Iranian state actors have added another weapon to their arsenal. Since June 2022, multiple Iranian state groups have deployed a newer kind of operation: cyber-enabled influence operations (IO). The technique combines offensive computer network operations with messaging and amplification in a coordinated, manipulative fashion. The goal is to advance geopolitical objectives by shifting the perceptions, behaviors, and decisions of the end targets.
Likely motivated by its inability to match the sophistication of past cyberattacks against the regime, Iran is leveraging cyber-enabled IO to boost, exaggerate, or compensate for shortcomings in its network access or cyberattack capabilities.
Keep reading to learn more about how the Iranians use this method and what the rise of cyber-enabled IO has taught us about broader trends in cybersecurity.
3 Examples Of Cyber-Enabled IO
Microsoft linked 24 unique cyber-enabled IO to the Iranian government last year, 17 of them since June 2022, compared with just seven in 2021, demonstrating Iran's increasing reliance on the technique.
Interestingly, the rise in these operations has coincided with a decline in ransomware and wiper attacks by Iranian military affiliates, the most prominent being the Islamic Revolutionary Guard Corps (IRGC). Instead, Iran now leverages low-impact, low-sophistication cyberattacks, such as website defacements, to bolster its cyber-enabled IO. Such attacks take less time and fewer resources, freeing Iran to invest more effort in multipronged amplification instead.
This trend can be seen in three key examples.
1. Bolstering Palestinian Resistance
In February 2023, the group tracked as Storm-1084 used destructive cyberattacks in concert with messaging that encouraged pushback against Israel's policies toward Palestinians. Believed to have Iranian ties, the group disguised its destructive attack as ransomware, dropping a ransom note that called Israel "an apartheid regime" that should "pay for occupation, war crimes against humanity, killing the people," including Palestinians.
2. Inciting Shi'ite Unrest in Bahrain
Also in February 2023, a cyber persona known as Al-Toufan took credit for defacing multiple Bahraini and Israeli websites. The attack coincided with the 12th anniversary of the nationwide 2011 anti-government protests in Bahrain. Al-Toufan used the defacements to fan protests among the politically underrepresented Shi'ite majority in Bahrain by calling attention to poverty and inflation in the country.
The group replaced legitimate content on news and government websites with articles that criticized the regime. Sockpuppet Arabic-language social media accounts were later used to amplify the defacements. Cotton Sandstorm had followed a similar playbook in November 2022, when it launched its first cyber-enabled IO against Bahrain's parliamentary elections.
3. Countering Normalization Of Arab-Israeli Ties
Finally, in December 2022, a cyber persona known as Atlas Group (assessed to be Cotton Sandstorm) took credit for hijacking an Israeli sports website and posting a message stating that Israelis were not welcome at the World Cup in Qatar or in any Muslim country. Sockpuppet accounts then amplified the message in an attempt to intensify Arab-Israeli animosity. Notably, Atlas Group timed the operation to the World Cup quarterfinals, one month after Israel and Qatar agreed to establish direct flights for the games.
Iran is likely to continue honing its cyber and influence capabilities in an attempt to match the sophistication of its adversaries' cyberattacks and to retaliate against perceived threats to the regime. New influence techniques will also let Iran improve the amplification, realism, and ultimate effectiveness of its campaigns.
For the broader cybersecurity community, this underscores the importance of reliable, comprehensive threat intelligence. Beyond the Middle East, NATO member nations and other European nations may be at heightened risk. Currently, Israel is the most targeted country, accounting for 23% of Iranian attacks, followed by the US (13%) and the United Arab Emirates (8%). By continuing to monitor Iranian attack trends, these and other targets can better fortify their own defenses.
Read more Partner Perspectives from Microsoft Security.