Iran’s cyber conflict with Israel has reached global proportions, with cyberattacks against businesses and government agencies on other continents causing arguably as much ruckus as those in Israel itself.
It’s a classic case of cyber imitating life. While US military bases and international shipping routes are peppered by its proxy terrorist outfits — most notably, the dernier cri Houthis — Iran’s cyber threat cloud has been spreading its attacks into the US and Europe, against targets perceived to be aligned with its bête noire.
In a report published this week, Microsoft characterized this global proliferation as a “Phase 3” in Iran’s cyber offensive against Israel.
“This is highly likely to be part of the Iranian government’s strategic pressure campaign,” says a threat intelligence analyst from Recorded Future’s Insikt Group, who chose not to be named for this story. “Tehran is hoping to influence governments directly and not [get] directly involved in the conflict via the ability to impact economies. They are highly likely aiming to influence business communities to pressure their governments to support a cessation of Israeli military activities in the Gaza Strip.”
Among the latest victims of this Phase 3 pressure offensive: an Albanian government organization and Iran’s military guard itself.
The Latest in Iran’s Global Cyber Offensive
The most recent known case occurred on Feb. 1. Albania’s Institute of Statistics (INSTAT) disclosed on Facebook that a cyberattack “which aimed to damage INSTAT’s data has caused the Internet services of the official website and email to be interrupted.”
In an official statement, the country’s National Authority for Electronic Certification and Cyber Security (AKCESK) clarified that the affected INSTAT systems “are not currently classified as critical or important information infrastructure.”
On Telegram, the Iranian APT commonly known as “Homeland Justice” told a somewhat different story. Claiming the attack for itself, it described the event as more extortion than denial-of-service (DoS), with more than 100 terabytes of population and geographic information system data copied and then deleted from the organization’s servers.
As Microsoft noted in its report, Homeland Justice has previously targeted Albania, alongside other countries perceived to be in support of Israel. In a series of Telegram posts, the group framed the stolen data in the wider context of Albania’s support of “the terrorists,” including Mojahedin-e-Khalq (MEK), an Iranian dissident group with ties to Israel’s secret service.
Meanwhile, not one day after Albania’s statistics snafu, Iran’s cyberattack net once again reached US shores, when the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six officials with the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
The action follows a December intrusion into Vision Series programmable logic controllers (PLCs), developed by the Israeli-American company Unitronics, and utilized in both countries’ critical infrastructure.
“US authorities took remarkably fast action to sanction multiple Iranian cyber officials associated with these attacks,” says Scott Small, director of threat intel at Tidal Cyber. “This could provide limited deterrence against future attacks, but we also know Iranian cyber actors are persistently intent on attacking US-based targets, especially government entities.”
Though it might at first seem short-sighted for Iran to unnecessarily drag the US into a cyber conflict, the Insikt analyst suggests that it could be a well-calculated risk.
“Iran has been trying to de-escalate a kinetic tit-for-tat to minimize the risk of US retaliation against its territory. It is possible more aggressive and more global cyber operations will allow them to mitigate that risk while still contributing to the anti-Israel agenda,” they suggest.
The Three Phases of the Conflict
According to Microsoft, Iran’s pseudo-cyber war against Israel can be split into three distinct phases.
Phase 1, during the initial days following the Oct. 7 Hamas terrorist attack, was rather amateurish, the report claims. Iran-nexus groups performed light opportunistic attacks, leveraged pre-existing access to claim attacks against Israeli organizations, and repackaged old and publicly available data as new “leaks.”
Phase 2, beginning in mid-to-late October, ratcheted up the volume. The number of groups working actively against Israel rose from nine to at least fourteen. Iran conducted ten cyber-enabled influence operations in that month alone, alongside more coordinated and destructive campaigns. Still, much of the winnings from its most successful campaigns was overstated.
In Phase 3 the attacks have become even more honed, utilizing more advanced tactics, techniques, and procedures (TTPs), targeting more significant businesses and critical infrastructure operators, and weaving in more effective messaging aimed at undermining Israeli morale and pressuring Israel’s allies.
“This concern will only increase heading further into election season, since we know Iran has regularly sought to interfere with past US votes,” Small warns.
If recent months are anything to go by, we won’t know until it happens what the next Iranian cyberattack will look like.
“Recent cases demonstrate that the whole range of attack methods are considered fair game for these cyber operations, including Web app exploits, credential harvesting, and even ransomware and cryptomining. This creates a wide range for potential disruptions to critical operations, plus potential fuel for influence operations whether or not the attacks cause notable material impact,” Small says.