In cyber attacks, Iran shows signs of improved hacking capabilities

Sign up now: Get ST's newsletters delivered to your inbox

Over the past year, hackers struck at countries including Israel, Saudi Arabia and Jordan in a months-long campaign linked to Iran’s Ministry of Intelligence and Security.

Over the past year, hackers struck at countries including Israel, Saudi Arabia and Jordan in a months-long campaign linked to Iran’s Ministry of Intelligence and Security.

PHOTO: REUTERS

NEW YORK – Iranian hackers are waging a sophisticated espionage campaign targeting the country’s rivals across the Middle East and attacking key defence and intelligence agencies, according to a leading Israeli-American cyber-security company, a sign of how Iran’s quickly improving cyber attacks have become a new, important prong in a shadow war.

Over the past year, hackers struck at countries including Israel, Saudi Arabia and Jordan in a months-long campaign linked to Iran’s Ministry of Intelligence and Security, according to a new report by the company, Check Point.

The Iranian hackers appeared to gain access to e-mails from an array of targets, including government staff, militaries, telecommunications companies and financial organisations, the report said.

The malware used to infiltrate the computers also appeared to map out the networks the hackers had broken into, providing Iran with a blueprint of foreign cyber infrastructure that could prove helpful for planning and executing future attacks.

“The primary purpose of this operation is espionage,” security experts at Check Point wrote in the report, adding that the approach was “notably more sophisticated compared with previous activities” that Check Point had linked to Iran.

Iran’s mission to the United Nations did not respond to a query on Monday about the hack.

But Iranian Defence Minister Mohammad Reza Ashtiani said last week in a speech to his country’s defence officials that given the current complex security situation in the Middle East, Iran had to redefine its national defences beyond its geographic borders.

He said that meant utilising new warfare strategies to defend Iran, including the use of space, cyber space and other ways.

“Our enemies know that if they make one mistake, the Islamic Republic of Iran will respond with force,” Brigadier-General Ashtiani said, according to Iranian media.

Although the report did not specify what, if any, data Iran had taken, Check Point said the hacking campaign successfully broke into computers associated with the Saudi Arabian Ministry of Defence, and agencies, banks and telecom firms in several other Middle Eastern countries including Jordan, Kuwait and Oman.

The report also did not specify which Israeli systems had been hacked.

A senior Israeli official dealing with cyber issues has confirmed that in recent months, an attack by a group known as LionTail has been under way against local and national government agencies and various institutions in Israel.

The official said that the attacks are identified and handled by Shin Bet, Israel’s internal security agency, and the Israeli National Cyber Directorate.

The Saudi government’s Centre for International Communication, which handles media inquiries, did not immediately respond to a request for comment on Monday. Jordan’s information minister did not immediately respond to a similar request.

The cyber attacks mark a new phase in a digital conflict between Iran and its rivals. The widespread and surprisingly sophisticated hacks, according to Check Point, underscored how Iran has found ways to punch back in an arena where it had been outmuscled.

“This is the most sophisticated and stealthy Iranian cyber attack we’ve seen,” said Mr Sergey Shykevich, who oversees threat intelligence at Check Point and led the research for the report.

“There is a clear common denominator between the victims we’ve spotted across the Middle East. Whether they’re from the government, financial or NGO (non-governmental organisation) sectors – they’re all a top intelligence priority for the Iranian government.”

The campaign follows a series of other Iranian cyber attacks over the past two years, experts said, including one aimed at critical United States infrastructure and another that sought to impersonate a nuclear expert at an American research institute.

Researchers at Microsoft said earlier in 2023 that Iran was running more sophisticated operations that sought to undermine warming ties between Israel and Saudi Arabia and foment unrest in Bahrain.

The most recent attack may be Iran’s most successful yet, as it helped the country gain potentially critical intelligence, and knowledge that could help with future cyber strikes, according to the Check Point report.

“The attackers were able to exfiltrate big amounts of data unnoticed for a long period of time, from days to months, potentially achieving significant and sensitive data that could be of service to them for various purposes,” Mr Shykevich said.

“Some of the information that Iran gained from previous cyber attacks in the past was used by them long after the attack took place,” he added. “This can indicate that this specific campaign, with its width and sophistication, may be of use to Iran for years to come.”

The quiet but sustained campaign amounts to a sort of Iranian counter-offensive in a digital shadow war that has been running for well over a decade against countries including Israel, and one in which Teheran has been at a disadvantage.

It underscores Iran’s fast-improving capabilities and determination to break into the networks of regional rivals at a time when tensions in the Middle East have erupted into war.

The latest cyber attacks stand out, according to Check Point, for the way Iranians redesigned malware they had once used to openly pilfer data into a less detectable means of accumulating huge amounts of secret government data, not unlike a wiretap.

The code had striking similarities to a program used to attack the Albanian government in 2022, Check Point said.

That hack, in which a large amount of sensitive police data was taken and posted online, led Albania to break off diplomatic relations with Iran, which officially denied it was responsible.

The malware exploits a known vulnerability in outdated versions of Microsoft Windows servers. After infecting a vulnerable computer, the program burrows deep into the network, in some cases for months, quietly gathering and transmitting data back to Iran.

Check Point observed that the attackers were able to customise the malware for each network, revealing the growing scale of Iran’s cyber capabilities.

Initially, as the world learnt about the powers of hacking, Iran was perhaps the best known victim of the real-world impact of digital weapons.

In 2010, centrifuges at an Iranian nuclear facility were hijacked by a cyber weapon built and used by the US and Israel. Over the course of a year, the cyber weapon, called Stuxnet, was used to manipulate Iranian nuclear equipment and, later, to destroy part of the facilities.

At the time, experts in the US said Iran’s hacking capabilities were clumsy and elementary.

But Stuxnet “was a big wake-up call”, said Mr Adam Meyers, senior vice-president of counter-adversary operations at cyber-security firm CrowdStrike. “What we saw after Stuxnet was that Iran threat actors started professionalising.” NYTIMES

See more on