Threat Insights

Iran uses Hacktivism as Cover for Destructive Cyber Attacks

Russia has leaned heavily on so-called “hacktivism” as a proxy for various forms of cyber vandalism, as a means to instill fear, uncertainty and distrust in its adversaries. The first example of this is Russia’s DDoS campaign against Estonia as far back as 2007. Also typical of Russian hacktivism is that while the overall direction of these campaigns comes from the Russian government, there are followers who amplify the attacks out of a mixture of patriotism and attempts to monetize their activities.

Iran has two main intelligence organizations that conduct cyber operations, the Ministry of Intelligence and Security (MOIS) and Iran’s Revolutionary Guard Corps (IRGC), and both are involved in destructive cyber attacks under the guise of “hacktivism”.

Ministry of Intelligence and Security

At least two alleged hacktivist groups that conduct destructive cyber attacks have been linked to Iran’s Ministry of Intelligence and Security (MOIS).

– “DarkBit” is a persona used by Iranian hackers associated with MOIS who claim to be hacktivists. In 2023 the DarkBit persona was used to present a destructive attack on a hybrid on-premises and cloud environment as a ransomware operation; Microsoft attributes the intrusion to the MOIS-linked actor Mango Sandstorm (MERCURY).1 Iran’s use of hacktivist cover for destructive attacks goes back to at least 2012, when the Shamoon wiper, used against the Saudi oil giant Aramco among other victims, was claimed by a persona calling itself “Cutting Sword of Justice”.

– “Agrius” is another group controlled by MOIS that uses the guise of hacktivism for its activities. Agrius is responsible for deploying the DEADWOOD (a.k.a. Detbosit) wiper in attacks on Saudi Arabia in 2019, and later the Apostle wiper, which was disguised as ransomware.2

Both DarkBit and Agrius have been linked to a known Iranian cyber espionage group, Mango Sandstorm, which is part of MOIS, and they may be different iterations of the same group.

– Another Iranian group, using the name “Homeland Justice”, has been tied to destructive cyber attacks against government networks in Albania in 2022. This group has been tied to a cyber espionage group known as Hazel Sandstorm, which is believed to be another part of the MOIS cyber organization.3

Iran is currently engaged in a cyber conflict with Israel. Both Agrius and Homeland Justice have been involved in destructive cyber attacks against Israel, sometimes masked as ransomware attacks, especially since the start of the war in Gaza.

Iran’s Revolutionary Guard Corps

The IRGC also conducts offensive cyber operations under the guise of hacktivism.

– Cyber Av3ngers is an alleged Iranian hacktivist group that has been linked to an IRGC group known as Mint Sandstorm. Cyber Av3ngers has been responsible for hacking critical infrastructure in Israel and the USA, including Israeli-made OT devices.4 5

– Anzu Team, which was part of an Iranian information operation against Sweden in 2023, claimed to be a hacktivist group but is also linked to an IRGC group known as Cotton Sandstorm.6 Cotton Sandstorm is also linked to cyber attacks targeting the US elections in 2020.7

– Moses Staff is a third group using the guise of hacktivism to conduct cyber operations. Moses Staff is also assessed to be part of the IRGC. Moses Staff has been linked to so-called “hack-and-leak” attacks against Israel.8

Assessment: Keep Calm and Secure your Networks

The destructive attacks on Saudi Arabia and Albania show that Iran is willing to deploy destructive cyber attacks against countries other than Israel, as a means to exert pressure on their governments. Iran has already conducted information operations and DDoS attacks against Sweden, in retaliation for the conviction of Hamid Nouri, a former Iranian prison official sentenced to life imprisonment in Sweden in 2022 for war crimes. Iran has also recruited gang criminals in Sweden to attack Jewish targets in Sweden. [8]

Truesec assesses that it is possible Iran will at some point also direct destructive cyber attacks against targets in Sweden, but so far Iran has not crossed that threshold.

Iran’s cyber capabilities are extensive, even if they are not as sophisticated as those of Russia or China. Many methods used by Iran in destructive cyber attacks mirror those used by large ransomware groups, such as exploiting vulnerabilities in VPN appliances to gain initial access. Following the recommendations for securing your networks against ransomware attacks will therefore also strengthen your resilience against destructive attacks.

References

  1. https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/
  2. https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/
  3. https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
  4. https://www.dragos.com/blog/cyber-av3ngers-hacktivist-group-targeting-israel-made-ot-devices/
  5. https://home.treasury.gov/news/press-releases/jy0948
  6. https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdf
  7. https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdf
  8. https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/