Microsoft detects Iran turning to cyber-enabled influence operations for greater effect

Microsoft identified that Iran continues to be a significant threat actor, supplementing its traditional cyberattacks with a new playbook that leverages cyber-enabled influence operations (IO) to achieve its geopolitical aims. The report also covered Iran’s attempts at conducting higher-impact cyberattacks against operational technology (OT) environments.

“Iran is likely to continue leveraging its newfound penchant for cyber-enabled IO to keep pace with external pressure, in part to overcome shortcomings in its cyber threat capabilities relative to the attacks it has faced,” Microsoft said in a report titled ‘Iran turning to cyber-enabled influence operations for greater effect,’ released Tuesday. “At the same time, Iranian cyber actors are likely seeking greater cyberattack capabilities to achieve the regime’s desire for proportional retaliation. In fact, there remain occasional outliers that demonstrate efforts along these lines.”

Microsoft observed that Iran’s cyber-enabled influence operations have sought to retaliate for cyberattacks or cyber-enabled IO against Iran on multiple occasions. “We assess that most of Iran’s cyber-enabled influence operations are being run by Emennet Pasargad – which we track as Cotton Sandstorm (formerly NEPTUNIUM) – an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US Presidential Elections,” Clint Watts, general manager of Microsoft’s Digital Threat Analysis Center, wrote in a blog post.

Watts identified that though Iran’s techniques may have changed, its targets have not. “These operations remain focused on Israel, prominent Iranian opposition figures and groups, and Tehran’s Gulf state adversaries. More broadly speaking, Iran directed nearly a quarter (23%) of its cyber operations against Israel between October of 2022 and March of 2023, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts.”

“As some Iranian threat groups have turned to cyber-enabled IO, we have detected a corresponding decline in Iran’s use of ransomware or wiper attacks, for which they had become prolific in the past two years,” according to Watts. “At the same time, the future threat of increasingly destructive Iranian cyberattacks remains, particularly against Israel and the United States, as some Iranian groups are likely seeking cyberattack capabilities against industrial control systems. Iranian cyberattacks and influence operations are likely to remain focused on retaliating against foreign cyberattacks and perceived incitement of protests inside Iran.”

Iranian cyber actors have been at the forefront of cyber-enabled IO, in which they combine offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives. The goals of its cyber-enabled IO have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties, with a particular focus on sowing panic and fear among Israeli citizens.

Iran has also adopted cyber-enabled IO to undercut the momentum of nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or expose their ‘corrupt’ relationships.

Most of these operations have a predictable playbook, in which Iran uses a cyber persona to publicize and exaggerate a low-sophistication cyberattack before seemingly unassociated inauthentic online personas amplify and often further hype the impact of the attacks, using the language of the target audience. New Iranian influence techniques include their use of SMS messaging and victim impersonation to enhance the effectiveness of their amplification.

In its report, Microsoft covered that early last month an Iran-linked group was most likely behind a cyberattack that disabled the water controllers of at least ten Israeli farms, replacing the image on programmable logic controllers (PLCs) with the message ‘Down with Israel.’ The image was identical to one used in a probable Iranian cyberattack against Israel Post in January 2022, days after an Iranian state broadcast was disrupted with the message ‘Down with Khamenei.’ 

In September, industrial cybersecurity company OTORIO published details of the GhostSec hacktivist group, which gained control over 55 Berghof PLCs across Israeli organizations and platforms. The firm said at the time that GhostSec, which had previously been observed targeting Israeli organizations, announced on social media and its Telegram channel that it had successfully breached the devices. By October, OTORIO said that the GhostSec hacktivist group had turned its support to the Hijab protests in Iran.

“Prior to the most recent attack on Israel’s water system, Microsoft Threat Intelligence detected an Iranian actor conducting reconnaissance of an Israeli water company in mid-2022 and scanning the web interfaces of Israel-based industrial control systems in December 2022,” according to the report. “We do not know if that actor was involved in this latest attack.”
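The reconnaissance described above is usually visible in the access log of the exposed controller web interface long before any defacement. The following is an added example, not code from Microsoft’s report or from any vendor: a small detector that parses combined-format access log lines and flags a client that touches many distinct paths and collects several 401/404 responses inside a short window, which is how an automated scan of an HMI or PLC web interface looks next to a normal operator login. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (Apache/nginx "combined" format) for a
# hypothetical PLC/HMI web interface. None of these come from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.7 - - [12/Dec/2022:10:01:03 +0000] "GET /login.html HTTP/1.1" 200 1024 "-" "python-requests/2.28"
203.0.113.7 - - [12/Dec/2022:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "python-requests/2.28"
203.0.113.7 - - [12/Dec/2022:10:01:04 +0000] "GET /admin HTTP/1.1" 401 0 "-" "python-requests/2.28"
203.0.113.7 - - [12/Dec/2022:10:01:04 +0000] "GET /config.xml HTTP/1.1" 404 0 "-" "python-requests/2.28"
203.0.113.7 - - [12/Dec/2022:10:01:05 +0000] "GET /plc/info HTTP/1.1" 404 0 "-" "python-requests/2.28"
198.51.100.20 - operator [12/Dec/2022:10:15:00 +0000] "GET /login.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.20 - operator [12/Dec/2022:10:15:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - operator [12/Dec/2022:10:16:00 +0000] "GET /dashboard HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events


def detect_recon(events, window=timedelta(minutes=5), min_paths=4, min_errors=2):
    """Flag client IPs that, within `window`, request many distinct paths and
    collect several 401/404 responses. That combination is the footprint of
    someone mapping an exposed controller interface, not of an operator who
    loads the login page and goes to the dashboard. Thresholds are assumptions
    to be tuned per site; the result holds the last qualifying window per IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            paths = {e["path"] for e in span}
            errors = sum(1 for e in span if e["status"] in (401, 404))
            if len(paths) >= min_paths and errors >= min_errors:
                flagged[ip] = {
                    "distinct_paths": len(paths),
                    "error_responses": errors,
                    "user_agents": sorted({e["ua"] for e in span}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_recon(parse_log(SAMPLE_LOG)).items():
        print(f"possible web-interface reconnaissance from {ip}: {info}")
```

On the constructed sample the scripted client is flagged (six distinct paths, four error responses, a scripting user agent) while the operator session is not. In practice the same logic runs as a scheduled query over the collected logs, and the user-agent list in the output is the quickest triage field: a controller interface should almost never be browsed by an HTTP library.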

In June, Moses Staff amplified a cyberattack that set off emergency rocket sirens in Israel using software that adjusts Audio over Internet Protocol (AoIP) networks. Microsoft assesses that an Iran-affiliated actor was also responsible for the cyberattack on the alarm system, but said it does not have indications linking that group with Moses Staff.

The report added that “classified documents leaked by a British news outlet in July 2021 indicate that in 2020 an IRGC unit was conducting research into vulnerabilities in PLCs and methods of remotely adjusting the controls of fuel pumps at petrol stations and ballast water on cargo ships, which could disrupt a ship’s operations.”

Microsoft also identified that Iran’s integration of cyber and influence operations has accelerated since June last year. It linked 24 unique cyber-enabled influence operations to the Iranian government in 2022, including 17 since mid-June, compared to seven in 2021. “The rise in these operations, which may be partly attributable to improvements in our detection capabilities, has corresponded with a decline in ransomware or wiper attacks by groups linked to Iran’s military, notably the Islamic Revolutionary Guard Corps (IRGC),” it added. 

As we previously reported, Microsoft detected a spike in such attacks from IRGC and Ministry of Intelligence and Security (MOIS) groups from 2020 to mid-2022. The IRGC’s latest string of cyber-enabled IO in the last year has leveraged low-impact, low-sophistication cyberattacks, such as defacements, which are less time and resource intensive, while dedicating more effort to its multi-pronged amplification methods.

Last September, a transnational cybersecurity advisory (CSA) was issued that highlighted continued malicious cyber activity by advanced persistent threat (APT) hackers affiliated with the IRGC. The advisory reveals these IRGC-affiliated cyber attackers continue to exploit known vulnerabilities on unprotected networks to extort and ransom victims, including U.S. critical infrastructure organizations.
