This is the most sophisticated and stealthy Iranian cyberattack we have ever seen,” said Sergey Shykevich, who oversees threat intelligence at Check Point and led research for the report. “There is a clear common denominator among the victims we have seen in the Middle East: whether they come from the government, financial or NGO sectors – they are all a top priority for the Iranian government.”

The campaign follows a series of other Iranian cyberattacks over the past two years, experts said, including one targeting critical U.S. infrastructure and another that attempted to impersonate a nuclear expert at a U.S. research institute.

Microsoft researchers said earlier this year that Iran was performing more advanced operations which aimed to undermine warming ties between Israel and Saudi Arabia and foment unrest in Bahrain. According to the Check Point report, Iran’s latest attack may be its most successful yet as it helped the country gain potentially critical information and knowledge that could aid in future cyber attacks.

“The attackers were able to [collect] large amounts of data undetected over a long period of time, from days to months, obtaining potentially important and sensitive data that could serve them for a variety of purposes,” Mr. Shykevich said.

“Some of the information obtained by Iran from previous cyber attacks in the past was used by them long after the attack took place,” he added. “This may indicate that this particular campaign, with its breadth and sophistication, could be useful to Iran for years to come.”

The quiet but persistent campaign amounts to a kind of Iranian counter-offensive in a digital shadow war that has been raging against countries like Israel for more than a decade, and in which Tehran is at a disadvantage. It underlines Iran’s rapidly improving capabilities and its determination to break into the networks of regional rivals at a time when tensions in the Middle East have spiraled into war.

For years, Israel and Iran have been engaged in a secret war, by land, sea, air and computer, but the targets have usually been military or government-related. Two years ago, cyberwar expanded and targeted civilians on a large scale. Suddenly, millions of ordinary people in Iran and Israel found themselves in the crossfire of a cyberwar between their countries.

Iran has accused Israel of a hack that shut down some of the country’s gas stations in 2021, leaving motorists without fuel. In Israel, hundreds of thousands of people panicked when they learned their private information had been stolen from an LGBTQ dating site and uploaded to social media, one of a series of attacks by cyber groups linked to Iran.

The latest cyber attacks, according to Check Point, are notable for how the Iranians have reworked malware they once used to steal data openly into a less detectable tool for collecting vast amounts of secret government data, similar to wiretapping.

The code bore striking similarities to a program used to attack the Albanian government last year, Check Point said. That hack, in which a large amount of sensitive police data was collected and posted online, prompted Albania to sever diplomatic ties with Iran, which officially denied responsibility.

The malware exploits a known vulnerability in outdated versions of Microsoft Windows servers. After infecting a vulnerable computer, the program burrows deep into the network, in some cases for months, where it silently collects data and sends it back to Iran. Check Point noted that the attackers were able to customize the malware for any network, exposing the growing extent of Iran’s cyber capabilities.

When the world was introduced to the powers of hacking, Iran was initially perhaps the best-known victim of the real-world impact of digital weapons. In 2010, centrifuges from an Iranian nuclear power plant were hijacked by a cyberweapon built and used by the United States and Israel. Over the course of a year, the cyber weapon called Stuxnet was used to manipulate Iranian nuclear equipment and later destroy some of its facilities.

At the time, experts in the United States said Iran’s hacking capabilities were clumsy and elementary. But Stuxnet “was a big wake-up call,” said Adam Meyers, senior vice president of Counter Adversary Operations at the cybersecurity firm CrowdStrike. “What we saw after Stuxnet was that Iranian threat actors started to professionalize.”

Mr. Meyers also noted an increase in regional cyber activity after the Iran nuclear deal came into effect in late 2015. “Iranian threat actors stopped attacking the West” and focused their energies on regional targets, he said.

In recent years, cybersecurity groups have warned about Iran’s rapidly evolving capabilities as it has narrowed the gap with other U.S. rivals such as Russia and China. In particular, officials have said that a new burst of cyberattacks began in 2018 after President Donald J. Trump withdrew from the Iran nuclear deal.

By 2019, Iran had targeted more than half a dozen U.S. government agencies with hacks that exploited underlying weaknesses in the internet’s backbone and made them harder to detect.

Vivian Nereim contributed reporting from Riyadh, Saudi Arabia, and Farnaz Fassihi from New York.
