In November 2020, as results for the closely watched and hotly contested United States presidential and congressional elections began to emerge, hackers gained access to at least one website announcing results. They were thwarted, but it took the resources of the US military and the Department of Homeland Security to block what could have turned into another attempt to spread doubts and confusion about a vote that would eventually threaten to undermine US democracy some weeks later.
The culprit in the attack, according to US officials and tech professionals cited by The Washington Post, was a hacking group operating out of or at the direction of Iran—an increasingly powerful state actor in the world of cyber warfare.
The Islamic Republic has been steadily improving and sharpening its cyber warfare, cyber espionage, and electronic sabotage abilities, staging complex operations that, while not always successful, show what experts in the field describe as devious inventiveness.
In addition to its nuclear ambitions, its refining of missile technologies, and cultivation of armed ideologically motivated proxy paramilitary groups, Iran’s electronic warfare and intelligence operations are emerging as yet another worry about the country’s international posture.
The cyber realm fits snugly into Iran’s security arsenal. It is characterized by the asymmetricity, clandestinity, and plausible deniability that complement the proxy and shadow operations that have long been Islamic Republic’s favored tools for decades.
Iran’s most aggressive cyber realm actions are also powered by a sense of righteous grievance and resentment, emotional and ideological motivations that have long energized the clerical establishment. After all, it was US and Israeli spy agencies that, according to many experts, launched the era of cyber warfare by deploying the Stuxnet virus against the country’s controversial nuclear program in 2010, damaging hundreds of its centrifuges. Tehran is proud that its growing army of techies is catching up and, in some ways, surpassing the West at its own games.
Iran’s cyber efforts have been steadily broadening. They range from attempting to hack into defense, civil society, and private systems abroad to harassment campaigns against opponents in the diaspora. Experts closely watching Iran’s Internet and electronic warfare activities have detected an escalation of its abilities and ambitions in recent months. In early May, Microsoft issued a warning about Iran’s increasingly aggressive and sophisticated tactics.
“Iranian cyber actors have been at the forefront of cyber-enabled influence operations, in which they combine offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives,” said the report by Microsoft’s Clint Watts, a former FBI cybersecurity expert.
In particular, Iran appears to be building complex tactics that merge cyber and real world operations to lure people into kidnappings. This new form of transnational repression has alarmed security professionals and governments worldwide.
“We’re seeing an evolution over time of this actor evolving and using their techniques in ever more complex ways,” Sherrod DeGrippo, a former head of threat research and detection at the cyber security firm Proofpoint told me in January. “Iran is seen in the big four of the main actors. It is really stepping onto the stage and evolving what it’s doing.”
One particularly nefarious tactic that they are using is creating fake personas in the form of researchers who approach targets and try to glean information or lure them out into the open for suspected kidnapping practices. Through my research in Turkey, we learned that it is quite possible Iranian intelligence operatives have infiltrated the Turkish mobile phone networks and are using the data to track dissidents in the country. In one instance, a vocal dissident journalist received a message identifying a cafe near her home that she walked past every day. She was so terrified that she refused to leave her home for months and wound up obtaining asylum in a Western country.
In another instance, a dissident living in Turkey received messages with photographs of recent tourist sites he had visited on a trip to Istanbul. The speculation is that Iran had managed to purchase or surreptitiously access tracking data for their phones and use it to intimidate them.
According to a December 2022 report by ProofPoint, Iran’s cyber activities have gone beyond anonymous hacks and phishing campaigns to include made-up personas meant to lure people out into the open and in at least one alleged attempt, a kidnapping attempt. Sometimes alleged Iranian operatives use US or Western phone numbers to register WhatsApp accounts which can obscure their identities.
Last year, Israel’s domestic security service Shin Bet uncovered an alleged plot to use false identities with robust and complex legends to lure businessmen and scholars abroad in what security officials suspect were Iranian kidnapping plots. In one case, an operative pretending to be a prominent Swiss political scientist invited Israelis to a conference abroad. A number of Israelis were on the verge of traveling before the plot was exposed.
Experts are also noticing that Iran is getting better and better at creating virtual honey traps. “They’re evolving their ability to create personas,” said DeGrippo, who has since moved to Microsoft. “They’ve used these personas that are mildly attractive. They like to use women’s names, as they have learned that they get a bit more interaction and success when they use female personas.”
The US and other Western countries are well aware of the threat posed by Iranian cyber operations and have taken steps to counter them. But Iran’s state-sponsored program continues to evolve. Tehran likely believes the cyber capabilities give it leverage to yield information without the messiness of a hostage crisis, the headlines of a boat seizure, the riskiness of a human intelligence operation, or the potential retribution of a missile strike.
In January, the London cyber security firm Secureworks published a report on the emergence of a new likely Iranian hacking collective called Abraham’s Ax, which aimed to use leaks and hacks to prevent the expansion of the Abraham Accords normalizing ties between Israel and some Arab states. The collective leaked allegedly stolen from the Saudi Ministry of the Interior and a recording said to be an intercepted phone conversation between Saudi ministers.
“There are clear political motivations behind this group with information operations designed to destabilize delicate Israeli-Saudi Arabian relations,” Rafe Pilling, a researcher at Secureworks, was quoted as saying.
Less than two months later, in March, Saudi Arabia signed a deal to resume ties with Iran rather than commence them with Israel, as many in Washington and Jerusalem were expecting.
While Prime Minister Benjamin Netanyahu’s hardline government and his rightwing policies likely played a major role in Saudi’s decision to hold off on joining the Abraham Accords, Riyadh’s hopes that it could rein Iran’s diverse array of threats—including its increasing cyber warfare capabilities—likely played a role in its decision to pen the China-brokered deal with Tehran.
Iran invests in its cyber warfare program because it works.
Borzou Daragahi is an international correspondent for The Independent. He has covered the Middle East and North Africa since 2002. He is also a nonresident fellow with the Atlantic Council’s Middle East Security Initiative. Follow him on Twitter: @borzou.
Image: Flag of Iran displayed on a laptop screen and binary code displayed on a screen are seen in this multiple exposure illustration photo taken in Krakow, Poland on September 27, 2022. (Photo by Jakub Porzycki/NurPhoto)