Iranian cyberattacks may increase in the wake of Soleimani’s assassination

Following the targeted killing of Qassem Soleimani, chief of Iran’s Islamic Revolutionary Guard Corps-Quds Force (IRGC-QF), in Iraq on January 3, the US braced itself for Iranian cyberattacks. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned on January 6 of “disruptive and destructive cyber operations” by Iran, as well as espionage and disinformation campaigns. The following day, Texas Governor Greg Abbott declared that state agencies had been “probed” by Iran about 10,000 times per minute over the preceding 48 hours, with the Texas Department of Agriculture and other websites defaced, some with images of Soleimani.

However, Iran’s malicious activity against the US and its allies did not begin with Soleimani’s assassination. AIJAC has covered Iran’s sprawling disinformation campaigns and cyberattacks across the world, including Australia, where IRGC-linked hackers have attempted to steal sensitive research from dozens of Australian universities and were reportedly behind the hack of defence contractor Austal.

Since then, Iran’s activities have only increased, as has public reporting on them. For instance, CNN recently reported that the ostensibly independent American Herald Tribune, established in 2015, is likely linked to Iran’s disinformation network and that Iran is actually paying Americans to write its propaganda. On February 5, a Reuters investigation revealed that an Iran-linked hacking group dubbed “Charming Kitten” had been posing as journalists, inviting potential victims to non-existent events and trying to set up bogus interviews. Three cybersecurity firms – Certfa, ClearSky and SecureWorks – linked multiple incidents, primarily targeting Israeli researchers and Iranian expats, back to Charming Kitten, which has masqueraded as well-known Wall Street Journal, CNN, Iran International and Deutsche Welle journalists as well as inventing some of its own. While the attempts were described as “sloppy,” the second-order effect of making sources afraid to respond to journalists could still be damaging.

On New Year’s Day, a website spoofing that of the Foreign Policy Research Institute (FPRI) published a fake article meant to stoke tensions between the US and Iraq. The article spread across the internet, prompting confusion among those who read FPRI analysis and even a statement denying the article by the Iraqi Prime Minister. FPRI pointed the finger at Iran:

“The timing of the fake article’s publication appears to have been part of a disinformation campaign launched following the strike on KH targets. Following the article’s release, the Iraqi President’s office denied that the article reflected reality, but the fact that a statement had to be issued suggested that this piece of disinformation had become widespread. The spoofed site took users to real FPRI articles and pages upon further clicking—suggesting that the post was legitimate. The website has been taken down, but the removal of the site is less important than the outcome of the initial intent: To use FPRI as a vehicle to provide legitimacy for the disinformation.” 

A hack of Kuwait’s state-run news agency KUNA on January 8, also almost certainly by Iran, spread the lie that US troops were withdrawing from the region, causing brief international consternation. Previously, Iranian disinformation has resulted in implicit threats of nuclear war against Israel by a former Pakistani Defence Minister. While the impact of disinformation is often exaggerated, the FPRI and Kuwait incidents are a more dangerous and effective form of political disruption.

Iran’s ability to target critical infrastructure is even more dangerous. On January 9, ZDNet reported that the Bahrain Petroleum Company, Bapco, had been hit by data-wiping malware deployed by an Iran-backed hacking group on December 29. The attack, according to ZDNet’s sources, only knocked out a portion of Bapco’s computers and did not disrupt the company’s operations. Iran has previously attacked Gulf oil infrastructure, including a devastating attack on Saudi Aramco as well as Qatar’s RasGas in 2012.

The US Director of National Intelligence rates the Iranian capability as high as that of Russia and China when it comes to attacks against industrial control systems and physical infrastructure. According to Israeli reports, Iran was one of the countries behind as many as 800 cyberattacks against planes and airports as foreign leaders flew into Israel to attend the World Holocaust Forum on January 23.

Researchers at cybersecurity firm Recorded Future also suspect Iran-backed hackers in a cyberintrusion into a European energy company, likely for espionage purposes. According to the firm, the IRGC cyber division doesn’t conduct its cyberattacks directly, but contracts them out to dozens of independent groups via intermediaries. As Dorothy Denning, Emeritus Distinguished Professor of Defense Analysis at the Naval Postgraduate School, summarised Recorded Future’s findings:

“The Islamic Revolutionary Guard Corps uses trusted intermediaries to manage contracts with independent groups. These intermediaries are loyal to the regime, but separate from it. They translate the Iranian military’s priorities into discrete tasks, which are then auctioned off to independent contractors. Recorded Future estimates that as many as 50 organizations compete for these contracts. Several contractors may be involved in a single operation.”

Although Iran targets Australia regardless of what Australia does, tension has increased recently over the plight of British-Australian academic Kylie Moore-Gilbert, arrested by Iran in 2018 on bogus charges and held under inhumane conditions. As a result, cyberattacks against Australian financial and industrial infrastructure could become more serious in coming weeks and months.