Iranian Kittens in Cyberspace
Nov 25, 2021 | Oved Lobel
In May 2020, Yigal Unna, head of Israel’s National Cyber Directorate, declared that “Cyber winter is coming and coming faster than even I suspected” after an Iranian cyberattack against water infrastructure in Israel; in July 2021, he announced, “Cyber winter is here.”
A report released by Microsoft claimed that Iran had increased its hacking attempts against Israel fourfold over the past year, observing “an increased focus from a growing number of Iranian groups targeting Israeli entities.” These hackers had also targeted Middle East maritime shipping firms as well as:
“defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.”
Less than a week later, Google released a report on Iranian hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), known as APT35, or “Charming Kitten”, one of several IRGC-linked groups whose activities AIJAC has previously explored. Part of this Charming Kitten operation was reportedly aimed at the advocacy group United Against Nuclear Iran (UANI), which claimed, “Those responsible managed to procure data outside of the public realm, impersonated our leadership in communications with former senior officials of the US government, and attempted to harvest Gmail credentials.”
Although there have been no further reported infrastructure attacks against Israel, the hacks and leaks have substantially escalated. Most recently, Iranian hackers known as Black Shadow breached Israeli internet hosting company CyberServe, allegedly acquiring troves of personal data for which they demanded US$1 million ransom.
Black Shadow then released what it claimed was merely one percent of that data online, including data from the LGBT dating site “Atraf” as well as the detailed medical records of 290,000 patients as part of what it claimed was the full database of the Machon Mor medical institute. The head of the Israel Internet Association, Yoram Hacohen, called it “one of the most serious attacks on privacy that Israel has ever seen,” adding, “Israeli citizens are experiencing cyber terrorism.”
The group had previously breached Israel’s Shirbit insurance firm in December 2020, demanding the same ransom and, when it wasn’t paid, leaking the data.
More alarmingly, a cleaner employed by Israeli Defence Minister Benny Gantz reportedly made an offer to Black Shadow to download malware onto Gantz’s computer, allowing them to spy on the highest levels of the Israeli government, for a mere US$7000.
Circumstantial evidence also points to Iranian-linked hackers being behind the breach of Israeli call centre service company Voicenter in September, which reportedly netted up to 15 terabytes of data, including internal communications, phone calls and even footage from the security camera system, some of which was then leaked online.
Of course, it isn’t just Israel being targeted by Iran. In August, a report by the cybersecurity company Proofpoint explored the role of Threat Actor 456 (TA456), or “Imperial Kitten/Tortoiseshell”, which it called “the most determined” of Iran’s hacking groups, in targeting US defence contractors.
Cyberattacks against aerospace and telecom firms, mostly in the Middle East, were tied to an Iranian group called MalKamak, itself linked to APT39, or “Remix Kitten”, by the cybersecurity firm Cybereason.
It should be no surprise that Iran has also been targeting Australia. AIJAC has previously covered some of these hacking efforts, including attempts against Australian shipbuilder Austal as well as Australian universities. As we noted at the time, “Former prime minister Malcolm Turnbull specifically cited Iranian attacks in his speech announcing the opening of a national cybersecurity centre.” Such operations targeting Australian companies, among others, are also conducted by the IRGC’s Lebanese proxy, Hezbollah.
A recent joint cybersecurity advisory by the Australian Cyber Security Centre (ACSC), the UK’s National Cyber Security Centre (NCSC), and America’s FBI and Cybersecurity and Infrastructure Security Agency (CISA), stated:
The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
In addition to its constant hacking, Iran’s disinformation network remains extremely active, something AIJAC has been tracking for several years. The media site Iran International recently obtained exclusive documents showing that “IRGC had prepared a detailed six-phase plan to disrupt US elections and create chaos in America.” As a result of this election interference and general disinformation, including masquerading as the American far-right group “The Proud Boys”, six Iranians and the Iranian cyber firm Emennet Pasargad – which had previously been sanctioned for facilitating IRGC cyberattacks under the name Net Peygard Samavat Company – were sanctioned by the US in November.
A recently unsealed US Department of Justice indictment targeted two of these Iranian hackers, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, specifically, as did the US State Department’s Rewards for Justice Program, which is offering US$10 million for any information on them.
Iran’s cyber capabilities, however, are relatively unsophisticated, and it has itself suffered severe cyberattacks and embarrassing hacks recently. These include a cyberattack that crippled Iran’s fuel distribution network in October. Iran’s Mahan Air, which logistically facilitates the operations of the IRGC and its proxies, also recently suffered a cyberattack, although Iran claimed it was foiled. In July, Iran’s railroad system was brought to a halt by a cyberattack.
Embarrassing security footage from Iran’s notorious Evin Prison, where Australian academic Kylie Moore-Gilbert was held hostage for several years, was leaked by the alleged Iranian “hacktivist” group Tapandegan in August. Tapandegan has claimed several other hacks against the Iranian government since 2018.
Cybersecurity firm Check Point has attributed the fuel and railroad attacks not to Israel, at which many had pointed fingers when they occurred, but to a small group called Indra that has been targeting Iran and its clients, including Hezbollah, since 2019. However, Check Point’s assertion that a tiny, unknown group with no resources, acting alone, can shut down Iran on a consistent basis seems implausible.