Iran’s continuing cyber-mischief during the coronavirus crisis 

 

Iranian hackers and propaganda networks have been working overtime during the novel coronavirus pandemic. In the first week of May, Israel’s ClearSky cybersecurity reportedly discovered the attempted and possibly successful hack of American biopharmaceutical company Gilead Sciences, the producer of one of the most promising potential COVID-19 treatments, the antiviral drug Remdesivir. According to ClearSky’s Ohad Zaidenberg, “they are acting against the infrastructure of the American research institute Gilead, and we determined that they are trying to hurt other research bodies that are dealing with coronavirus, including in Israel.”  

Iran has vigorously denied its involvement, with UN envoy Alireza Miryousefi declaring, “The Iranian government does not engage in cyber warfare. Cyber activities Iran engages in are purely defensive and to protect against further attacks on Iranian infrastructure.”

Earlier in May, the UK reported that Iran was among a small group of hostile states, including Russia and potentially China, trying to hack British universities and scientific facilities researching COVID-19. This followed reports in April that Iran-linked hackers had tried to break into the email accounts of World Health Organisation (WHO) staff, which Iran also loudly denied, saying the reports were “sheer lies to put more pressure on Iran.”   

All of these cyber-espionage campaigns are reportedly the work of an Iranian hacking group dubbed “Charming Kitten.” As AIJAC covered in its February overview of Iranian cyber-activity, “Charming Kitten” members posed as journalists and set up non-existent events or bogus interviews for the targets of their activity, who were mostly Iranian expats and Israeli researchers. ClearSky and two other firms, Certfa and SecureWorks, linked several incidents to the group “which has masqueraded as well-known Wall Street Journal, CNN, Iran International and Deutsche Welle journalists as well as inventing some of its own.”

Perhaps even more serious than the espionage are the cyberattacks. Fox News first reported that Iran was behind an attempted cyberattack on Israel’s Water Authority in late April. The Washington Post, citing two foreign government officials, reported that “The hackers sought to cripple computers that control water flow and wastewater treatment for a pair of rural districts in Israel,” and that they’d routed the attacks through both the US and Europe. Sources did not describe the attack as sophisticated, and it was quickly detected and thwarted. Although the US Director of National Intelligence assessed Iran to have the same capabilities as Russia, China and North Korea when it comes to intruding into industrial control systems, Iran has yet to demonstrate that capability.

While Israel has not officially confirmed Iran’s involvement, Israel’s Channel 13 reported that a high-level security cabinet meeting discussed the hack, with an unnamed official quoted as saying, “This is an attack that goes against all the codes of war. Even from the Iranians we didn’t expect something like this.” True to form, Iran’s UN envoy denied Iranian culpability, once again implausibly claiming that “The Iranian government does not engage in cyberwarfare.” 

On the propaganda front, Iran’s International Union of Virtual Media (IUVM), a global multilingual network of social media accounts and ostensibly local news websites first uncovered in 2018, has reportedly been very active in pushing coronavirus-related disinformation. True to its mission of “confronting…western governments and Zionism front activities,” the IUVM’s focus has been on blaming the US for the virus, mocking the US response and defending both Iran’s and China’s handling of the pandemic, according to an in-depth report by network analysis company Graphika. A US State Department report in April warned of the convergence of the coronavirus-related disinformation campaigns from Iran, Russia and China.

Interestingly, many of the IUVM’s new accounts, websites, and pages seem to be focused on Africa, including “Ethiopianow,” “Durban Daily,” “@AfricaTruth1,” “AFtruth.com” and the likely related French-language page “Realite Afrique.”

Facebook, meanwhile, took down a part of the Iranian social media propaganda network in May, as it does every few months, saying some of the accounts were linked to the Islamic Republic of Iran Broadcasting Corporation (IRIB). IRIB and IUVM run essentially like an echo chamber, with IRIB reports and cartoons rebroadcast under IUVM accounts and vice versa. According to Graphika’s chief innovation officer Camille Francois, “We do see these successive waves of takedowns across platforms being effective: While this operator continues to use social media for its campaigns, the scale is smaller every time we see them come back, and takedowns happen increasingly rapidly. That’s likely why we see this Iranian operator make heavier use of websites, and having a harder time promoting their campaigns on social media accounts.”  

The latest IUVM cluster taken down by Facebook had only about 5000 followers across all platforms. As the Graphika report noted, “The IUVM operation is significant and manned by a well-resourced and persistent actor, but its effectiveness should not be overstated.”