Iran cyber operations exposed in reports from Google, Microsoft

Iran’s military is using an array of cyber campaigns to root out people accused of helping the country’s adversaries, according to a new report from Google. 

Researchers at the company’s Mandiant unit uncovered a web of social media accounts, fake websites and more used by Iran’s military to gain information on “Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel.” 

“The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations,” the researchers explained.

Mandiant attributed the campaign to Iran’s government based on the tactics, techniques and targeting seen. The security company noted that it saw no relation between this campaign and the recently discovered operations targeting U.S. elections. 

More than 40 fake recruiting websites written in Farsi and Arabic were discovered, with most offering jobs in Israel. Visitors of the website were asked to enter their personal information and other data.

Mandiant found multiple fake social media accounts on Twitter, Telegram, YouTube and an Iranian social media site known as Virasty. The posts promote recruiting firms offering jobs in IT, cybersecurity and human resources.

The campaign appears to have begun as early as 2017 and lasted until March 2024, according to Mandiant, which added that similar campaigns were allegedly conducted on behalf of proxy groups in Syria and Lebanon. 

They found both desktop and mobile versions of the fake recruiting websites displaying similar content made to look as though it was made by companies based in Israel. Several of the websites specifically sought out military personnel in “the army, security services and intelligence from Syria and Hezbollah, Lebanon.”

A YouTube channel found by Mandiant contained a single video touting a recruiting service and offering an email address that applicants could send their information to. 

Mandiant said the campaign should be “of concern to Iranian individuals who are suspected to be collaborating with countries Iran might perceive as adversaries.” 

“These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran. The campaign casts a wide net by operating across multiple social media platforms to disseminate its network of fake HR websites in an attempt to expose Farsi-speaking individuals who may be working with intelligence and security agencies and are thus perceived as a threat to Iran’s regime,” they said. 

“The collected data, such as addresses, contact details, as well as professional and academic experience, might be leveraged in future operations against the targeted individuals.”

Tickler

The Mandiant report was released on the same day as a Microsoft study on another allegedly Iran-based campaign involving a custom malware named Tickler. 

Microsoft said that between April and July, it observed an Iranian Islamic Revolutionary Guard Corps (IRGC) hacking group deploying Tickler in attacks on “targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates.” 

The goal of the campaign is intelligence gathering and is part of what Microsoft called “long-standing cyber operations.”

Microsoft tracks the actors behind the campaign as Peach Sandstorm and said their primary focus is facilitating intelligence collection in support of Iran’s government. 

As Google found in their report, Microsoft said going back to 2021, they saw Peach Sandstorm use fake LinkedIn profiles masquerading as talent acquisition managers based in the U.S. and Western Europe.

“Peach Sandstorm primarily used them to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries,” they said.

Like Google, Microsoft took down the profiles as soon as they were discovered. Both reports come amid a flurry of focus on Iran’s cyber operations since news emerged of alleged attacks on both U.S. presidential campaigns.  

Former White House cyber official Tom Kellermann noted that backdoors like the one spotlighted by Microsoft are proliferating throughout the defense sector and have prompted the need for expanded threat hunting. 

“Iran’s cyberespionage capabilities have become much more sophisticated thanks to Russian tech transfer,” said Kellermann, who now works as a senior vice president at Contrast Security. “There is coordinated intel sharing between Iran and Russia due to their military alliance. The Axis of Evil is alive and well in cyberspace."