Fresh Air

Iran continues to demonstrate that, while it lags far behind other adversaries like Russia, China and North Korea as a cyber actor, it still has the capacity to be a major nuisance in this sphere.

In mid-March, a cyberattack briefly blocked access to several Israeli government websites. Initially described by one source as the largest cyberattack in Israeli history, it turned out to be nothing but an unsophisticated distributed denial-of-service (DDoS) attack, one which may not even have been targeting Israeli government websites specifically. Erez Tidhar, head of the Israeli cyber authority’s Computer Emergency Response Team (CERT), told Haaretz, “This was a routine attack – albeit one with serious volume – but not rare or significant.” While the attack has not been officially attributed to Iran, it is the most likely culprit given the timing, targets and lack of sophistication.

Shortly thereafter, Iranian-linked hackers published material allegedly stolen from the hacked phone, apparently old, of Mossad chief David Barnea’s wife. The group is most likely linked to “Moses Staff” which, according to cybersecurity company Cybereason, “leverages cyberespionage and sabotage to advance Iran’s geopolitical goals by inflicting damage and spreading fear.” The hacking of the old phone is not a security threat, and cybersecurity experts have been warning officials and commentators not to play up what is essentially Iranian trolling, the purpose of which is propagandistic – to make it seem like Iran is capable of effective cyberattacks against Israel. These hacks, leaks and DDoS attacks, in reality, are actually evidence that it probably is not.

The last time Iran attempted a genuine cyberattack against Israel was two years ago, when its Islamic Revolutionary Guard Corps (IRGC) launched an abortive attack against Israeli water infrastructure. There was conflicting information on the level of sophistication involved in that attack, with one official describing it as “miserable”, but nothing of that scale has been attempted since. It’s unclear whether Iran was actually deterred from further cyberattacks against Israeli civilian infrastructure by Israel’s purported response, which shut down Iran’s Shahid Rajaee port, or whether it simply doesn’t have the capability to launch serious cyberattacks.

What has been clear for quite some time is that while Israel is able to cause chaos across Iran in cyberspace, Iran is only capable of temporarily defacing websites, spreading disinformation, criminal hacks and leaks and DDoS attacks – nothing of strategic consequence, unlike Israel’s ability to shut down fuel distribution and ports.

Iran also continues to conduct large-scale cyber espionage campaigns, something AIJAC has been covering for several years. In April, Facebook parent company Meta disrupted two Iranian groups involved in such activities, one of which, while unnamed, resembled the methods of an Iranian group known as Tortoiseshell, Imperial Kitten or Threat Actor 456 (TA456) –  called among “the most determined” Iranian hacking groups by cybersecurity firm Proofpoint. According to Meta, the “previously unreported group… targeted industries like energy, telecommunications, maritime logistics, information technology, and others.” The other actor, UNC788, has been active for years. Social media companies disrupt such networks every few months, but they often pop right back up again.

These groups depend almost entirely on human error, impersonating known individuals and companies online or inventing companies and fake profiles to trick their targets into downloading malware or entering personal information via phishing, thus giving hackers access to their devices and networks. However, routine cybersecurity hygiene is enough to foil most such attempts.

Iran’s proxies, like Hamas, have also been using these methods to try and to spy on or compromise Israeli soldiers, police officers and officials. Cybereason revealed this week that a Hamas-linked cyberespionage campaign running for the past six months using the aforementioned approach – mostly involving fake “honeypot” profiles of attractive Israeli females to lure IDF soldiers and police into downloading malware – demonstrated a “new level of sophistication”.

This activity by Hamas is not new. As AIJAC wrote in May 2019:

Hamas was able to hack the phones of hundreds of IDF soldiers via malware implanted in World Cup streaming apps and dating apps, and used fake “honeypot” profiles of attractive members of the opposite sex to lure soldiers into downloading malware. It also infiltrated hundreds of Facebook groups, some closed, relating to IDF activities to monitor members and discussions, and created an online FIFA World Cup group for Israelis which caused those participating to download malware when they clicked links on the page.

However, according to one Cybereason researcher, “They set up fake accounts, but while usually such accounts are quite easy to spot, in this case they would seem very real to an untrained eye.” The company’s report added that “They were extremely active accounts, they were very well versed in Israeli politics and current events, they chatted with their victims and posted in perfect Hebrew, with none of the tell-tale signs of fake foreign accounts.” Furthermore, the malware being spread by this catfishing campaign is reportedly far more advanced than that previously utilised by Hamas.

While both Iran and its proxies might be improving the quality of their phishing and catfishing, overall, this remains an unsophisticated approach and indicates that, at least for now, Iran is probably not capable of meaningful cyberattacks against infrastructure. Then again, the easiest means to bypass cybersecurity protocols is through human negligence – all it takes is for one important security or government official to fall for these tricks, and all information thereby gleaned will be passed to Iran. As we wrote in 2019 about these catfishing campaigns by Hamas and Hezbollah over the past ten years, “[technical] sophistication is not necessarily the most useful means of measuring a threat.”