Iran’s evolving influence operations and cyberattacks support Hamas

April 15, 2024

Iran launched its own campaign targeting Israel as the war commenced on October 7. Initially, Iran’s efforts were reactive, and its influence campaign focused on disseminating misleading information.

Iranian and Iran-affiliated groups quickly grew more coordinated in their efforts, adding targeted cyberattacks to add to the confusion and mayhem about the situation on the ground. As time has worn on, this two-pronged approach is expanding its reach worldwide to involve more nations and impact the global dialogue about the ongoing conflict.

The evolving nature of Iran’s campaign presents both a present concern and a template for future attacks against organizations and society as a whole. For defenders, understanding how these threats unfold across three distinct phases may help identify vulnerabilities and attack vectors.

Phase 1: Reactive and misleading

Immediately after the conflict began, Iran’s state media and affiliated news agencies began by making claims that turned out to be provably false or unrelated, such as the boast that a hacking group successfully attacked an Israeli power company at the same time as the initial attack by Hamas. Old news reports of power outages and undated screenshots were the only proof offered. The same hacking group claimed to later leak documents from another Israeli power plant; an examination of the documents revealed they had been leaked more than a year earlier.

Along with reusing older material, Iran-affiliated threat actors used credentials gathered in earlier attacks to leak unrelated information in order to add to the confusion. Personal data from an Israeli university was leaked on October 8, although there appeared to be no connection to Hamas’s attack, suggesting that the target was opportunistic.

The influence campaign’s reach was widest early on

The reach of Iranian state-affiliated media surged during the early days of the war. Microsoft AI for Good Lab’s Iranian Propaganda Index rose by 42% that first week, reflecting additional traffic visiting Iran’s state and state-affiliated news sites. English-speaking countries made up much of that increase, in particular Australia, Canada, and the U.K. A month later, worldwide traffic to these sites remained at nearly 30 percent higher than before the war.

An important element in the early stage of the influence campaign was speed. Multiple actors moved quickly, spreading misleading messages within hours or days of the start of the conflict. This may reflect the ease of launching a cyber-enabled influence campaign, as opposed to a full-blown cyberattack strategy.

Phase 2: All-hands-on-deck

As fighting continued through October, more Iranian groups turned their focus on Israel. More critically, these threat actors evolved their tactics to include active cyberattacks against specific targets. Data deletion and ransomware surged, and IoT devices were targeted. At this point, groups became increasingly coordinated in their efforts.

At the beginning of the war, nine Iranian groups were targeting Israel, but by the end of the second week, Microsoft Threat Intelligence tracked 14 groups. Some of these attackers went after the same targets using both cyber and influence techniques. This suggests coordination or common goals.

Iran quickly linked threat actors and techniques

Cyber-enabled influence operations also increased over the first several weeks, with more than twice the activity as at the start of the conflict. For example, one group used ransomware to impact some security cameras in parts of Israel; the same group then used an online persona to say those cameras were on an Israeli Air Force base. This false claim was meant to overstate the Iranian group’s capabilities.

By the end of October, Iran’s operations became more extensive and sophisticated in their use of inauthentic amplification. Using multiple false or stolen online personas (“sockpuppets”), they sent emails and texts to spread fabricated messages, often using compromised accounts to add a veneer of authenticity.

Phase 3: Expanding geographic scope

As the conflict wore on, the Iranian groups widened their cyber-enabled influence activities to target nations they saw as providing support to Israel. Cyberattacks targeted Bahrain, the U.S., and possibly Ireland. In the U.S., Iran-affiliated groups targeted industrial computers made in Israel, including one such device at a water authority in Pennsylvania.

Meanwhile, their cyber-enabled influence campaigns grew more nuanced, with updates to their sockpuppets’ profiles. The groups also began using AI to create new content for these online personas to distribute, along with hacking streaming television channels to show AI-generated “news reports.” These hacks were reported to impact viewers in the UAE, Canada, and the UK.

Understanding the evolving threat

Over time, the Iranian groups refocused their efforts from quick, opportunistic responses to more coordinated, multi-pronged operations. Multiple groups worked in concert to deploy both cyberattacks and cyber-enabled influence campaigns, becoming more destructive while growing in scope. For defenders worldwide, it is essential to raise awareness of this expanding threat environment while actively tracking the widening array of participants and threat actors.

To learn more about Iran’s cyber-influence operations, read this Microsoft Security Insider Nation state report or listen to the Microsoft Threat Intelligence Podcast.


Leave a Comment