Google reports on Iran’s cyber operations targeting Israel, American critical infrastructure

New research by Google’s Threat Analysis Group (TAG) and Mandiant Intelligence disclosed that Iran extensively employed cyber operations to gather information and cause disruption in the years before the October 7, 2023 attack, and that it continues to do so. Disruptive operations focused on Israel, where Iran has long conducted cyber attacks against key Israeli organizations, but they also affected American critical infrastructure. Google’s data likewise showed Iran’s espionage operations concentrating on Israel and the U.S. while also impacting other countries in the region.

The report titled ‘Tool of First Resort – Israel-Hamas War in Cyber’ said that Hamas-linked groups were active with typical operations through September 2023, “with no observable increase in activity leading up to October 7, and we have not observed significant activity since then. Activity prior to the conflict included mass phishing campaigns targeting Palestine and its regional neighbors and persistent efforts to target Israeli entities with a variety of custom and open-source cyber capabilities, including Android malware. These campaigns were in line with historic cyber activity by Hamas-linked actors,” it added.

A noteworthy detail from Google was the targeting of Iranian critical infrastructure with disruptive attacks, later claimed by the persona ‘Gonjeshke Darande’ (Predatory Sparrow). The report mentioned that Iranian gas stations were disrupted following public warnings from the same persona, an incident Iran has attributed to Israel. The report also noted that this actor, tied to prior attacks in Iran, claimed responsibility for disrupting Iranian critical infrastructure in response to the October 7 attacks.

“In December 2023, Gonjeshke Darande claimed another major attack, saying that they had taken a majority of gas stations in Iran offline. Iran’s Oil Minister, who blamed Israel and the US for the attacks, confirmed the impact,” Google reported. “In the posts claiming these attacks, Gonjeshke Darande said, ‘This cyber-attack comes in response to the aggression of the Islamic Republic and its proxies in the region.’ The hacking group has claimed restraint, emphasizing that their operations were designed to disrupt and demonstrate capability, rather than cause lasting damage. Iran has stated that it believes Israel is behind the Gonjeshke Darande attacks.” 

The report added that “We do not have sufficient evidence to evaluate claims of attribution for Gonjeshke Darande activity.”

“Since our 2023 report of the Russian war in Ukraine, we’ve seen several of our assessments play out,” Sandra Joyce, vice president at Mandiant Intelligence – Google Cloud, and Shane Huntley, senior director for Threat Analysis Group, wrote in a Wednesday blog post. “This included Russian government-backed attackers continuing their cyber attacks against Ukraine and NATO partners, and Russian government-backed attackers continuing to target multiple sectors in Ukraine and regionally, including high profile individuals in NGOs, former intelligence and military officials and NATO governments.”

They added that during the lead-up to Ukraine’s counteroffensive in June 2023, “we also saw an increase in the frequency and scope of APT29 phishing operations, including an intensification of operations centered on foreign embassies in Ukraine and later, a spike in destructive attacks against Kyivstar and Parkovy. Moscow also continues to pair cyber attacks with kinetic activity.”

The post also outlined that cyber activity surrounding the Israel-Hamas war, however, is very different from the war in Ukraine. “Unlike the attack on Ukraine, we did not observe a spike in cyber operations against Israeli targets before the attack, and have no indication that cyber activity was integrated into Hamas battlefield operations, or used to enable kinetic events.”

The Google report pointed out that after October 7, “we’ve seen a focused effort to undercut support for the war among both the Israeli public and the broader global populace, including hack-and-leak and information operations to demoralize Israeli citizens, erode their trust in national organizations, and cast Israel’s actions in a negative light. These operations are consistent with longstanding Iranian efforts to target Western organizations across sectors, including recent attempts to compromise US critical infrastructure.”

Google outlined that, over the past several years, Iran has committed significant resources to digital influence efforts, including hack-and-leak and information operations. Hack-and-leak operations involve a two-step process: compromise potential victims, then release the extracted data with the intent to influence. Iranian actors have typically followed a common template: conduct intrusion activity against a target; announce the hack using a fictitious persona; and use sock puppet accounts on social media to amplify the leak or defacement.

Recent operations have used personas including Cyber Aveng3rs, Soldiers of Solomon, Abnaa Al-Saada, Karma, Malek Team, Cyber Flood, and CyberToufan. Recent pro-Iran hack-and-leak groups have made claims — largely exaggerated and misleading — of hacks against Israeli critical infrastructure, including energy infrastructure. These groups publicized their claims on social media and via email, citing evidence demonstrating their alleged access to security cameras and other webcams in Israel. 

Google notes that the claims of attack are likely intended as much to shape the information environment and create the perception of weakness in Israeli defenses, as for any tangible physical effect. 

Discussing the Cyber Aveng3rs hacker persona, likely backed by Iran’s Islamic Revolutionary Guard Corps (IRGC), Google said that the group claimed credit for the attack and took over a control panel’s digital display screen to make it read: ‘Every equipment ‘Made in Israel’ is Cyber Av3ngers legal target.’

“The Cyber Aveng3rs persona was created in 2020, but it was mostly inactive from July 2020 to July 2023. It has previously targeted critical infrastructure, oil and gas, transportation, and technology companies through distributed denial-of-service (DDoS) attacks, hack-and-leak operations, data destruction, and other disruptive activities,” Google reported. “Despite multiple broad claims of activity against significant targets, we have not observed significant impact associated with these claims, and we judge that the persona has likely overstated or fabricated its attacks. As with other pro-Iran hacktivist personas, these activities are likely intended primarily to create the perception that Israel is endangered or besieged, rather than cause significant physical impact.”

The observations in the Google report point to several broader forward-looking assessments for the security community in 2024. 

  • Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, to include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen.
  • Hack-and-leak and information operations (IO) will remain a key component in these efforts to telegraph intent and capability throughout the war, both to Iran’s adversaries and to other audiences that Iran seeks to influence.
  • While the outlook for future cyber operations by Hamas-linked actors is uncertain in the near term, we anticipate Hamas cyber activity will eventually resume, with a focus on espionage for intelligence gathering on intra-Palestine affairs, Israel, the US, Europe, and other regional players in the Middle East.

The report also points out that it is clear that cyber will play a prominent role in major armed conflicts going forward. 

Earlier this month, Microsoft disclosed that there has been a noticeable increase in cyberattacks and influence operations carried out by Iranian government-aligned actors following the October 2023 attack by Hamas on Israel. The objective of these activities is to support Hamas and undermine Israel, as well as its political allies and business partners. While some of Iran’s initial operations were disorganized and rushed, suggesting a lack of coordination with Hamas, they have nonetheless experienced growing success.
