Threat actors in Iran are increasingly relying on a tactic that Microsoft researchers call “cyber-enabled influence operations,” where they use inauthentic online personas to exaggerate unsophisticated cyberattacks, with the aim of sowing fear, stirring up unrest and achieving various geopolitical goals.
Microsoft researchers said the bulk of these operations are being executed by Iranian state actor Emennet Pasargad, which has been sanctioned by the U.S. Treasury Department and is known for its attempts to weaken the integrity of the 2020 U.S. presidential elections. However, Microsoft said it has seen several Iranian threat actors beyond Emennet Pasargad utilizing this tactic. Last year, Microsoft linked 24 influence operations to the Iranian government, a rise from the seven influence operations observed in 2021.
At the same time, researchers found a decline in ransomware and wiper attacks deployed by threat groups linked to Iran's military, a noteworthy development given that Iranian groups had fully adopted these types of attacks over the past two years.
“Multiple Iranian state groups have turned to cyber-enabled IO more regularly since June 2022 to boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities,” said Microsoft researchers in a Tuesday post. “More fundamentally, they have combined offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives.”
The operations launched by these threat actors continue to target Israel (with 23 percent of the cyber operations observed between October 2022 and March 2023 targeting Israel, as well as the U.S., UAE and Saudi Arabia), Iranian opposition groups and Gulf state enemies of Tehran. In the past year, Iran-linked influence operations have aimed to push narratives that bolster Palestinian resistance, stir up Shi’ite unrest in Bahrain, disrupt Arab-Israeli ties and sow fear among Israelis.
For instance, on Black Friday in November 2022, an online persona under the alias BlackMagic claimed to have defaced several Israeli websites and leaked shipping and personal data from logistics companies. Researchers said the persona was likely run by an Iranian threat group. There was no evidence supporting BlackMagic's claims, they said; instead, the persona appeared to be fueling a narrative of disrupted retail shipping in order to create panic among Israelis.
Threat actors have also adopted a number of tactics for pushing online narratives as part of these influence operations, including using SMS messaging to contact a target audience and impersonating “victims” of purported compromises to lend credibility to claims that a cyberattack had occurred. Though many Iranian threat actors’ cyberattacks have previously lacked sophistication, that may be changing at a broader scale, as the attackers are more rapidly exploiting newly reported vulnerabilities, such as the known Zoho ManageEngine remote code execution flaw (CVE-2022-47966), and using more custom tooling, said researchers.
“Iranian cyberattacks and influence operations are likely to remain focused on retaliating against foreign cyberattacks and perceived incitement of protests inside Iran,” said researchers. “Israel, followed by the United States, is likely at highest risk for future such operations, particularly in the near term given Iran’s rapprochement with Saudi Arabia and diplomatic blitz of other Arab Gulf nations in March.”