Image: Ali Khamenei, supreme leader of Iran. Credit: Khamenei.ir (CC BY 4.0)

Iranian hackers turn to influence operations to amplify cyberattacks

Iranian state-backed hackers are increasingly using influence operations to amplify the impact of conventional cyberattacks and promote Tehran's political agenda, according to new research.

Iran’s cyber-enabled influence operations, which combine offensive cyberattacks with social media posts and SMS campaigns, mostly target Israel, the U.S., and activists who oppose the regime of Ali Khamenei, the supreme leader of Iran, Microsoft said in a report published Tuesday.

Last year, Microsoft identified 24 influence operations that were attributed to the Iranian government and military — a significant increase from seven operations identified in 2021.

The company highlighted multiple reasons why influence operations are gaining popularity in Iran, including that they require fewer resources and less time compared to ransomware or wiper attacks. When combined with conventional cyberattacks, influence operations can have a longer-lasting impact, according to Microsoft.

Iranian hackers may have turned to merging cyber and influence operations because they lack the capability to respond in kind to advanced cyberattacks from their adversaries. The country has been hit by a barrage of such attacks since July 2021, following nationwide protests sparked by water shortages and a worsening economic climate.

The convergence of cyber and influence operations is not a novel concept — it is currently being extensively used by Russia, one of Iran's allies, in its war against Ukraine. These operations are primarily conducted by state-affiliated hackers and have the goal of advancing the Kremlin's narratives, according to a report published by Google earlier this year.

How Iranian influence operations work

The majority of Iran's influence operations are carried out by a threat actor called Emennet Pasargad, also known as Neptunium, Microsoft said. This group was sanctioned by the U.S. Treasury Department for attempting to interfere in the 2020 U.S. presidential election.

The group's most frequent targets include Israel, the U.S., the United Arab Emirates, and Saudi Arabia. Its influence operations usually precede or follow conventional cyberattacks on the targeted countries, in order to publicize and amplify their effects.

For instance, in December, Neptunium sent text messages that appeared to come from Sport5, a major Israeli sports television channel, cautioning Israelis against traveling to Muslim countries. One of these messages even contained a link to a hacked Sport5 website, lending the spoofed sender false credibility. According to Microsoft, this campaign "probably aimed to amplify the impact of the cyberattack and to spread fear among Israelis."

Iran's state-sponsored hackers also use these operations against opposition movements inside the country, publishing purportedly leaked information about activists that is intended to provoke and embarrass them.

Improving cyber capabilities

Although Iranian state-sponsored actors are not as advanced as their Russian and Chinese counterparts, they are enhancing their cyber capabilities, according to Microsoft.

For example, they move quickly to exploit newly disclosed vulnerabilities to breach organizations, and they deploy tools tailored to their specific targets rather than relying only on commodity malware.

Apart from Israel and the U.S., NATO members and European countries may also be at heightened risk of future Iranian cyber and influence operations, according to the report. In January, Iran conducted a cyber-enabled influence operation against the French magazine Charlie Hebdo for holding a competition for cartoons ridiculing Iran's supreme leader. Iran's intelligence agencies also accuse European intelligence services of cooperating with the CIA on a project to foment protests in Iran, according to Microsoft.

Additionally, Iranian state-sponsored hackers launched a cyberattack last September against the government of Albania, a NATO member. The attack was serious enough that Albania considered invoking Article 5 of the NATO treaty, the collective defense clause, which could have drawn all member states into a confrontation with Iran.

“As Iranian threat actors improve their capabilities, they are likely to continue to hone both their cyber and influence techniques to match the highly sophisticated cyberattacks of their adversaries,” Microsoft said.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.