Iranian Cyberwarfare History and Capabilities

State of (Cyber)War Episode 6.3

In part III of our Middle East cyberwarfare mini-series, Hugo Tarrida and John Salomon talk about probably the most complex topic yet – Iran.

Following our analysis of the broader Middle East region, and of Israeli capabilities and activities, today’s episode is an overview of Iran – the history of its online conflict capabilities, the history behind the establishment of these, and some major cyberattacks and influence campaigns attributed to the country and its various agencies and stakeholders.

Notes and Links:

As with our previous video about Israel, it’s difficult to judge the impartiality and factualness of many websites describing Iranian capabilities. We will thus stick to Wikipedia unless there’s something better – we tend to trust most US or European government agencies’ and mainstream vendors’ analysis, and certain reputable news sites unless there is a compelling reason not to do so.

We lean a lot on “the usual suspects” such as the BBC, The Guardian, the Council on Foreign Relations, and particularly, Wikipedia; yes, we know you’re not supposed to do that. As always, do your own homework and draw your own conclusions; we’re not here to push a narrative.

We have our own views and opinions of current events. This discussion is not intended to endorse or condemn any particular viewpoint.

As with Hebrew, we don’t speak a word of Farsi. Online translations tend to be even less consistent than those for Hebrew, so again, your mileage may vary.

