Iran’s cyber conflict with Israel has reached global proportions, with cyberattacks against companies and government agencies on other continents likely causing as much ruckus as those in Israel itself.
It is a classic case of cyber imitating life. While US military bases and international shipping lanes are harassed by Iran's proxy militias, most recently the Houthis in particular, Iran's cyber threat cloud has spread its attacks across the US and Europe, targeting organizations perceived as aligned with its bête noire.
In a report released this week, Microsoft labeled this global proliferation as "Phase 3" of Iran's cyber offensive against Israel.
"It is very likely that this is part of the Iranian government's strategic pressure campaign," says a threat intelligence analyst from Recorded Future's Insikt group, who chose not to be named for this story. "Tehran hopes to influence governments directly and indirectly involved in the conflict through the ability to impact economies. It is very likely that they aim to influence business communities to pressure their governments to support the cessation of Israeli military activities in the Gaza Strip."
Among the latest developments in this Phase 3 pressure offensive: an attack on an Albanian government agency, and US sanctions against officers of Iran's own Islamic Revolutionary Guard Corps.
The latest in Iran’s global cyber offensive
The most recent known case occurred on February 1. The Institute of Statistics of Albania (INSTAT) disclosed on Facebook that a cyberattack "aimed at damaging INSTAT data caused the interruption of the Internet services of the official website and e-mail."
In an official statement, the country's National Authority for Electronic Certification and Cyber Security (AKCESK) clarified that the affected INSTAT systems are "not currently classified as critical or important information infrastructure."
On Telegram, the Iranian APT commonly known as "Homeland Justice" told a slightly different story. Claiming the attack as its own, the group described the event as extortion rather than a denial of service (DoS), with more than 100 terabytes of demographic and geographic information system (GIS) data copied from the organization's servers and then deleted.
As Microsoft noted in its report, Homeland Justice has previously targeted Albania, along with other countries perceived as supporting Israel. In a series of posts on Telegram, the group framed the stolen data in the broader context of Albania's support for "terrorists," including Mojahedin-e-Khalq (MEK), an Iranian dissident group with ties to the Israeli intelligence services.
Meanwhile, less than a day after the Albanian statistics agency incident, Iran's cyber operations were back in the US spotlight, as the Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned six officials of the Cyber-Electronic Command of Iran's Islamic Revolutionary Guard Corps (IRGC-CEC).
The action follows late-2023 intrusions into Vision series programmable logic controllers (PLCs) developed by the Israeli-American company Unitronics and used in critical infrastructure in both countries.
“U.S. authorities took remarkably swift action to sanction several Iranian cyber officials associated with these attacks,” says Scott Small, director of threat intelligence at Tidal Cyber. “This may provide limited deterrence against future attacks, but we also know that Iranian cyber actors are consistently intent on attacking U.S.-based targets, particularly government entities.”
In fact, as OFAC noted in its press release, the IRGC-CEC's latest high-profile attacks on industrial systems were neither the first nor the only ones against the United States, Israel and Europe.
While it might at first seem short-sighted for Iran to needlessly drag the United States into a cyber conflict, the Insikt analyst suggests it could be a well-calculated risk.
"Iran has sought to de-escalate tensions to minimize the risk of US retaliation against its territory. It is possible that more aggressive and comprehensive cyber operations will allow them to mitigate that risk while continuing to contribute to the counter-Israel agenda," they suggest.
The three phases of the conflict
According to Microsoft, Iran’s pseudo-cyber war against Israel can be divided into three distinct phases.
Phase 1, during the first days following the October 7 Hamas terror attack, was rather amateurish, the report claims. Iran-nexus groups carried out light, opportunistic attacks, exploited pre-existing access to claim attacks against Israeli organizations, and repackaged old, publicly available data as new "leaks."
Phase 2, which began in mid-to-late October, increased the volume. The number of groups actively working against Israel grew from nine to at least fourteen. In that month alone, Iran conducted ten cyber-enabled influence operations, along with more coordinated and destructive campaigns. However, the impact of even the most successful campaigns was largely overstated.
In Phase 3 the attacks became more refined, using more advanced tactics, techniques and procedures (TTPs), targeting larger companies and critical infrastructure operators, and weaving together more effective messaging aimed at undermining Israeli morale and putting pressure on Israel's allies.
“This concern will only increase as election season approaches, as we know that Iran has regularly attempted to interfere with previous U.S. votes,” Small warns.
Judging by the last few months, we will not know what the next Iranian cyberattack looks like until it happens.
"Recent cases demonstrate that the full range of attack methods are considered fair game for these cyber operations, including web app exploits, credential harvesting, and even ransomware and cryptomining. This creates a wide range of potential disruptions to critical operations, as well as potential fuel for influence operations whether or not attacks cause significant material impact," Small says.