Article 4 | Iran’s Cyber Environment
Iran’s Hacking Culture and Developing Cyber Front
Makenna Petersen

Hacking in the Islamic Republic of Iran was first seen in the early 2000s, but cyber activities that aligned with state objectives weren’t noticed until after 2007.1 This is because Iran’s cyber capabilities weren’t fully realized until the 2009 ‘Green Revolution’, when mass protests sparked by the Iranian presidential election resulted in the expansion of domestic surveillance and control.2;3 Since then, the nation and its sponsored cyber groups have increasingly utilized their cyber capabilities, particularly against political adversaries. In fact, the United States (U.S.) intelligence community claimed that Iran’s “growing expertise” in cyber has proven a “major threat to the security of U.S. and allied networks and data.”4
This article aims to explain the reasons behind why Iran has become a hub for cyber activity and, in turn, why its sponsored cyber actors have become a threat to watch out for.
To be clear, cybersecurity legislation within the Islamic Republic aims to protect “sensitive business data against unauthorized access, use, disclosure, alteration, and/or destruction.”5 However, despite enacting the Electronic Commerce Act of 2004, the Computer Crimes Act of 2009, the Publicizing and Access to Data (LPAD) law of 2010, and being a member of the European Convention on Cybercrime of 2004, there is little evidence that these laws have decreased the cybercrime activity within its borders.6
For example, The Electronic Commerce Act of 2004 (Articles 67–77) addresses fraud, forgery, advertising regulations, trade secrets, trademarks, data protection breaches and intellectual property violations, while Article 78 outlines civil liability laws.7 The Computer Crimes Act of 2009 fills gaps by outlining punishments for cyber offenses in the Islamic Republic, including jail, forfeiture or both.8
These criminal offenses include:
“Crimes against data privacy and computer systems through unauthorized access to computers or data
Crimes against the accuracy of data and computer fraud
Destruction of or intervention in data and computer systems, such as wrongful communication of any number, code, password, or other means of access to any computer
Theft and fraud related to computers
Crimes against charity and public ethics
Crimes against rape dignity and spreading lies
Criminal liability of the persons.”9
While these guardrails are in place, their enforcement is less than satisfactory. In fact, Iran has recently been seen sponsoring individuals or groups with cyber skills and leveraging their capabilities to Iran’s advantage. Despite being militarily weaker than many other nations worldwide, the Islamic Republic’s use of offensive cyber operations has given it leverage that allows it to compete with its more sophisticated adversaries.10 Arguably, the state’s dislike of the West, and of the U.S. in particular because of numerous political disputes, including America’s speedy withdrawal in 2018 from the Joint Comprehensive Plan of Action (JCPOA), also known as the 2015 Iran Nuclear Deal, has shaped an Iranian cyber threat that is overwhelmingly motivated by politics and international relations.11 Time and time again, Iran has used cyber operations to show that a small state lacking the expertise, qualifications and facilities of larger nations such as China and Russia “can push back against the United States in other domains.”12 In other words, Iranian cyber actions are retaliatory and often demonstrate that Iran can infiltrate the U.S. without going to war. For example, the Sands Casino was compromised in 2014 when Iranian threat actors launched a denial of service attack which wiped data from the Las Vegas casino’s computer networks.13
Furthermore, just as “Iran uses proxies to project its regional power, Tehran often masks its cyber operations using proxies to maintain plausible deniability.” This largely occurs through state-sponsored APT groups and individuals close to the Islamic Revolutionary Guard Corps (IRGC).14 In fact, an IRGC-controlled civilian paramilitary organization known as the Basij claims to have around 120,000 cyberwar volunteers and often recruits from universities and religious schools.15 While this number is likely exaggerated given the group’s relations with these institutions, it is true that many individuals are recruited from them because they contain a variety of people with vast “knowledge and talent when it comes to cyber operations.”16;17
Over the years, Iran-linked cyber activity has exploited VPN vulnerabilities, deployed malware, and conducted social engineering and spear phishing campaigns, all in tandem with the Islamic Republic’s political incentives. In fact, there have been instances where “Iranian hackers stole terabytes of information worth billions of dollars from more than 100 American universities between 2013 and 2019.”18 Another instance mirrors Russia's interference in the 2016 U.S. presidential election: Iranian cyber actors Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian meddled in the 2020 presidential election, and while both have been charged by the U.S. government, the absence of an extradition treaty means the two men are not behind bars.19
The examples continue. Iranian cyber actor Alireza Shafie Nasab, together with co-conspirators Mehrsam Andisheh Saz Nik, Dadeh Afzar Arman, Komeil Baradaran Salmani and Hosein Mohammad Haruni, conducted a campaign from 2016 to April 2021 targeting the U.S. Departments of the Treasury and State, along with dozens of private companies.20 These actors used tactics such as spear phishing and sophisticated social engineering to infect over 200,000 devices, many of which stored classified documents.21 They also stole the identity of a real person to create accounts used to manage the attacks, which gained them access to the administrator account of a defense contractor.22 More recently, in 2022, Iranian-sponsored hackers targeted Boston Children’s Hospital using “ransomware and extortion of hundreds of small businesses, nonprofits, and critical infrastructure companies.”23
Furthermore, Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division claimed that charging individuals like those mentioned in these cases “highlight[s] Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure.”24 Just as cybercriminals and hackers are allowed to operate in Russia as long as their activities target other countries, it can be inferred that Iran follows a similar approach. Further illustrating the alignment between Iran and Russia, on January 26, 2021, "Iran and Russia signed a joint cybersecurity cooperation agreement that includes technology transfer, training, information sharing, and bilateral collaboration during international events.”25 This emphasizes the impact of international collaboration in cybersecurity and shows an increased threat to the U.S. and its allies.
Over the past few years, Iranian cyber groups have also targeted Israel and provided cyber aid to Hamas since the beginning of the war between Hamas and Israel.26 This signifies the motivations of Iranian cyber activity to be largely political since the U.S. and Israel are steadfast allies. As Iran continues to build a network of actors working together to push forward Iranian interests, one should take note that social engineering is Iran’s most popular way to foster opportunities for nefarious cyber activities. There are two specific APT groups which have managed operations not only in the U.S., but also in the Middle East: APT42 and UNC1549.
APT42
Heavily affiliated with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), the state-sponsored cyber group known as APT42 targets Western and Middle Eastern non-governmental organizations (NGOs), educational institutions, media corporations, legal services and, more specifically, activists.27 The group specializes in espionage campaigns using “enhanced social engineering schemes to gain access to victim networks, including cloud environments.”28
According to Mandiant, there are three main tactics that APT42 uses to harvest credentials and in turn, gain access to cloud environments: posing as news outlets and NGOs, impersonating legitimate services, and imitating a ‘mailer daemon,’ URL shortening services and NGOs.29
The first tactic is to pose as a news outlet or NGO. Using this tactic, members take on the persona of The Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), or Khaleej Times (UAE), to name a few. Be mindful that these pages often “involve the use of typo-squatted domains like washinqtonpost[.]press.”30 Nefarious links using these typo-squatted domains look like news articles and are most commonly sent via spear phishing; once clicked, they redirect the user to a fraudulent Google login page. The targets are often specific researchers, journalists, and entities that are regionally or geopolitically important to Iran.
The second tactic is to impersonate legitimate services. Individuals within APT42 create generic login pages and file hosting services. To do this, they use top-level domains (TLDs), the top level of the hierarchical domain name system, “like .top, .online, .site and .live, and often contain several words separated by hyphens, like panel-live-check[.]online.”31 Legitimate-looking links are sent via spear phishing, masquerading as invitations to conferences or documents in the cloud that require the receiver to provide their credentials. As a result, the user unknowingly sends their information to the attackers. This often targets individuals who are “perceived as a threat to the Iranian regime, including researchers, journalists, NGO leaders, and human rights activists.”32
Assessed by Mandiant, the third tactic is to imitate a ‘mailer daemon,’ URL shortening services and NGOs targeting “individuals and entities affiliated with various defense, foreign affairs and academic issues in the U.S. and Israel.”33 For example, the organization observed that in November 2023, “a nuclear physics professor in a major Israeli university” was targeted by utilizing a phishing URL posed as a legitimate Microsoft 365 login:
“hxxps://email-daemon[.]online/<university_acronym>365[.]onmicrosofl[.]com/accountID=<target_handle>”
Like the second tactic, the ‘mailer daemon’ technique sends legitimate-looking links via spear phishing, posed as invitations to conferences or documents in the cloud. These require the receiver to provide their credentials, which in turn gives APT42 the information it needs to cause damage.34
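The three lure patterns above (a typo-squatted brand domain, a hyphenated multi-word label on a .top/.online/.site/.live TLD, and a brand-like string such as onmicrosofl.com buried in the path of an unrelated host) are all visible in the URL itself before anyone clicks. The following screener is an added example for mail-gateway or SOC triage; it is not code from the article or from Mandiant. The brand allow-list, the edit-distance threshold and the token rules are assumptions chosen to match the indicators quoted in the text, and the sample URLs are the page's defanged indicators plus constructed benign ones.

```python
"""Screen URLs for the APT42 credential-phishing lure patterns described above.

Added example, not the article's or Mandiant's code. PROTECTED_BRANDS,
LURE_TLDS and the edit-distance threshold are assumptions for illustration.
"""
import re
from typing import List
from urllib.parse import urlparse

# Brands the text names as impersonated, keyed by the second-level label of the
# genuine registrable domain (constructed allow-list, not exhaustive).
PROTECTED_BRANDS = {
    "washingtonpost": "washingtonpost.com",
    "economist": "economist.com",
    "jpost": "jpost.com",
    "khaleejtimes": "khaleejtimes.com",
    "google": "google.com",
    "onmicrosoft": "onmicrosoft.com",
    "microsoftonline": "microsoftonline.com",
}

# TLDs the report associates with APT42's generic login/file-hosting pages.
LURE_TLDS = {"top", "online", "site", "live"}


def refang(url: str) -> str:
    """Turn defanged indicators (hxxps, [.]) back into a parseable URL."""
    url = url.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")
    return url if "://" in url else "https://" + url


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_brand(label: str, brand: str) -> bool:
    """Exact match, or within two edits for brands long enough to avoid noise."""
    return levenshtein(label, brand) <= (2 if len(brand) >= 6 else 0)


def screen_url(url: str) -> List[str]:
    """Return the lure indicators found in `url` (empty list if none)."""
    parsed = urlparse(refang(url))
    labels = (parsed.hostname or "").split(".")
    if len(labels) < 2:
        return ["unparseable-host"]
    sld, tld = labels[-2], labels[-1]
    registrable = f"{sld}.{tld}"
    if registrable in PROTECTED_BRANDS.values():
        return []  # the genuine domain; nothing to flag
    findings = []

    # Tactic 1: typo-squatted brand (near-miss spelling and/or wrong TLD).
    for brand, real_domain in PROTECTED_BRANDS.items():
        if near_brand(sld, brand):
            findings.append(f"typosquat:{registrable}~{real_domain}")
            break

    # Tactic 2: hyphenated multi-word label on one of the lure TLDs.
    if tld in LURE_TLDS and "-" in sld:
        findings.append(f"lure-tld:{registrable}")

    # Tactic 3: brand-like token in the path, query or subdomain of an
    # unrelated host (the onmicrosofl.com-in-path pattern).
    tail = (parsed.path + "?" + parsed.query).lower()
    tokens = [t for t in re.split(r"[^a-z0-9]+", tail) if len(t) >= 5]
    tokens += [l for l in labels[:-2] if len(l) >= 5]
    for tok in tokens:
        for brand, real_domain in PROTECTED_BRANDS.items():
            if near_brand(tok, brand):
                findings.append(f"brand-in-path:{tok}~{real_domain}")
                break
    return findings


# Constructed sample: the page's three defanged indicators plus benign URLs.
SAMPLE_URLS = [
    "washinqtonpost[.]press",
    "panel-live-check[.]online",
    "hxxps://email-daemon[.]online/<university_acronym>365[.]onmicrosofl[.]com/accountID=<target_handle>",
    "https://www.washingtonpost.com/world/",
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", screen_url(u) or "clean")
```

The checks are deliberately cheap so they can run inline on every URL in an inbound mail stream; an exact brand word in the path of an unrelated host will also score, which is intended for triage but means the allow-list and threshold need tuning against your own traffic before the output drives blocking.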
Furthermore, in August 2024, APT42 used invasive espionage tactics and targeted specific ‘high-value’ individuals in the U.S. and Israel.35 One incident involved APT42 meddling with Donald Trump’s presidential campaign with the aim of influencing American voters.36 Meanwhile, the targeting of anti-Iranian activists, journalists and U.S. officials continues. John Hultquist, Chief Analyst at Mandiant, says APT42 is incredibly dangerous because of “this idea that they are an organization that has a history of physically targeting people of interest.”37 The threat actor group UNC1549 presents a different form of threat.
UNC1549
Observed since June 2022, Iranian threat actor group UNC1549 poses a threat to a variety of countries in the geopolitical region of the Arabian Peninsula. Most prominently, the group targets entities “related to defense, aerospace and aviation in the Middle East, particularly in Israel and the UAE, and potentially in Turkey, India and Albania.”38
As reviewed in a Mandiant report, these entities are significant to Iranian interests, have been targeted via espionage or traditional (kinetic) operations, and have ties to the IRGC.39 One tactic most often used by UNC1549 is the deployment of spear phishing emails. These emails include links to fraudulent websites full of information on the Israel-Hamas war and fake job offers, which ultimately deliver a substantial payload.40 Additionally, the group mirrors major companies’ login pages, leading users to unknowingly provide their credentials to a phony site.41 As of February 2024, however, UNC1549 deployed “multiple evasion techniques to mask their activity, most prominently the extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to disseminate two unique backdoors: MINIBIKE and MINIBUS.”42 This is important to keep in mind if your business has assets in the Middle East.
The growing strength and significance of Iran's cyber capabilities is something to closely monitor. Even though Iran is a smaller nation with fewer resources than Russia or China, it has still been able to affect the U.S. and its allies.
The following article provides a deep dive into the Nigerian hub of cyberfraud.
Notes
1 Anderson, Collin, and Karim Sanjadpour, Publication, Iran’s Cyber Threat: Espionage, Sabotage, and Revenge, Carnegie Endowment for International Peace, 2018, 5. https://carnegie-production-assets.s3.amazonaws.com/static/files/Iran_Cyber_Final_Full_v2.pdf.
2 Fixler, Annie, “The Dangers of Iran’s Cyber Ambitions,” Foundation for Defense of Democracies, October 28, 2022. https://www.fdd.org/analysis/2022/10/28/the-dangers-of-irans-cyber-ambitions/.
3 Lewis, James Andrew, “Iran and Cyber Power,” Center for Strategic & International Studies, June 25, 2019. https://www.csis.org/analysis/iran-and-cyber-power.
4 Rep, Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence, February 7, 2022, 15. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report.pdf.
5 Fard, Anahita Asgari, “E-Commerce Law And Cybersecurity In Iran,” Mondaq, March 10, 2023. https://www.mondaq.com/privacy-protection/1291984/e-commerce-law-and-cybersecurity-in-iran.
6 Ibid.
7 Ibid.
8 Ibid.
9 Ibid.
10 Anderson, Collin, and Karim Sanjadpour, Publication, Iran’s Cyber Threat: Espionage, Sabotage, and Revenge, Carnegie Endowment for International Peace, 2018, 6. https://carnegie-production-assets.s3.amazonaws.com/static/files/Iran_Cyber_Final_Full_v2.pdf.
11 Ibid., 7.
12 Rep, Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence, February 7, 2022, 15. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report.pdf.
13 “Compromise of the Sands Casino,” Council on Foreign Relations, December 2014. https://www.cfr.org/cyber-operations/compromise-sands-casino.
14 Anderson, Collin, and Karim Sanjadpour, Publication, Iran’s Cyber Threat: Espionage, Sabotage, and Revenge, Carnegie Endowment for International Peace, 2018, 5. https://carnegie-production-assets.s3.amazonaws.com/static/files/Iran_Cyber_Final_Full_v2.pdf.
15 Lewis, James Andrew, “Iran and Cyber Power,” Center for Strategic & International Studies, June 25, 2019. https://www.csis.org/analysis/iran-and-cyber-power.
16 Ibid.
17 “Threat profile - Iran,” Hunt & Hackett, n.d. https://www.huntandhackett.com/threats/iran.
18 “FBI director warns of increased risk of Iranian cyberattacks,” Foundation for Defense of Democracies, November 2, 2023. https://www.fdd.org/analysis/2023/11/02/fbi-director-warns-of-increased-risk-of-iranian-cyberattacks/.
19 “Iranian Interference in 2020 U.S. Elections,” Federal Bureau of Investigation: Most Wanted, 2020. https://www.fbi.gov/wanted/cyber/iranian-interference-in-2020-us-elections.
20 “Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies,” U.S. Department of the Treasury: Press Releases, April 23, 2024. https://home.treasury.gov/news/press-releases/jy2292.
21 Ibid.
22 Ibid.
23 “FBI director warns of increased risk of Iranian cyberattacks,” Foundation for Defense of Democracies, November 2, 2023. https://www.fdd.org/analysis/2023/11/02/fbi-director-warns-of-increased-risk-of-iranian-cyberattacks/.
24 “U.S. Attorney Announces Charges Against Iranian National For Multi-Year Cyber Campaign Targeting U.S. Defense Contractors And Private Sector Companies,” U.S. Department of Justice: United States Attorney’s Office: Southern District of New York, February 29, 2024. https://www.justice.gov/usao-sdny/pr/us-attorney-announces-charges-against-iranian-national-multi-year-cyber-campaign.
25 El-Masry, Ahmed, “The Abraham Accords and Their Cyber Implications: How Iran Is Unifying the Region’s Cyberspace,” Middle East Institute, June 9, 2021. https://www.mei.edu/publications/abraham-accords-and-their-cyber-implications-how-iran-unifying-regions-cyberspace.
26 “Iran surges cyber-enabled influence operations in support of Hamas,” Microsoft Threat Intelligence, February 26, 2024. https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas#section-master-oc32f6.
27 Rozmann, Ofir, Asli Koksal, Adrian Hernandez, Sarah Bock, and Jonathan Leathery, “Uncharmed: Untangling Iran’s Apt42 Operations,” Google Cloud: Mandiant, May 1, 2024. https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations.
28 Ibid.
29 Ibid.
30 Ibid.
31 Ibid.
32 Ibid.
33 Ibid.
34 Ibid.
35 Bing, Christopher, and Gram Slattery, “The Iranians Who Hacked Trump’s Campaign Have Deep Expertise,” Reuters, August 23, 2024. https://www.reuters.com/world/trump-campaigns-iranian-hackers-have-dangerous-history-deep-expertise-2024-08-23/.
36 Ibid.
37 Ibid.
38 Rozmann, Ofir, Chen Evgi, and Jonathan Leathery, “When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors,” Google Cloud: Mandiant, February 27, 2024. https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east.
39 Ibid.
40 Lakshmanan, Ravie, “Iran-linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors,” The Hacker News, February 28, 2024. https://thehackernews.com/2024/02/iran-linked-unc1549-hackers-target.html.
41 Ibid.
42 Rozmann, Ofir, Chen Evgi, and Jonathan Leathery, “When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors,” Google Cloud: Mandiant, February 27, 2024. https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east.