01:24 Because someone will inevitably get mad, and we don’t want that.
02:13 Islamic Republic of Iran Armed Forces: https://en.wikipedia.org/wiki/Islamic_Republic_of_Iran_Armed_Forces (or if you prefer the official website: https://www.president.ir/en/76724)
02:02 IRGC: https://www.cfr.org/backgrounder/irans-revolutionary-guards
02:18 IRGC, aka “Sepah” (in Iran, according to Wikipedia): https://www.cfr.org/backgrounder/irans-revolutionary-guards – a very cursory search didn’t yield an official website. Possibly they have some SEO work to do.
02:29 Quds Force: https://en.wikipedia.org/wiki/Quds_Force
02:34 Hezbollah: https://en.wikipedia.org/wiki/Hezbollah
02:35 Houthis: https://en.wikipedia.org/wiki/Houthi_movement
02:58 We may have gotten confused here – the US government has multiple pages listing sanctions on the “IRGC-CEC”, but outside of these, and news articles covering these sanctions, we can’t really find anything on this organization. There is, however, the IRGC Cyber Defense Command: https://www.globalsecurity.org/intell/world/iran/irgc-cyber.htm
03:50 A lot of information comes from either US government sanctions (see above), Iranian anti-government activist groups, and vendors/CSIRTs providing threat actor information – it is surprisingly difficult to find objective, well-researched information on IRGC and regular armed forces cyber actors. The language barrier is probably a major issue.
03:45 Information on the Supreme Council of Cyberspace (BBC: Supreme Council of Virtual Space) is slim, for example https://wilmap.stanford.edu/entries/regulatory-entity-supreme-council-cyberspace or Wikipedia’s page at https://en.wikipedia.org/wiki/Supreme_Council_of_Cyberspace_(Iran) – the official website has a lot of photos of guys in hats meeting and looking serious.
05:07 National Information Network: https://en.wikipedia.org/wiki/National_Information_Network
05:17 Great Firewall of China: https://cs.stanford.edu/people/eroberts/cs181/projects/2010-11/FreeExpressionVsSocialCohesion/china_policy.html – this comparison may be a bit of a stretch, although by some accounts we’ve read, Iran’s domestic Internet offers pretty high speeds as well as content filtering/surveillance, so maybe it’s not a terrible analogy.
06:20 Al Jazeera article on the topic: https://www.aljazeera.com/news/2024/2/24/iran-unveils-plan-for-tighter-internet-rules-to-promote-local-platforms
07:20 https://www.hackread.com/iran-biggest-cyber-army-israel/ – includes a link to INSS report on the topic (the mentioned Israeli think tank)
07:51 Honker Union: https://www.moderninsurgent.org/post/honker-union
07:57 2010, sorry. Article: https://www.zdnet.com/article/baidu-dns-records-hijacked-by-iranian-cyber-army/
08:25 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
08:32 https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran
08:44 For example: https://www.zdnet.com/article/mrbminer-crypto-mining-operation-linked-to-iranian-software-firm/ and https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a – that said, we may have gotten things a bit mixed up since there are also a lot of non-malware (of the massive-pile-of-FPGA type) Iranian cryptominers – a bunch of which were shut down in 2019 after power usage concerns: https://www.bbc.com/news/technology-48799155
09:16 Russian government entities may not be big ransomware actors, but Russian state-affiliated and state-tolerated actors are sure a different story…
09:40 A 2022 indictment of Iranian ransomware actors came alongside OFAC sanctions of IRGC-affiliated ransomware attacks around the same time: https://www.bleepingcomputer.com/news/security/us-govt-sanctions-ten-iranians-linked-to-ransomware-attacks/
10:51 https://www.bbc.com/news/world-europe-62821757
11:12 OilRig / Helix Kitten: https://attack.mitre.org/groups/G0049/
12:42 https://www.cfr.org/cyber-operations/
13:20 https://www.darkreading.com/cyberattacks-data-breaches/iran-dupes-military-contractors-govt-agencies-cybercampaign
13:52 Shamoon: https://en.wikipedia.org/wiki/Shamoon
14:00 Sony Pictures hack: https://en.wikipedia.org/wiki/2014_Sony_Pictures_hack
14:55 Operation Ababil: https://en.wikipedia.org/wiki/Operation_Ababil
15:24 Nope, not gonna link it
15:35 https://krebsonsecurity.com/tag/izz-ad-din-al-qassam-cyber-fighters/
16:37 Edalat-e Ali: https://malpedia.caad.fkie.fraunhofer.de/actor/edalat-e_ali – note that a lot of sites discussing this group seem to have a decidedly anti-regime view. Not that that’s a bad thing, but we’re really trying to keep it factual.
17:11 https://www.darkreading.com/threat-intelligence/iranian-apts-dress-up-as-hacktivists-for-disruption-influence-ops
18:18 Islamic Republic of Iran Broadcasting: https://www.abu.org.my/portfolio-item/islamic-republic-of-iran-broadcasting/ – again, the Iranian government is really not great at (at least English language/international) SEO for their own websites
18:57 https://en.wikipedia.org/wiki/Mahsa_Amini_protests
20:57 https://en.wikipedia.org/wiki/Censorship_in_Iran
21:30 https://www.techradar.com/news/using-a-vpn-may-be-a-crime-under-strict-new-iran-internet-law – according to a Persian language website linked to in the above Wikipedia article, Khamenei ordered the Supreme Council of Cyberspace to ban VPNs outright in February 2024.
23:04 AnonGhost: https://cybernews.com/cyber-war/israel-redalert-breached-anonghost-hamas/ – a lot of sites associate it with #OpIsrael, for example https://www.hackread.com/opisrael-anonghost-claims-leaking-hundreds-of-israeli-facebook-account-credentials/ – but given Anonymous’ decentralized and fluid nature, who knows (a case study on JSTOR (pdf) that makes only passing reference to #OpIsrael refers to “Anon” as a group, which it most certainly is not…)
28:18 https://www.reuters.com/fact-check/us-document-approving-8bn-military-aid-israel-is-fake-2023-10-09/
31:14 https://en.wikipedia.org/wiki/2024_Iranian_strikes_in_Israel
31:44 https://www.japantimes.co.jp/news/2024/04/17/world/politics/digital-misinformation-iran-strike
33:02 https://archive.nytimes.com/thelede.blogs.nytimes.com/2008/07/10/in-an-iranian-image-a-missile-too-many/
34:54 Press TV: https://www.presstv.ir/ – Wikipedia: https://en.wikipedia.org/wiki/Press_TV
38:06 Also check out our episode on Chinese disinformation activities, including the 50 Cent Party: https://youtu.be/xBAJ2rBKrMc

Bonus links about Iranian disinformation activities:

Natto Thoughts always has some good resources on disinformation: https://nattothoughts.substack.com/p/mideast-crisis-and-russia-cyberspace
New York Times – “From Opposite Sides of War, a Hunt for Elusive Facts”: https://www.nytimes.com/2024/01/25/business/media/misinformation-fact-checking
Israel-Hamas armed conflict resource hub: https://www.disinfo.eu/israel-hamas-resource-hub/
How Longstanding Iranian Disinformation Tactics Target Protests – https://www.washingtoninstitute.org/policy-analysis/how-longstanding-iranian-disinformationtactics-target-protests

You can find CyAN’s Secure-in-Mind YouTube channel at https://youtube.com/@cybersecadvisors – and of course, our videos about cyber conflict on the State of (Cyber)War playlist here. All of our episodes are also available in audio format on Apple iTunes, Amazon Audible, Podcast Republic, Spotify, and Libsyn – links on our Media page.