FRESH AIR

Iranian Kittens in Cyberspace

Nov 25, 2021 | Oved Lobel

(Shutterstock/Global News Art)

In May 2020, Yigal Unna, head of Israel’s National Cyber Directorate, declared that “Cyber winter is coming and coming faster than even I suspected” after an Iranian cyberattack against water infrastructure in Israel; in July 2021, he announced, “Cyber winter is here.”

A report released by Microsoft claimed that Iran had increased its hacking attempts against Israel fourfold over the past year, observing “an increased focus from a growing number of Iranian groups targeting Israeli entities.” These hackers had also targeted Middle East maritime shipping firms as well as:

“defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.”

Less than a week later, Google released a report on Iranian hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), known as APT35, or “Charming Kitten”, one of several IRGC-linked groups whose activities AIJAC has previously explored. Part of this Charming Kitten operation was reportedly aimed at the advocacy group United Against Nuclear Iran (UANI), which claimed, “Those responsible managed to procure data outside of the public realm, impersonated our leadership in communications with former senior officials of the US government, and attempted to harvest Gmail credentials.”

Although there have been no further reported infrastructure attacks against Israel, the hacks and leaks have substantially escalated. Most recently, Iranian hackers known as Black Shadow breached Israeli internet hosting company CyberServe, allegedly acquiring troves of personal data for which they demanded US$1 million ransom.

Black Shadow then released what it claimed was merely one percent of that data online, including data from the LGBT dating site “Atraf” as well as the detailed medical records of 290,000 patients as part of what it claimed was the full database of the Machon Mor medical institute. The head of the Israel Internet Association, Yoram Hacohen, called it “one of the most serious attacks on privacy that Israel has ever seen,” adding, “Israeli citizens are experiencing cyber terrorism.”

The group had previously breached Israel’s Shirbit insurance firm in December 2020, demanding the same ransom and, when it wasn’t paid, leaking the data.

More alarmingly, a cleaner employed by Israeli Defence Minister Benny Gantz reportedly made an offer to Black Shadow to download malware onto Gantz’s computer, allowing them to spy on the highest levels of the Israeli government, for a mere US$7,000.

Circumstantial evidence also points to Iranian-linked hackers being behind the breach of Israeli call centre service company Voicenter in September, which reportedly netted up to 15 terabytes of data, including internal communications, phone calls and even footage from the security camera system, some of which was then leaked online.

Of course, it isn’t just Israel being targeted by Iran. In August, a report by the cybersecurity company Proofpoint explored the role of Threat Actor 456 (TA456), or “Imperial Kitten/Tortoiseshell”, which it called “the most determined” of Iran’s hacking groups, in targeting US defence contractors.

The cybersecurity firm Cybereason tied cyberattacks against aerospace and telecom firms, mostly in the Middle East, to an Iranian group called MalKamak, itself linked to APT39, or “Remix Kitten”.

It should be no surprise that Iran has also been targeting Australia. AIJAC has previously covered some of these hacking efforts, including attempts against Australian shipbuilder Austal as well as Australian universities. As we noted at the time, “Former prime minister Malcolm Turnbull specifically cited Iranian attacks in his speech announcing the opening of a national cybersecurity centre.” Such operations targeting Australian companies, among others, are also conducted by the IRGC’s Lebanese proxy, Hezbollah.

A recent joint cybersecurity advisory by the Australian Cyber Security Centre (ACSC), the UK’s National Cyber Security Centre (NCSC), and America’s FBI and Cybersecurity and Infrastructure Security Agency (CISA), stated:

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

In addition to its constant hacking, Iran’s disinformation network remains extremely active, something AIJAC has been tracking for several years. The media site Iran International recently obtained exclusive documents showing that “IRGC had prepared a detailed six-phase plan to disrupt US elections and create chaos in America.” As a result of this election interference and general disinformation, including masquerading as the American far-right group “The Proud Boys”, six Iranians and the Iranian cyber firm Emennet Pasargad – which had previously been sanctioned for facilitating IRGC cyberattacks under the name Net Peygard Samavat Company – were sanctioned by the US in November.

A recently unsealed US Department of Justice indictment targeted two of these Iranian hackers, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, specifically, as did the US State Department’s Rewards for Justice Program, which is offering US$10 million for any information on them.

Iran’s cyber capabilities, however, are relatively unsophisticated, and it has itself suffered severe cyberattacks and embarrassing hacks recently. These include a cyberattack that crippled Iran’s fuel distribution network in October. Iran’s Mahan Air, which logistically facilitates the operations of the IRGC and its proxies, also recently suffered a cyberattack, although Iran claimed it was foiled. In July, Iran’s railroad system was brought to a halt by a cyberattack.

Embarrassing security footage from Iran’s notorious Evin Prison, where Australian academic Kylie Moore-Gilbert was held hostage for several years, was leaked by the alleged Iranian “hacktivist” group Tapandegan in August. Tapandegan has claimed several other hacks against the Iranian government since 2018.

Cybersecurity firm Check Point has attributed the fuel and railroad attacks to a small group called Indra that has been targeting Iran and its clients, including Hezbollah, since 2019, rather than to Israel, at which many had pointed fingers when the attacks occurred. However, Check Point’s assertion that a tiny, unknown group with no resources and acting alone can shut down Iran on a consistent basis seems implausible.
