When the war between Israel and Hamas began on October 7, 2023, Iranian cyber groups immediately activated to provide support to Hamas. These Iranian-backed and Iranian-affiliated actors have combined influence campaigns with disruptive hacks—a method Microsoft calls “cyber-enabled influence operations”—which has become Iran’s method. starting strategy.
While the initial activity appeared reactive and opportunistic, these efforts have become more sophisticated and complex as the conflict continues. Actions taken by individual groups have become more coordinated and the scope of these activities has expanded internationally, increasing confusion and lack of trust in information from the region.
To achieve their objectives, Iranian groups use four key influence tactics, techniques and procedures (TTPs). How and when they use each approach offers insight into the strategies in use. Understanding this mindset can help advocates prepare and adapt to the ongoing onslaught of misleading information.
TTPs guide Iran’s strategy
Iran’s approach to influence operations is designed to achieve multiple objectives of intimidation, destabilization and retaliation, as well as undermining international support for Israel. Its TTPs include impersonation, target audience activation; text messages and emails; and use state media to increase its influence. Looking at these activities individually reveals how they also work together to strengthen the campaign.
Representation
Iran has developed an increasingly convincing set of personas used in these online operations. Using these false identities, Iran-backed and Iranian-adjacent groups spread misleading stories and threats on social media, emails and texts. These impersonations are becoming more and more convincing over time, which allows groups to create fake activist personas on both sides of the political spectrum. What is not entirely clear, however, is whether they work directly with Hamas or strictly for their own purposes.
Target audience activation
A repeated motif for Iranian groups is to recruit targeted individuals to help spread false messages. This lends a veneer of truth to the campaign, as friends and neighbors now see people they know promoting the falsehoods as legitimate.
Text and email amplification
While social media is critical to spreading groups’ propaganda and false information, mass texting and emailing are becoming increasingly central to their efforts. An Iranian group, Cotton Sandstorm, has been using this technique since 2022, honing its skills over time. The messages often take credit for cyberattacks that didn’t actually happen or falsely warn recipients of physical incursions by Hamas fighters. In addition to false identities, in at least one case they used a compromised account to increase the authenticity of the messages.
Exploit state media
When Iran-affiliated groups make false statements about cyberattacks and war updates, media affiliated with the Islamic Revolutionary Guard Corps (IRGC) sometimes further spread and exaggerate these stories. They will often cite non-existent news sources to support the claim. Other Iranian and Iran-aligned media outlets further amplify the story, making it seem more plausible despite the lack of evidence.
Microsoft Threat Intelligence has identified another concern emerging since the start of hostilities in October: the use of artificial intelligence (AI). AI-generated images and videos spread fake news or create negative images targeting key public figures. This tactic is expected to continue to gain prominence as Iran’s cyber influence operations expand.
Extend the global reach of influence efforts
We began to see collaboration between Iran-affiliated groups early in the war. This allows each group to contribute existing capabilities and eliminates the need for a single group to develop a full spectrum of tools or business activities.
By mid-November, Iran’s war-related cyber influence operations expanded beyond Israel to countries and organizations that Iran considers supporters of Israel, including Bahrain, the United Arab Emirates, and the United States. A attack against Israeli-built programmable logic controllers (PLCs) in Pennsylvania knocked a water authority offline in November. In December, a person Microsoft Threat Intelligence believes to be an Iranian-affiliated group said data had been leaked from two American companies. The group took credit for data deletion attacks against these companies a month earlier.
Iranian groups use a variety of cyber-enabled influence methods to achieve their goals. Microsoft Threat Intelligence observed that the IRGC group called Cotton Sandstorm used up to 10 online users to execute multiple methods in the last half of 2023, often following more than one of these paths at once:
Computer methods:
-
Distributed Denial of Service
Methods of influence:
-
Sockpuppets (fake online characters)
As long as the conflict continues, Iran’s cyber-enabled influence operations will likely not only grow, but also become more cooperative and destructive. While these groups will continue to exploit opportunities, their tactics will become increasingly calculated and coordinated. A thorough understanding of these techniques, supported by comprehensive threat intelligence, can give defenders an advantage in identifying and mitigating these attacks wherever they appear.
– Light “Iran steps up cyber-enabled influence operations in support of Hamas” and get insights from Microsoft Threat Intelligence experts at Microsoft threat intelligence podcast.