Hezbollah cyberattack on Australian company is part of a growing cyber-threat emanating from Iran
Feb 17, 2021 | Oved Lobel
On February 9, the Sydney Morning Herald reported that a Hezbollah-linked hacking group dubbed Volatile Cedar had targeted servers run by the Australian-based technology giant Atlassian, as well as those from US-based Oracle, across the globe with remote access trojans (RATs). The potential security and criminal implications of the hack are significant, as Hezbollah was able to vacuum up a lot of personal data, including client call records. Troy Hunt, an independent security researcher cited in the report, asks, “If it’s a state-backed hack, are there critical infrastructure services using these products for power plants, sewage treatment, airports? Is it partly corporate espionage, people looking for trade secrets, information to gain a competitive advantage?”
Hezbollah is the Lebanese proxy of Iran’s Islamic Revolutionary Guard Corps (IRGC), making this, in essence, a state-backed hack. While Hezbollah receives significant funding from Iran, it also runs a global criminal enterprise spanning the range of criminal activities, including, it now appears, cybercrime. This provides a lucrative funding stream, especially useful now that Iran is under crushing sanctions.
Whether the information gleaned by Volatile Cedar is used for espionage or profit, it should be considered part of Iran’s international operations. Another IRGC client, the Palestinian terrorist group Hamas, also allegedly provides Iran with the data it hoovers up using facilities in Turkey in exchange for financial support. AIJAC has documented some of the cyber-capabilities of Hamas, Hezbollah and other Iranian proxies and how such activities fit into Iran’s broader strategy.
The IRGC itself has targeted Australia multiple times, including the shipbuilder Austal as well as dozens of Australian universities and research institutions, part of a global campaign to steal data and secret research worth billions of dollars.
And the IRGC’s malicious cyberactivity is only getting worse. One Iranian hacking group, dubbed Infy or Prince of Persia, which primarily targeted Iranian dissidents abroad, was thought to have become defunct in 2017 after about ten years of activity. However, cybersecurity firms Check Point and SafeBreach Labs say they’re now back and better than ever: “following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities.”
Check Point says Infy has managed to capture “over 1.5 gigabytes of personal information, documents, audio and video recordings” in 2020. While Israel was targeted by Infy in its original incarnation, the current campaign is apparently solely focussed on Iranians.
A separate group, Domestic Kitten (APT-50), is also charged with the surveillance of Iranian dissidents inside and outside Iran, and like Infy, likes to trick users into installing spyware onto their phones and computers by disguising it as something else. Check Point says there were over 600 successful infections. One of its researchers, Yaniv Balmas, explained that these groups were disturbingly resilient. “It is clear that the Iranian government is investing significant resources into cyber-operations. The operators of these Iranian cyber-espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though both campaigns had been revealed and even stopped in the past. They have simply restarted.”
Iran’s disinformation operations in the US are also continuing. After masquerading as the far-right group The Proud Boys, and sending threatening emails warning everyone to vote for Donald Trump prior to the election, Iran is now said to be behind a website called Enemies of the People. According to the FBI, Iran is using the site, which mimics the activities and statements of the most violent and radical Trump supporters, to “create fear, divisions, and mistrust in the United States and undermine public confidence in the US electoral process.” This includes revealing the personal information – doxing – of US officials.
Meanwhile, a recent cyberattack against a water treatment facility in a small town in Florida aiming to poison the water supply bears a strong similarity to an IRGC cyberattack against Israeli water treatment facilities last year. While there is still no clarity concerning who conducted the cyberattack against the Florida plant, Israel has offered to aid the US investigation, with Israel’s National Cyber Directorate telling Fox News that it had “contacted its U.S. equivalents about the case.” The President and CEO of the Cyber Threat Alliance, Michael Daniel, recently testified regarding the hack that “Iran has shown itself very interested in water systems in other countries like Israel and even in the United States.”
Needless to say, this attack underlined how much more than information is at risk from Iran-linked cyberactivity. The Florida cyberattack attempted to flood the water supply with toxic sodium hydroxide – used in small quantities in water treatment to control water acidity and to help remove heavy metals – and could potentially have made thousands ill had it not been quickly caught by a controller.
Iranian cyber-operations are likely to get a boost from the recently signed deal on cooperation in cyberspace between Iran and Russia, the terms of which are very expansive and likely mark an escalation in the cybersphere. Already in April 2020, the US State Department warned of convergence between Iran, Russia and China in spreading disinformation regarding COVID-19, and as AIJAC previously covered, some intelligence officials suggest there’s ‘a countervailing alliance in cyberspace made up of Russia, China and Iran to oppose the “Five Eyes” – the intelligence alliance of the US, UK, Canada, Australia and New Zealand.’
Regardless of the depth of cooperation with China and Russia, Iran’s capabilities in cyberspace are clearly improving, and that will likely mean more credible disinformation operations, more sophisticated cyberattacks and improved espionage capacity, in Australia and elsewhere.