Rinse and repeat: Iran accelerates its cyber influence operations worldwide

A view of Tehran, Iran, with an Iranian flag in foreground

Iran continues to be a significant threat actor, and it is now supplementing its traditional cyberattacks with a new playbook, leveraging cyber-enabled influence operations (IO) to achieve its geopolitical aims.

Microsoft has detected these efforts rapidly accelerating since June 2022. We attributed 24 unique cyber-enabled influence operations to the Iranian government last year – including 17 from June to December – compared to just seven in 2021. We assess that most of Iran’s cyber-enabled influence operations are being run by Emennet Pasargad – which we track as Cotton Sandstorm (formerly NEPTUNIUM) – an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US Presidential Elections.

Though Iran’s techniques may have changed, its targets have not. These operations remain focused on Israel, prominent Iranian opposition figures and groups, and Tehran’s Gulf state adversaries. More broadly speaking, Iran directed nearly a quarter (23%) of its cyber operations against Israel between October of 2022 and March of 2023, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts.

Iranian cyber actors have been at the forefront of cyber-enabled IO, in which they combine offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives. The goals of its cyber-enabled IO have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties, with a particular focus on sowing panic and fear among Israeli citizens.

Iran has also adopted cyber-enabled IO to undercut the momentum of nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or to expose their “corrupt” relationships.

Most of these operations have a predictable playbook, in which Iran uses a cyber persona to publicize and exaggerate a low-sophistication cyberattack before seemingly unassociated inauthentic online personas amplify and often further hype the impact of the attacks, using the language of the target audience. New Iranian influence techniques include their use of SMS messaging and victim impersonation to enhance the effectiveness of their amplification.

These are a few of the insights in a new Microsoft Threat Intelligence report on Iranian cyber-enabled IO. The report highlights how Iran is leveraging these operations to retaliate against external and internal threats more effectively. It also looks at what actions we might see them take in the months ahead, including the increased speed with which they are operationalizing newly reported exploits.

As some Iranian threat groups have turned to cyber-enabled IO, we have detected a corresponding decline in Iran’s use of ransomware or wiper attacks, for which they had become prolific in the past two years.

At the same time, the future threat of increasingly destructive Iranian cyberattacks remains, particularly against Israel and the United States, as some Iranian groups are likely seeking cyberattack capabilities against industrial control systems. Iranian cyberattacks and influence operations are likely to remain focused on retaliating against foreign cyberattacks and perceived incitement of protests inside Iran.

Microsoft invests in tracking and sharing information on Iranian cyber-enabled IO so that customers and democracies around the world can protect themselves from attacks. We will publish semi-annual updates on these and other nation-state actors to warn our customers and the global community of the threat posed by such operations, identifying specific sectors and regions at heightened risk.
