‘Digital fog of war’ around Iranian cyberattacks

Companies, infrastructure and surveillance cameras have suffered cyberattacks since the end of February.

PHOTO: REUTERS

Hostilities on the digital front have intensified since the outbreak of war between the US, Israel and Iran, with many cyberattacks claimed by Iranian groups, as more advanced actors move in the shadows.

Pro-Iranian group Handala claimed to have snatched 50,000 e-mails from an Israeli researcher specialising in Iran, a day after it said it attacked two American companies.

“Seeing them pop up again now isn’t especially surprising,” said Mr Pierre-Yves Amiot, director of French company Orange Cyberdefense’s CERT cyberalert centre, adding that Handala’s visible activity got going in late 2023.

American cybersecurity company Palo Alto Networks’ Unit 42 research service said in early March it had spotted an “escalation of attacks from activists” based outside Iran.

On March 12, it warned against an “increased risk of wiper attacks related to the conflict”, in which attackers erase data from a target’s computers.

There have been “multiple related incidents impacting organisations in Israel and the US”, Unit 42 added.

Israel’s National Cyber Directorate has issued a series of recent alerts, including on the “hacking of security cameras for espionage purposes” by Iranian groups.

‘Ambiguity’

While it is clear that Handala is responsible for multiple cyberattacks, “it’s always a bit tricky to tell what’s claimed from what’s real”, Orange’s Mr Amiot said.

“They’ve recently been working on claiming responsibility for attacks that aren’t totally accurate... Their aim is to try and maintain this ambiguity, to make people believe they’re extremely active when the truth may sometimes be less clear,” he added.

Such confusion adds up to a “digital fog of war”, Mr Amiot said.

It is still unclear what kind of group Handala may be.

Long believed to be a “hacktivist” outfit – an independent group carrying out politically motivated cyberattacks – Handala may in fact be more closely tied to Tehran.

“The group is currently assessed by the threat intelligence community to be a state-directed front for Iran’s Ministry of Intelligence and Security,” Unit 42 said on March 12.

Handala is itself only the most visible part of Iran’s far-reaching cyber operations.

“They’re regularly active, but not nearly as active as an APT,” said Mr Adam Burgher, a specialist in tracking so-called “Advanced Persistent Threats”, the label given to the most capable and persistent state-linked hacking groups.

Mr Burgher, an analyst at cybersecurity firm ESET, said Iran has around 10 active groups, with the most active known as MuddyWater.

All have built up experience over recent years.

“The volume of Iranian state-linked cyberactivity remains consistently high, with persistent campaigns observed across diverse industries,” Microsoft said in its annual cybersecurity report published in November.

“I would put them behind North Korea, Russia and China in terms of sophistication and complexity, but they do dedicate significant resources to cyberespionage and cyberattacks,” Mr Burgher said.

For the moment, Iran’s cyber capabilities may be degraded by the general government-imposed internet blackout there.

Fallback satellite connections are an alternative, but are less able to support major operations.

“Complex techniques and attacks are probably not going to be seen until they re-establish their hardline connection,” Mr Burgher said. AFP