Threat-hunter says Iran is stepping up the sophistication of its cyberattacks

Gil Messing: When have we not? Our mode of operation is that we monitor hundreds of millions of logs every second all over the internet. So, we’re not just monitoring Iran — we’re monitoring any cyberattack that happens anywhere. And when it comes to specific markets in the Middle East, such as Israel, Iran is probably the most prominent cyber-offensive player in the region and one of the biggest in the world.

Yes, first of all, they’re very focused on specific targets. You could see them mostly in government agencies or ministries. You could see them in companies that host large amounts of data. And what we’ve seen in recent years is that most of these attacks are gradual. They would start by infecting the entity or the target they’re looking for. They could stay inside the network for anything from weeks to months. They’re becoming much more evasive and sophisticated. And I think that the resources they’re putting into this are much more significant. There are at least two government ministries in Iran, the Revolutionary Guards and the Ministry of Intelligence, that have heavily invested in cyberattacks.

It’s all of the above, actually. Let’s take a real-life example. Many of the attacks that Iran has carried out against targets in the Middle East started off with social engineering — a direct message on LinkedIn, a phishing email, etc. If we go back three years, you will see that they’re always trying to use the local language or English. And their translation was flawed. You could see grammar mistakes [and] spelling mistakes. Now it’s flawless.

Yes, in the past, you could spot [Iranian hackers] easily. Now, I have seen very, very, very high-profile entities with great cybersecurity, in which the malware was undetected for months because it was super invasive. This is not a capability they used to have a year ago. And this is [what] we know. You could just imagine things that we don’t know.

In retrospect, we could see very interesting attacks that started before Oct. 7, which I can’t officially link them to Hamas or to, specifically, the war. But you could see how the same actors were prominent before Oct. 7 and right after Oct. 7. I can’t say I have proof it’s linked, but it’s definitely interesting in retrospect. Oct. 7 wasn’t a turning point for us. We had our guards up and our sense [was] that something was happening a bit before. I want to tell you one specific story that I personally handled. On Friday evening, the day before the attack, one of our researchers called me and said, “Look, there’s a group that says that it’s responsible for electricity shutdowns in a city in the south of Israel. They’ve just published a video claiming responsibility for these attacks.” They said that they’d attacked the electricity company, which was later found to be false. But I know this municipality pretty well, and I reached out and [asked] them about the electricity shutdowns: “Did you have any of those?” [The municipality] said, “Thank you for letting us know. We did have electricity shutdowns in the month before that, [but] we can’t say any system was infiltrated.” Thirty minutes later, I got a text message from the mayor showing me a screenshot of a text he got on his personal phone from the group saying, “Mr. Mayor, we are the ones attacking your city because of the atrocity of your government, and we will attack you more.” Now, this is a municipality. It wasn’t directly targeted on Saturday morning, but it’s around 30 kilometers from the border itself and definitely feels the war quite intensively now. In retrospect, I can’t connect the dots. It might connect, it might not connect. But it definitely happened. If you look at the whole broad sense of attacks happening in Israel, you wouldn’t sense there’s something special going on. But if you look at the more sophisticated ones, you could definitely see — a week or 10 days into the war — a very dramatic increase. It started with 18%. Now it’s over 20% of attacks compared to the time before that. And if you look specifically at the government sector, the military, the defense forces, it’s more than 50% in the time before that. So, this is a very, very, very dramatic increase.

The attack started around 6:00 in the morning. I think that by 9:00 or 10:00, our situation room, so to speak, was already open, and we were already in plans of what exactly we were going to do with all of the entities here that we know will be attacked in a war. And [also] how we make sure they’re utilizing all of their cyber capabilities and get their guards up as soon as possible because cyberwarfare is doomed to be part of this war. And again, we’re a very big company with thousands of people in Israel. So, on the one hand, we have our cybersecurity responsibility. On the other hand, we have our professional responsibilities. Thousands of employees — we need to make sure where they are. We have employees who are living in the vicinity or exactly where the attack is taking place. How do we evacuate them? And since Oct. 7, it feels like one very, very, very long day.

There’s about 150 groups that we are monitoring. Out of these 150 groups, there’s between 20 to 30 dominant groups that are carrying out such attacks. And within these 20 to 30 groups, you could see the dramatic entrance of the Iranian-backed, state-sponsored hacking groups — what we call APT [advanced persistent threat] groups. We’re now over 10 groups that we’re monitoring that are creating much more significant cyberattacks in Israel, much more significant data breaches. And now they’re definitely dominating the cyberattacks here in Israel.

It depends on the time. Now, the most prominent one is called Cyber Toufan. MuddyWater is a known group that’s very prominent in the cyber landscape. They also go by the name of Scarred Manticore. They’re government-sponsored, and the Iranians are mimicking many of the tactics they see from Russian hackers — anything from the spread of disinformation, creating real attacks but exaggerating with them, creating hacktivist groups and creating channels to direct these hacktivist groups. It’s imitating the Russian methodology, but on a smaller scale.

