FRESH AIR

Iranian Kittens in Cyberspace

November 25, 2021 | Oved Lobel

(Shutterstock/Global News Art)

In May 2020, Yigal Unna, head of Israel’s National Cyber Directorate, declared that “Cyber winter is coming and coming faster than even I suspected” after an Iranian cyberattack against water infrastructure in Israel; in July 2021, he announced, “Cyber winter is here.”

A report released by Microsoft claimed that Iran had increased its hacking attempts against Israel fourfold over the past year, observing “an increased focus from a growing number of Iranian groups targeting Israeli entities.” These hackers had also targeted Middle East maritime shipping firms as well as:

“defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.”

Less than a week later, Google released a report on Iranian hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), known as APT35, or “Charming Kitten”, one of several IRGC-linked groups whose activities AIJAC has previously explored. Part of this Charming Kitten operation was reportedly aimed at the advocacy group United Against Nuclear Iran (UANI), which claimed, “Those responsible managed to procure data outside of the public realm, impersonated our leadership in communications with former senior officials of the US government, and attempted to harvest Gmail credentials.”

Although there have been no further reported infrastructure attacks against Israel, the hacks and leaks have substantially escalated. Most recently, Iranian hackers known as Black Shadow breached Israeli internet hosting company CyberServe, allegedly acquiring troves of personal data for which they demanded US$1 million ransom.

Black Shadow then released what it claimed was merely one percent of that data online, including data from the LGBT dating site “Atraf” as well as the detailed medical records of 290,000 patients as part of what it claimed was the full database of the Machon Mor medical institute. The head of the Israel Internet Association, Yoram Hacohen, called it “one of the most serious attacks on privacy that Israel has ever seen,” adding, “Israeli citizens are experiencing cyber terrorism.”

The group had previously breached Israel’s Shirbit insurance firm in December 2020, demanding the same ransom and, when it wasn’t paid, leaking the data.

More alarmingly, a cleaner employed by Israeli Defence Minister Benny Gantz reportedly made an offer to Black Shadow to download malware onto Gantz’s computer, allowing them to spy on the highest levels of the Israeli government, for a mere US$7000.

Circumstantial evidence also points to Iranian-linked hackers being behind the breach of Israeli call centre service company Voicenter in September, which reportedly netted up to 15 terabytes of data, including internal communications, phone calls and even footage from the security camera system, some of which was then leaked online.

Of course, it isn’t just Israel being targeted by Iran. In August, a report by the cybersecurity company Proofpoint explored the role of Threat Actor 456 (TA456), or “Imperial Kitten/Tortoiseshell”, which it called “the most determined” of Iran’s hacking groups, in targeting US defence contractors.

Cyberattacks against aerospace and telecom firms, mostly in the Middle East, were tied to an Iranian group called MalKamak, itself linked to APT39, or “Remix Kitten”, by the cybersecurity firm Cybereason.

It should be no surprise that Iran has also been targeting Australia. AIJAC has previously covered some of these hacking efforts, including attempts against Australian shipbuilder Austal as well as Australian universities. As we noted at the time, “Former prime minister Malcolm Turnbull specifically cited Iranian attacks in his speech announcing the opening of a national cybersecurity centre.” Such operations targeting Australian companies, among others, are also conducted by the IRGC’s Lebanese proxy, Hezbollah.

A recent joint cybersecurity advisory by the Australian Cyber Security Centre (ACSC), the UK’s National Cyber Security Centre (NCSC), and America’s FBI and Cybersecurity and Infrastructure Security Agency (CISA), stated:

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

In addition to its constant hacking, Iran’s disinformation network remains extremely active, something AIJAC has been tracking for several years. The media site Iran International recently obtained exclusive documents showing that “IRGC had prepared a detailed six-phase plan to disrupt US elections and create chaos in America.” As a result of this election interference and general disinformation, including masquerading as the American far-right group “The Proud Boys”, six Iranians and the Iranian cyber firm Emennet Pasargad – which had previously been sanctioned for facilitating IRGC cyberattacks under the name Net Peygard Samavat Company – were sanctioned by the US in November.

A recently unsealed US Department of Justice indictment targeted two of these Iranian hackers, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, specifically, as did the US State Department’s Rewards for Justice Program, which is offering US$10 million for any information on them.

Iran’s cyber capabilities, however, are relatively unsophisticated, and it has itself suffered severe cyberattacks and embarrassing hacks recently. These include a cyberattack that crippled Iran’s fuel distribution network in October. Iran’s Mahan Air, which logistically facilitates the operations of the IRGC and its proxies, also recently suffered a cyberattack, although Iran claimed it was foiled. In July, Iran’s railroad system was brought to a halt by a cyberattack.

Embarrassing security footage from Iran’s notorious Evin Prison, where Australian academic Kylie Moore-Gilbert was held hostage for several years, was leaked by the alleged Iranian “hacktivist” group Tapandegan in August. Tapandegan has claimed several other hacks against the Iranian government since 2018.

Cybersecurity firm Check Point has attributed the fuel and railroad attacks to a small group called Indra that has been targeting Iran and its clients, including Hezbollah, since 2019, rather than to Israel, which many had pointed fingers at when they occurred. However, Check Point’s assertion that a tiny, unknown group with no resources and acting alone can shut down Iran on a consistent basis seems implausible.
