Iranian Cybercrime Remains and Expands

Microsoft has become the latest large private company to declare war against Iranian cybercriminals working directly for or on behalf of the Islamic Revolutionary Guard Corps (IRGC) or Ministry of Intelligence. Microsoft said it had been tracking the hacking group – alternatively dubbed Phosphorus, Charming Kitten, or APT35 –  since 2013 and had seized 99 websites being utilised to spy on activists, journalists, defence officials, dissidents, and a range of others throughout the Middle East. The company sued the group in the US District Court in Washington for damages incurred by hacking their clients and computer networks.

Iran has become a steadily more prominent and dangerous actor in cyberspace. While the Australian Signals Directorate (ASD) says the investigation into the sweeping hack of Australian parliamentary systems and political parties is ongoing and won’t make an attribution, the US cybersecurity firm Resecurity claimed Iran was behind the hack, rather than China, and linked it to the Iranian cyberattack against the UK parliament in 2017, in which the email accounts of at least 90 MPs were compromised.

It is also possible that China, Russia, and Iran are all working together to target Five Eyes, the Western intelligence alliance between the US, UK, Canada, Australia and New Zealand. A recent report on the the Iranians hacking the cellphone of leading Israeli political candidate Gen. (res.) Benny Gantz alleged that Russia had given the Iranians the sophisticated technology necessary to conduct the attack. Meanwhile, there are suggestions that China and Iran cooperated to roll up and destroy CIA networks in both countries. In any case, Iran remains a sophisticated and malicious global actor in cyberspace in its own right, and has on several occasions attacked Australia, most recently attempting to steal information from the Australian shipbuilder and defence contractor Austal.

Meanwhile, Facebook announced on March 26 that it had “removed 513 Pages, Groups and accounts for engaging in coordinated inauthentic behavior as part of multiple networks tied to Iran. They operated in Egypt, India, Indonesia, Israel, Italy, Kazakhstan or broadly across the Middle East and North Africa.” These consisted of “158 Pages, 263 Facebook accounts, 35 Groups and 57 Instagram accounts.” According to Facebook, “About 1.4 million accounts followed one or more of these Pages, about 108,000 accounts joined at least one of these Groups and around 38,000 accounts followed one or more of these Instagram accounts.” Between December 2013 and February 2019, about US$15,000 was spent on ads by this Iranian network. Facebook has been one of several companies dismantling this sprawling Iranian propaganda effort since last year.

AIJAC has previously covered this expansive Iranian propaganda network, called “The International Union of Virtual Media.” In September 2018, we wrote:

In late August, Facebook, Twitter and Google announced that they had shut down dozens of accounts and pages on their respective platforms linked to an Iranian operation, which was launched at least as early as Jan. 2017, to influence public opinion in other countries. A Reuters investigation just released, confirmed by cyber-security firms ClearSky and FireEye Inc, which aided in the initial discovery, revealed that the Iranian operation was far larger than initially thought, consisting of dozens of websites, YouTube channels, and hundreds of social media accounts in multiple languages designed to amplify official Iranian and pro-Iranian, pro-Palestinian and pro-Assad regime propaganda. Google released a statement saying that “In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort.” Facebook is still investigating and taking down further pages and accounts linked to the operation.’

With each passing month since then, new revelations have demonstrated the staggering reach of Iran’s disinformation campaigns and potent offensive cyber capabilities. It is unlikely the major tech companies are anywhere near uncovering, much less unravelling, the full extent of these operations.