Iran Online: From terrorism to cyber-threats

Iran is generally acknowledged as the foremost state sponsor of international terrorism. What many people do not realise is that Teheran is also one of the top three state sponsors of cyber-threats in the world. Two recent reports, including one focussed on cyber-attacks on Australian universities, have highlighted this often under-reported reality.

In late August, Facebook, Twitter and Google announced that they had shut down dozens of accounts and pages on their respective platforms linked to an Iranian operation, launched at least as early as Jan. 2017, to influence public opinion in other countries. A just-released Reuters investigation, confirmed by the cyber-security firms ClearSky and FireEye Inc, which aided in the initial discovery, revealed that the Iranian operation was far larger than initially thought, consisting of dozens of websites, YouTube channels, and hundreds of social media accounts in multiple languages designed to amplify official Iranian and pro-Iranian, pro-Palestinian and pro-Assad regime propaganda. Google released a statement saying that “In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort.” Facebook is still investigating and taking down further pages and accounts linked to the operation.

The operation which Reuters discovered operates under the name International Union of Virtual Media (IUVM). Its mission, according to its website, is “confronting…western governments and Zionism front activities.” IUVM recycles propaganda, from political cartoons to pro-Iranian narratives, and utilises ostensibly local “alternative” media sites to launder it as original material. It also promotes talking points in defence of the JCPOA (Joint Comprehensive Plan of Action), the nuclear deal with Iran from which the United States recently withdrew.

If this sounds familiar, it’s because it follows the pattern of the ongoing and more pervasive Russian influence operations throughout the world, particularly in Europe and the United States, which have received far more attention and been the focus of much political debate and controversy in the US. One IUVM account with thousands of followers even changed its name to “@Berniecratss” in 2018, echoing the Russian tactic of masquerading as locals championing domestic causes. According to an assessment by the Atlantic Council’s Digital Forensic Research Lab, written before the Reuters investigation, the Iranian campaign was fairly amateurish and not particularly effective in terms of reach, but it demonstrated the ease with which even an unsophisticated entity can launch wide-ranging influence operations in the West.

Image caption: An image from the cybersecurity firm FireEye shows a Tweet from a social media persona related to a group called “Liberty Front Press” using the Twitter handle “@Berniecratss”.

Far more malicious and dangerous, however, are Iran’s offensive and espionage-related cyber capabilities. Iran operates through a nexus of nominally private hackers and proxy groups linked to and overseen by Iranian intelligence, much like the “patriotic hackers” of the Kremlin. On Aug. 31, the Australian Financial Review revealed that a hacking group dubbed “Cobalt Dickens,” acting on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), has been behind recent attempts to steal secret research from several top Australian universities, part of a global operation that targeted scores of universities in 14 countries, including the US, UK and Israel.

A similar and far more expansive operation by the Mabna Institute, an IRGC cutout for stealing academic credentials and research, targeted up to 26 Australian universities, including all of Australia’s most prestigious ones, between 2013 and 2017. The US charged nine Iranians involved in the operation, claiming they stole more than 31 terabytes of data from nearly 150 universities and dozens of companies and government agencies in the US alone, plus login credentials for thousands of academics from more than 300 academic institutions across 22 countries, as well as from the United Nations. The stolen data is valued in the billions of dollars.

Cyber-theft for financial gain orchestrated by hackers linked to the Iranian regime can occasionally descend into absurdity. For example, Iranian national Behzad Mesri hacked HBO’s computer systems and stole credentials and data, along with unreleased scripts for “Game of Thrones.” He then threatened to release the scripts unless HBO paid him millions of dollars. 

According to The Soufan Group, a strategic consultancy firm, Iran began to develop and formalise its external offensive cyber-capabilities in early 2012 under the command of the IRGC. Even prior to 2012, however, IRGC-linked hackers were targeting scores of US financial institutions in massive attacks that caused tens of millions of dollars in damage, as well as trying to infiltrate dam infrastructure. Iran also launched a massive and destructive cyber-attack against the Saudi oil giant Aramco in 2012, penetrated the US power grid the next year, and was likely behind a “severe cyber-attack” against Israel’s electrical grid in 2016. In 2018, Germany’s domestic intelligence agency, the BfV, reported a sharp rise in Iranian cyber-attacks against the country, placing Iran alongside China and Russia as the most persistent cyber-threats.

Iran has also been building up the offensive cyber-capacities of its allies and proxies, from Hezbollah and Hamas to groups in Syria and Yemen. On Aug. 30, Dr. James A. Lewis, Senior Vice President at the Washington-based Center for Strategic and International Studies, testified before the US Senate Judiciary Subcommittee on Crime and Terrorism that Iran, alongside Russia, was the greatest cyber-threat to US critical infrastructure. According to Lewis, “Israel is attacked by Iran and Hezbollah every week in efforts to disrupt the critical infrastructure.” An anonymous IDF major told the Times of Israel in 2015 that cyber-attacks by Iran and its proxies had noticeably increased in their quantity and sophistication. 

While Iran may be more commonly known for its sponsorship of terrorism and illegal pursuit of nuclear weapons, its additional role as one of the most potent cyber-threats to Western systems also must be addressed. “Iran’s cyber activities against the world have been the most consequential, costly and aggressive in the history of the internet, more so than Russia,” according to Norman Roule, former national intelligence manager for Iran at the US Office of the Director of National Intelligence. While the US and its allies, including Australia, debate how best to contain Iran’s nuclear ambitions, ballistic missile program and terrorism sponsorship, no one should lose sight of the destructive and increasing Iranian threat in cyberspace.