Rightfully so. Cyber Toufan started their operations around mid-November, a long time into the war. And what was unique about them is [that] as soon as they rose above the noise, so to speak, they issued a press release with a very detailed agenda of who they are, what they want to do. And their target explicitly was to cripple Israel’s economy, and they linked it to specific actions in the war in Gaza. The other thing that they did [was] what I called a wave of echoed attacks, which is basically one attack that was very successful, echoed by a large [number] of victims whose information was leaked on a very clear and consistent pattern, twice a day: once in the morning, once in the evening. They managed to use one of their malware to attack a server and website hosting company in Israel called Signature-IT. And what they did was that they managed to infiltrate their servers, wipe a lot of their servers and exfiltrate data. Cyber Toufan said they have information on over 40 companies, and they chose high-profile ones and started to leak their data from the websites that were hosted on the servers of Signature-IT. This caused the shutdown of websites. Think of an Israeli version of Home Depot that, for over a weekend, didn’t have a website for online shopping and also had millions of customer records being leaked over this Telegram group. Each of these leaks was linked with a description of this company with a bit of exaggeration, why it’s so important to Israel, and also to link it to specific actions that happened in the war. And what was also very interesting: As soon as the ceasefire was announced [in November], they also said, “We’re obliging ourselves to the ceasefire.” From a public awareness perspective, this is probably the group that is engaging most with the public.

So, this malware was seen a few years ago, I think it was 2016 or 2017, [and it came from] a threat actor from Gaza, which ultimately means Hamas. It had certain possibilities of espionage. And then we didn’t see them for a few years. [In late 2023], we saw the development of this malware that is used in the same pattern but in a more sophisticated way. Hamas has very significant cyber capabilities, not on the scale of Iran, but still not one you would think of as an organization of this size. They have people working for them from all over the Middle East and, more specifically, in Turkey, but they also have hackers working for them from the Gaza Strip. I think an interesting point to mention is that in the physical warfare that’s happening in Gaza, you could see an effect on Hamas’s cyber capabilities. You would see them as less effective, less prominent. So, you could see how physical warfare affects their capabilities on the ground. But the real-life cyberwarfare, which is happening in parallel or in the midst of actual wars, there’s not too many of them happening in the world, thankfully. And the ones that do are a very strong greenhouse for more ideas, more capabilities and more knowledge for the hackers.

One of the attacks was actually targeting the families of kidnapped children, mothers and fathers. They sent them a designated text message saying, “Hi, Mister or Miss, with a specific name, we have captured your son or daughter.” It was all tailor-made. “If you want to communicate with them, press this link.” The link led to a web page, and it had a description saying in very good English, “This is a platform for you to communicate with your loved ones. Write here your name, your email, and the message you want to send them, and click here.” And hopefully, families thought they were suspicious and they didn’t click it. But if you would click it, then you could see that this was another way to basically exfiltrate information by injecting a virus or malware from the people who were victims of this attack.

About a month. They took time to do it. Again, this attack was not successful. And again, as experts in cybersecurity, this is not the most advanced cyberattack we’ve seen. But on a human level, it’s pretty harsh.

One is the Russia-Ukraine war. The same trends we saw in cyberwarfare in [Ukraine], we see here. Anything from the wave of hacktivist groups to state-sponsored attacks, wipers, ransomware, and whatnot. It’s a very wide range [of targets], from critical infrastructure and high-profile targets all the way to the ordinary citizens who will be intimidated by direct cyberattacks, like scams and phishing or even getting text messages alerting you that we’re coming to kill you. We can definitely see similarities, but I think that the phenomena are more distinct here. So, you could see the roots of it in the Russia-Ukraine war, but now you can see a development of this. It’s not necessarily a technological development. Let’s take DDoS attacks. There’s a lot of DDoS attacks against Russia, against Ukraine, against countries supporting Russia or Ukraine. So, if it took us a couple of weeks to get there in Ukraine, here it took days. At the same time, the magnitude is now [double]. And also in terms of terrorizing people and alarming them, if you could see some examples that happened also in Russia or Ukraine, specifically more in Ukraine, now you could see more of those happening here.

I think it goes back to the attacks that I’ve talked about that happened before the war. Some of the data dumps that were leaked by hackers on Israeli targets before the war, you could see that information [from] these data breaches was used by hackers to create the attacks they’re doing now. So, if a hacker had a phone number, a name and an email from a previous attack on a specific company, now you would see the hackers using the exact same email, name and phone number to create a more designated attack against the person they were targeting. The recycling of previous hacks is the basis of new attacks. Also, whatever happens in one war is being imitated and, to some extent, improved in a different war. And I’m sure that in the next war, somebody else will learn from the lessons of this war and try to be better and greater.