FRESH AIR

Iranian Kittens in Cyberspace

Nov 25, 2021 | Oved Lobel

(Shutterstock/ Global News Art)

In May 2020, Yigal Unna, head of Israel’s National Cyber Directorate, declared that “Cyber winter is coming and coming faster than even I suspected” after an Iranian cyberattack against water infrastructure in Israel; in July 2021, he announced, “Cyber winter is here.”

A report released by Microsoft claimed that Iran had increased its hacking attempts against Israel fourfold over the past year, observing “an increased focus from a growing number of Iranian groups targeting Israeli entities.” These hackers had also targeted Middle East maritime shipping firms as well as:

“defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.”

Less than a week later, Google released a report on Iranian hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), known as APT35, or “Charming Kitten”, one of several IRGC-linked groups whose activities AIJAC has previously explored. Part of this Charming Kitten operation was reportedly aimed at the advocacy group United Against Nuclear Iran (UANI), which claimed, “Those responsible managed to procure data outside of the public realm, impersonated our leadership in communications with former senior officials of the US government, and attempted to harvest Gmail credentials.”

Although there have been no further reported infrastructure attacks against Israel, the hacks and leaks have substantially escalated. Most recently, Iranian hackers known as Black Shadow breached Israeli internet hosting company CyberServe, allegedly acquiring troves of personal data for which they demanded US$1 million ransom.

Black Shadow then released what it claimed was merely one percent of that data online, including data from the LGBT dating site “Atraf” as well as the detailed medical records of 290,000 patients as part of what it claimed was the full database of the Machon Mor medical institute. The head of the Israel Internet Association, Yoram Hacohen, called it “one of the most serious attacks on privacy that Israel has ever seen,” adding, “Israeli citizens are experiencing cyber terrorism.”

The group had previously breached Israel’s Shirbit insurance firm in December 2020, demanding the same ransom and, when it wasn’t paid, leaking the data.

More alarmingly, a cleaner employed by Israeli Defence Minister Benny Gantz reportedly offered Black Shadow to install malware on Gantz’s computer, which would have allowed the group to spy on the highest levels of the Israeli government, for a mere US$7000.

Circumstantial evidence also points to Iranian-linked hackers being behind the breach of Israeli call centre service company Voicenter in September, which reportedly netted up to 15 terabytes of data, including internal communications, phone calls and even footage from the security camera system, some of which was then leaked online.

Of course, it isn’t just Israel being targeted by Iran. In August, a report by the cybersecurity company Proofpoint explored the role of Threat Actor 456 (TA456), or “Imperial Kitten/Tortoiseshell”, which it called “the most determined” of Iran’s hacking groups, in targeting US defence contractors.

Cyberattacks against aerospace and telecom firms, mostly in the Middle East, were tied to an Iranian group called MalKamak, itself linked to APT39, or “Remix Kitten”, by the cybersecurity firm Cybereason.

It should be no surprise that Iran has also been targeting Australia. AIJAC has previously covered some of these hacking efforts, including attempts against Australian shipbuilder Austal as well as Australian universities. As we noted at the time, “Former prime minister Malcolm Turnbull specifically cited Iranian attacks in his speech announcing the opening of a national cybersecurity centre.” Such operations targeting Australian companies, among others, are also conducted by the IRGC’s Lebanese proxy, Hezbollah.

A recent joint cybersecurity advisory by the Australian Cyber Security Centre (ACSC), the UK’s National Cyber Security Centre (NCSC), and America’s FBI and Cybersecurity and Infrastructure Security Agency (CISA), stated:

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

In addition to its constant hacking, Iran’s disinformation network remains extremely active, something AIJAC has been tracking for several years. The media site Iran International recently obtained exclusive documents showing that “IRGC had prepared a detailed six-phase plan to disrupt US elections and create chaos in America.” As a result of this election interference and general disinformation, including masquerading as the American far-right group “The Proud Boys”, six Iranians and the Iranian cyber firm Emennet Pasargad – which had previously been sanctioned for facilitating IRGC cyberattacks under the name Net Peygard Samavat Company – were sanctioned by the US in November.

A recently unsealed US Department of Justice indictment targeted two of these Iranian hackers, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, specifically, as did the US State Department’s Rewards for Justice Program, which is offering US$10 million for any information on them.

Iran’s cyber capabilities, however, are relatively unsophisticated, and it has itself suffered severe cyberattacks and embarrassing hacks recently. These include a cyberattack that crippled Iran’s fuel distribution network in October. Iran’s Mahan Air, which logistically facilitates the operations of the IRGC and its proxies, also recently suffered a cyberattack, although Iran claimed it was foiled. In July, Iran’s railroad system was brought to a halt by a cyberattack.

Embarrassing security footage from Iran’s notorious Evin Prison, where Australian academic Kylie Moore-Gilbert was held hostage for several years, was leaked by the alleged Iranian “hacktivist” group Tapandegan in August. Tapandegan has claimed several other hacks against the Iranian government since 2018.

Cybersecurity firm Check Point has attributed the fuel and railroad attacks to a small group called Indra, which has been targeting Iran and its clients, including Hezbollah, since 2019, rather than to Israel, at which many had pointed fingers when the attacks occurred. However, Check Point’s assertion that a tiny, unknown group with no resources and acting alone can shut down Iran on a consistent basis seems implausible.
