Iran-linked hacking groups have increased their regional activities following recent US and Israeli strikes, though wartime disruptions may limit their impact. Their methods include phishing campaigns, such as one impersonating Israel's emergency alert app to deliver malware, and exploiting unsecured surveillance cameras across several Middle Eastern countries for intelligence gathering.
Highly capable Iran-linked hacking groups have widened their activities across the region since the US and Israel attacked last weekend, experts argue, although disruption from the war may limit their effectiveness.
Spectacular coups against well-protected systems are unlikely, as cyberattackers prefer to target weaker links in the chain or dupe human users into granting them access to important data and networks.
Since the outbreak of war, suspected Iranian cyberattacks flagged by Palo Alto Networks' threat intelligence arm Unit 42 and Israeli cybersecurity firm Check Point include an alleged mass "phishing" attempt against Israelis.
Attackers allegedly saw an opportunity in bugs in Israel's widely used Home Front Command application, which provides emergency alerts and information.
The hackers sent mass texts to users urging them to download an update.
"It was the kind of text that perfectly makes sense" but linked to "an app that imitated the Home Front Command," Check Point chief of staff Gil Messing told AFP.
"Actually, it was malware that enables you to get a lot of information out of the device."
Messing added that a similar attack had previously targeted people expecting a package from the post office.
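The lure described above is a standard "update your app" smishing pattern: a plausible message, a link that leaves the official distribution channel, and a sideloaded package that turns out to be spyware. The following is an added example, not code from the article or from Check Point, showing how a defender might triage a batch of SMS bodies for that pattern. The sample messages are constructed; the app-store hosts are real, but the agency's own domain (`alerts.example.gov`) and the brand keyword used for lookalike detection are assumptions, since the page does not name the official download location.

```python
"""Triage SMS bodies for fake "app update" lures (added example, constructed data).

Heuristic: a message that (1) urges the reader to install or update an app and
(2) links to a host outside the official distribution channels is flagged.
Two stronger signals are reported on top of that: a host that merely mentions
the impersonated brand, and a link that serves an APK directly (store apps are
never delivered as raw .apk downloads over SMS).
"""
import re
from urllib.parse import urlsplit

# Real app-store hosts plus a placeholder for the agency's own domain.
# The page does not name that domain, so "alerts.example.gov" is an ASSUMPTION.
TRUSTED_HOSTS = {"play.google.com", "apps.apple.com", "alerts.example.gov"}
# Brand words an impersonator would stuff into a domain (assumed keyword list).
BRAND_TOKENS = ("homefront", "home-front")
# Verbs typical of update- and delivery-themed lures.
LURE_WORDS = re.compile(r"\b(update|upgrade|install|download|reinstall)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def normalise_host(url):
    """Lower-case the hostname and strip a leading 'www.' for comparison."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_trusted(host):
    """Exact match or a proper subdomain of a trusted host.

    Note the leading dot in the suffix test: a plain endswith("play.google.com")
    would wrongly accept "play.google.com.evil.example"-style hosts.
    """
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def looks_like_brand(host):
    """True if the host contains a brand token once dots and hyphens are removed."""
    flat = host.replace("-", "").replace(".", "")
    return any(tok.replace("-", "") in flat for tok in BRAND_TOKENS)


def triage_sms(text):
    """Return ("flag" | "pass", [reasons]) for one SMS body."""
    reasons = []
    urls = URL_RE.findall(text)
    hosts = [normalise_host(u) for u in urls]
    untrusted = [h for h in hosts if h and not is_trusted(h)]

    if LURE_WORDS.search(text) and untrusted:
        reasons.append("update lure with untrusted link: " + ", ".join(untrusted))
    for h in untrusted:
        if looks_like_brand(h):
            reasons.append("brand-lookalike host: " + h)
    for u in urls:
        if urlsplit(u).path.lower().endswith(".apk"):
            reasons.append("direct APK sideload link: " + u)

    return ("flag" if reasons else "pass"), reasons


def triage_batch(messages):
    """Triage many messages; returns a list of (verdict, reasons, text)."""
    return [(*triage_sms(m), m) for m in messages]


# Constructed sample messages (not real campaign text).
SAMPLE_SMS = [
    # Legitimate: update notice pointing at the real store.
    "Home Front Command: version 5.2 is available, update via "
    "https://play.google.com/store/apps/details?id=example",
    # Lure: same wording, but a lookalike host serving an APK.
    "Home Front Command: a critical update is required. Install now: "
    "https://homefront-alerts.example.net/update.apk",
    # Delivery-themed lure, like the earlier postal-package campaign.
    "Your parcel is waiting. Download the tracking app: https://post-track.example.org/app",
    # No link at all.
    "Reminder: keep your emergency app notifications enabled.",
]

if __name__ == "__main__":
    for verdict, reasons, text in triage_batch(SAMPLE_SMS):
        print(verdict.upper(), text[:60], reasons)
```

The allow-list is deliberately strict: anything that is not an official store or the agency's own host is treated as untrusted, because a lure that reads exactly like a real notice cannot be separated from one by its wording alone. The `.apk` check catches the sideload step regardless of which domain hosts it.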
Check Point also alleged it saw suspected Iranian attackers accessing internet-connected surveillance cameras, which are widely deployed and often left unsecured.
Beyond top target Israel, infiltrated cameras were found in Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus -- all countries targeted by Iranian drones and missiles.
Imagery was likely being used for battle damage assessment (BDA) after such kinetic attacks, Messing said, or "beforehand to collect the intelligence you need about... (targets') routines or where to strike".
Compromised cameras in Tehran were similarly used by Israel in planning the strike that killed Iran's supreme leader Ayatollah Ali Khamenei, the Financial Times and other media reported earlier this week.
Disruptive strikes
"Iran, I would say, is in the top five or seven cyber nations in the world when it comes to offence" alongside Russia, China and North Korea, Messing said.
Hackers are "a part of their army... very much government owned or backed" by the Islamic Revolutionary Guard Corps (IRGC) or the Ministry of Intelligence and Security, he alleged.
He identified several main avenues of Iranian cyberactivity: "classic" cyberattacks to extract information and show off capabilities, disinformation campaigns on social media, recruitment of arm's length agents in target nations for pay or via blackmail, and harassing Iranians in exile.
With drones and missiles in the air, "we must be careful not to overplay the role of cyber... It is easier to bomb a TV tower than conduct a cyberattack on a TV station," said James Sullivan, cyber and tech chief at London defence think-tank RUSI.
US and Israeli strikes have also inflicted "loss of connectivity and significant degradation of Iranian leadership and command structures" that will hamper its hackers, Unit 42 wrote in a report.
US cybersecurity firm CrowdStrike had seen "muted IRGC-linked retaliatory cyberattacks" since the outbreak of war, its intelligence chief Adam Meyers said.
Hinting at the extent of disruption to internet connectivity, Check Point said this week it had spotted cyberattackers using methods typical of Iranian groups operating via Starlink satellite connections.
Tehran had attempted weeks earlier to jam the Elon Musk-owned network to keep demonstrators from using it.
Destructive operations
CrowdStrike said that it had seen "a surge in claimed activity from Iran-aligned and sympathetic hacktivist groups" since the outbreak of war.
The groups were claiming responsibility for acts like distributed denial of service (DDoS) attacks, in which a target server is flooded with more requests than it can handle, typically from many compromised machines at once.
Such attacks are a relative constant of life online and do not require sophisticated capabilities.
And the claims, often made via social media or defaced websites, are difficult to verify.
Suspected Iran-linked groups tracked by Unit 42 claimed attacks on targets in healthcare, banking, oil infrastructure and an airport in countries including Jordan, Saudi Arabia, the UAE and Kuwait this week.
And a Russian group known as Z-Pentest claimed it had gained access to factory automation systems and CCTV networks in the United States, CrowdStrike added.
"Western organisations should remain on high alert... Activity may move beyond hacktivism and into destructive operations," CrowdStrike's Meyers said.