Iranian Cyberwar Grows Aggressive With Russia and Hizballah’s Help
by Maria Zuppello
May 31, 2022
Iranian cyberwar has gone global, thanks to Tehran’s strategic alliances with some of the worst geopolitical players. Analysts say that Russia has helped Iran become a cyber-power by supplying it with cyber weapons, information, and capabilities. In turn, Iran passed its expertise to its terrorist proxy Hizballah. Due to Iran’s development of cyber power, the United States, which could contain this threat for years, is now under attack.
“Ayatollah Khamenei has successfully fostered a culture in Iran centered around suspicion of the West. Westoxification has long been a concern for Iran. To blunt America’s influence in the region and around the world Iran’s soft war, from their perspective, is instrumental in their long-term rules of non-violent engagement with the United States and its allies,” said cyber security expert Charles Denyer in his upcoming book Iran’s Cyber Assault on America.
According to Israel’s National Cyber Directorate, Tehran entered “a new kind of war, all the lines have been crossed and a catastrophe could have been caused.” This revelation came after Iranian hackers attempted to launch a cyber attack in 2020 to raise chlorine to dangerous levels on an Israeli water facility.
However, Israel’s cyber-security agency was able to prevent the intrusion. The attack marked a transition in the regime’s cyberterrorism strategy from intelligence collection to sophisticated operations with the potential to do major damage. What happened in Israel might occur elsewhere, increasing the level of alertness.
And the hacking can aim to undermine American’s trust. Last October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that Iranian hackers were “likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.”
Earlier this month, federal prosecutors indicted French-Venezuelan doctor Moises Luis Zagala Gonzalez. He is accused of selling Thanos ransomware to cybercriminals associated with the Iranian government. Thanos is a dangerous software that bypasses computer protections, steals information, and blocks the owner’s access until a ransom is paid.
“The multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran,” said Breon Peace, the U.S. Attorney for Eastern New York.
Zagala’s Iranian customer was MuddyWater, a powerful group of hackers that has been working for Iran’s Intelligence and Security Ministry (MOIS) under many aliases since at least 2015.
According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
MuddyWater’s alleged leader is Farzin Karimi Marzeghan Chai (AKA Farzin Karimi), who reportedly is an Islamic Revolutionary Guard Corps (IRGC) cyber-threat actor.
In late February, U.S. and UK officials issued a warning that MuddyWater was waging a worldwide cyber espionage campaign in connection with the Russian invasion of Ukraine.
The group was “conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America” the CISA stated.
MuddyWater’s mission was to steal data, including passwords and internet access from other nations, using the Thanos ransomware. The stolen intelligence was subsequently handed to the Iranian government and its strategic allies, including Russia.
As virtual agents who may operate anywhere, Russian hackers have supplied Iran with cyber weapons and technical support over the years. Since the Stuxnet virus attack on Iran’s Natanz nuclear facility more than a decade ago, Iranian cyber activity have increased dramatically with Russian help.
The Natanz attack, which was credited to the United States and Israel, reportedly took out 1,000 centrifuges.
Iran has created specific agencies to deal with the cyber space, including the High Council of Cyberspace, under the orders of Ayatollah Khamenei. It also has more independent entities like the Iranian Cyber Army (ICA), an anonymous group able of hacking Twitter.
According to an April report published by The National Interest, Tehran has helped Hizballah create its cyber counterintelligence unit during the last decade. The outcome was surprising.
“After the collapse of the Islamic State caliphate, Hizballah has taken on the mantle of being the most sophisticated and influential Middle Eastern terrorist organization in cyberspace,” the report revealed.
The Hizballah unit, under the direction of the IRGC’s Quds Force, gathers information on Lebanese governmental institutions and bolsters Iran’s cyber defenses. In 2020, the group ran disinformation boot camps in Lebanon to build up the “electronic armies” for Iran around the region. It also conducts cyberattacks against Gulf gas and oil businesses. Jawad Hassan Nasrallah, the son of militia leader Hassan Nasrallah, works in this unit.
Iran is increasingly using Hizballah as a cyber-proxy to avoid retaliation from Western states. Since Hizballah is not a nation-state, its strategic assets are far less vulnerable to retaliation from a foreign government.
According to Israeli security company ClearSky Cyber Security, in 2019 and 2020, the Hizballah cyber unit known as Lebanese Cedar APT breached 250 global internet and mobile phone networks. Vodafone Egypt and several similar targets in Saudi Arabia and the United Arab Emirates were compromised. The Oklahoma Office of Management & Enterprise Service was among the affected American systems.
The United States is one of the countries most hit by Iranian and Hizballah hackers. The Iranian cyber spy group Charming Kitten has recently launched ransomware attacks against the United States, targeting critical infrastructure, such as Gilead Sciences, a biotech company developing a treatment for COVID-19 and businesses such as Microsoft. Charming Kitten actors sought to infiltrate U.S. politics in May 2020 by accessing the accounts of Trump administration officials and presidential campaign personnel. There is no evidence, however, that the hacking attempts resulted in data breaches. In addition, the group allegedly targeted strategic conference participants, such as the Munich Security Conference.
Rocket Kitten, another Iranian cyber group, repeatedly targeted U.S. defense industries, stealing data Tehran used to boost its missile and space programs. Its attacks show how Iran’s cyber-terrorism is a major threat to American security.
“Iran, much like other countries hostile to America, will continue their cyber assaults against us.” said Denyer. “After all, with such a large attack surface, America is arguably more vulnerable than any other country in the world. In that Iran simply cannot compete militarily with the United States in terms of conventional forces, naturally, their only real alternative is to turn to cyber as their great equalizer (at least in their eyes).”
National cyber regulations should require all enterprises and businesses to report all cyber incidents to coordinate response efforts and emergency measures. In addition, increased coordination between U.S. cyber agencies and its Western allies may be the most effective way to prevent Iran’s cyber attacks on civilian facilities, which might cost the lives of many innocents.
Maria Zuppello is an Italian investigative reporter based in Brazil and an expert on the crime-terror nexus. She is the author of the book Tropical Jihad.
Copyright © 2022. Investigative Project on Terrorism. All rights reserved