As War Continues, Pro-Iranian Actors Launch Barrage of Cyberattacks

The joint US-Israeli attack on Iran already has spurred a cyber response from multiple corners, including a barrage of distributed denial of service (DDoS) hits, critical infrastructure attacks, and network compromises that aim to do significant physical, reputational, and financial damage, according to security researchers.

On Saturday, the US and Israel launched a broad military action in Iran, killing the country’s Supreme Leader Ayatollah Ali Khamenei, as well as dozens of other government officials. Iran has retaliated with both military action and cyber warfare — the latter a realm where it has more leverage against its adversaries than on the physical battlefield. 

The US said it expects a significant cyber response from the prolific array of pro-Iranian cyber actors already working in cyber espionage and cyber sabotage, both in the immediate wake of the initial attacks and for the foreseeable future. The attacks will come from groups linked to Iranian state entities such as the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as hacktivist groups sympathetic to Iran’s cause. 

A coalition of pro-Iranian and pro-Russian cyber actors already has launched the “#OpIsrael” campaign, focusing on critical infrastructure and data exfiltration, while other hacktivists have struck out against individual targets in protest of the military action and as a counter to the Islamic Republic’s military losses, according to research from Check Point Research, Flashpoint, Palo Alto Networks’ Unit 42, Cisco Talos, and others.

Meanwhile, the IRGC has targeted the energy sector with a cyberattack on Saudi Arabia’s Aramco facility at Ras Tanura, and an Amazon Web Services (AWS) data center in the United Arab Emirates, both countries that host US military installations, according to a report by Flashpoint emailed to Dark Reading.

Indeed, Iran’s intent appears to be to inflict maximum global economic pain and infrastructure disruption via cyber means as a counter-pressure to its military losses, in “a shift to severe economic warfare and a higher risk for global energy supply,” according to Flashpoint.

“This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification,” Check Point Research wrote in its analysis of the activity, noting it expects the targeting to intensify and broaden across the US and its allied countries. 

Specific Cyberattacks from Various Groups

Researchers from Check Point, Flashpoint, and Unit 42 have revealed a laundry list of specific attacks and activity from Iran-linked or pro-Iranian groups that have already occurred since the initial bombing started Saturday. 

These attacks include several by Cotton Sandstorm (aka Emennet Pasargad, Aria Sepehr Ayandehsazan, MarnanBridge, and Haywire Kitten), an Iranian cyber actor affiliated with the IRGC. The group revived its old cyber persona, Altoufan Team, which mostly specialized in targeting Bahrain and had been silent for more than a year, according to Check Point. It has now claimed new targets in Bahrain, which hosts US military bases.

Another group, the FAD Team (aka Iran’s Resistance Hub and the Fatimion Cyber Team) has executed a global SQL injection campaign, leaking personally identifiable information (PII) from a wide range of targets, according to Flashpoint. These include a virtual US Air Force group and educational institutions in France, India, and Vietnam. 
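As an added illustration (example code written for this page, not code from the article or from any group it describes), the following Python block shows the pattern a SQL injection campaign of this kind exploits: a lookup query assembled by string formatting next to its parameterised form, both run against a constructed in-memory SQLite table standing in for the leaked PII. The table, column names, rows and the payload are all assumptions for the example.

```python
"""Vulnerable vs. parameterised SQL lookup, run against constructed sample data.
Added example for this page; not the FAD Team's tooling or any real institution's data."""
import sqlite3

# Constructed sample rows: a small student directory standing in for the kind of PII
# an injection campaign exfiltrates. Every value here is made up for the example.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.edu", "+1-555-0100"),
    (2, "bob", "bob@example.edu", "+1-555-0101"),
    (3, "carol", "carol@example.edu", "+1-555-0102"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER, username TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Attacker-controlled input is pasted into the SQL text. A single quote in the
    input closes the string literal, and whatever follows is parsed as SQL."""
    sql = f"SELECT username, email, phone FROM students WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The value travels to the driver separately from the statement text, so the
    whole input (quotes included) is compared against the column, never parsed."""
    sql = "SELECT username, email, phone FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: ends the literal and appends an always-true clause.
PAYLOAD = "nobody' OR '1'='1"


def demo() -> tuple:
    """Return (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)     # every row in the table comes back
    safe = lookup_parameterised(conn, PAYLOAD)    # no user is literally named this
    return len(leaked), len(safe)


if __name__ == "__main__":
    n_leaked, n_safe = demo()
    print(f"vulnerable query returned {n_leaked} rows; parameterised query returned {n_safe}")
```

Running the block shows the vulnerable query handing back the entire table for a single payload, while the parameterised form returns nothing and still resolves a legitimate username normally; that difference is the whole point of binding parameters rather than sanitising input by hand.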

The FAD Team also claimed control over network monitoring dashboards for firewall devices in Mecca and Medina, Saudi Arabia, and targeted other US-allied Arab states, disabling the Bahrain News Agency and launching DDoS attacks against Qatari oil firm Gasco and Qatar Radio, according to Flashpoint.

Meanwhile, Unit 42 reports Handala Hack, a hacktivist persona linked to Iran’s MOIS, has combined data exfiltration with cyber operations against the Israeli political and defense establishment. Since Saturday, the group has claimed responsibility for compromising an Israeli energy exploration company and Jordan’s fuel system. Handala also claimed to target Israeli civilian healthcare institutions to create domestic pressure just days before the war broke out.

Another pro-Iranian umbrella collective called the Cyber Islamic Resistance, which coordinates multiple hacktivist teams — including groups like RipperSec and Cyb3rDrag0nzz — has launched synchronized DDoS attacks, data-wiping operations, and website defacements against Israeli and Western infrastructure to support Iran. So far, they have claimed responsibility for compromising an Israeli drone defense and detection system, as well as payment infrastructure in Israel, according to Unit 42.

Iran’s Allies Join the Cyber Fray

Aside from threat groups directly linked to Iran, groups outside of the country with Iranian sympathies are making coordinated cyberattacks to support the Islamic Republic.

Pro-Palestinian group Dark Storm Team (aka DarkStorm or MRHELL112), for instance, claims to have hit several Israeli websites, including that of an Israeli bank, with DDoS attacks, its specialty, according to Unit 42.

Meanwhile, several pro-Russia hacktivist groups have claimed attacks of their own in support of Iran. The “Cardinal” group claimed on its public Telegram channel to have infiltrated Israel Defense Forces (IDF) networks, and posted the purportedly leaked information there.

The pro-Russian hacktivist group NoName057(16) also has claimed multiple Israeli targets, including disruptive operations against a range of Israeli municipal, political, telecom, and defense-related entities. Meanwhile, a partnership between this group and the Cyber Islamic Resistance has conducted DDoS attacks against Israeli defense contractor Elbit Systems and municipal governments, according to Unit 42.

Buckle Up, Cyber Defenders

What all this amounts to is that organizations, critical infrastructure operators, and even individuals on the ground will feel the impact, both cyber and physical, from the conflict, and should buckle up and get ready for a bumpy ride in the weeks and months ahead, according to the researchers.

Organizations across the board should move to their highest security posture and prepare for hybrid physical-to-cyber attacks, with special attention to securing third-party partners or customers in the Middle East that have network links to US-based companies, Cisco Talos researchers noted.

“Since this activity appears to be regionally focused, making sure enterprises are aware of any impacts to partners and third-party suppliers in the region will be paramount,” according to a post by Cisco Talos. “Additional inspection or controls may be warranted to insulate potential larger impacts to the wider organization.”

In general, all organizations should ensure they are practicing sound security hygiene: enable multifactor authentication (MFA), be diligent about any links or documents that are circulating, and make sure proper monitoring is in place to catch collateral impacts as they arise.


Source: www.darkreading.com…