
Iranian APTs Dress Up as Hacktivists for Disruption, Influence Ops

Iran has taken a page from the Russian playbook: passing off military groups as civilians for the sake of PR and plausible deniability.


Iranian state-backed advanced persistent threat (APT) groups have been masquerading as hacktivists, claiming attacks against Israeli critical infrastructure and air defense systems.

While threat actors in Gaza itself have been radio silent, the majority of cyberattacks against Israel in recent months have been carried out by hacktivist operations and nation-state actors "playing them on TV," according to a new report from CrowdStrike.

These so-called "faketivists" have had a mixed impact on the Israeli-Gaza war thus far, claiming many public relations wins but leaving evidence of few truly disruptive attacks.

What's clearer are the benefits of the model itself: creating a layer of plausible deniability for the state, and the impression among the public that their attacks are grassroots-inspired. While this deniability has always been a key driver with state-sponsored cyberattacks, researchers characterized this instance as noteworthy for the effort behind the charade.

"We've seen a lot of hacktivist activity that seems to be nation-states trying to have that 'deniable' capability," Adam Meyers, CrowdStrike senior vice president for counter adversary operations, said in a press conference this week. "And so these groups continue to maintain activity, moving from what was traditionally website defacements and DDoS attacks, into a lot of hack and leak operations."

Iran's Faketivists

Faketivists can be nation-state actors, such as "Karma Power," the front for the Ministry of Intelligence-linked BANISHED KITTEN, or "The Malek Team," in actuality SPECTRAL KITTEN. They can also be corporate ones like HAYWIRE KITTEN, associated with Islamic Revolutionary Guard Corps contractor Emennet Pasargad, which at various times has operated under the noms de guerre Yare Gomnam Cyber Team and al Toufan Team (aka Cyber Toufan).

To sell the persona, faketivists like to adopt the aesthetic, rhetoric, tactics, techniques, and procedures (TTPs), and sometimes the actual names and iconography associated with legitimate hacktivist outfits. Keen eyes will spot that they typically arise just after major geopolitical events, without an established history of activity, in alignment with the interests of their government sponsors.

Oftentimes, it's difficult to separate the faketivists from the hacktivists, as each might promote and support the activities of the other.

Post-Oct. 7 activity from Iran's faketivists — real and otherwise — has involved purported attacks against critical infrastructure and Israel's "Iron Dome" missile defense system, as well as frequent information operations.

And the former is often just a thin guise for the latter. While faketivists have achieved a select number of breaches of note, the majority of them appear to be opportunistic attacks of low material impact, intended to boost the morale of one side and degrade the other's.

"We've seen disruptions targeting Israel, a lot of focus on things like air alert systems that alert about incoming missile strikes. We've seen attempts to disrupt infrastructure within Israel, for sure," Meyers said, adding that such activity is likely to continue in order to terrorize Israelis. "It's basically the same playbook that Russia used in Ukraine, of how can we terrorize the population and delegitimize their government, and cause them to distrust things."

The Gap Left by Hamas Threat Actors

At the same time Iranian faketivism has shot up in Israel, cyber activity associated with Hamas has taken a nosedive.

Since the Oct. 7 terrorist attack in Israel, threat analysts have consistently found zilch from Hamas-connected cyber threat actors like Extreme Jackal (aka BLACKSTEM, MOLERATS) and Renegade Jackal (aka DESERTVARNISH, UNC718, Desert Falcons, Arid Viper).

This, CrowdStrike speculates in its report, might be explained by significant Internet disruptions in the region. Since the onset of war, it explained, connectivity in Gaza has been hampered by some combination of kinetic war, power outages, and distributed denial-of-service (DDoS) attacks.

Case in point: there is one Hamas-linked group, CruelAlchemy, whose command-and-control (C2) infrastructure has remained active since the onset of war. Though Gaza-connected, the group appears to be physically located in Turkey.

So while Hamas remains MIA online, its allies are making up the difference (in volume, if not quality).

"The point is that APTs continue to proliferate. We see more and more threat actors every year, and more and more activity from those threat actors every single year," Meyers says.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
