Microsoft: Iran accelerates global cyber influence operations

While influence campaigns are on the rise, ransomware attacks are declining. Iran’s main target remains Israel

Iran's Supreme Leader Ayatollah Ali Khamenei waves during Eid al-Fitr prayer marking the end of the holy fasting month of Ramadan in Tehran, Iran April 22, 2023. Office of the Iranian Supreme Leader/WANA (West Asia News Agency) via REUTERS

Iran has been supplementing its traditional cyberattacks with a new playbook, leveraging influence operations to achieve its geopolitical aims, according to a recent Microsoft Threat Intelligence report.

Microsoft has detected these efforts rapidly accelerating since June 2022, and has attributed 24 unique cyber-enabled influence operations to the Iranian government throughout the year, compared with only seven in 2021.

The threat intelligence team assesses that most of Iran’s cyber influence operations are being run by Emennet Pasargad, also known as Cotton Sandstorm (formerly NEPTUNIUM) – an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US Presidential Elections.

According to the report, Iran’s operations remain focused on Israel, prominent Iranian opposition figures and groups, and Tehran’s Gulf state adversaries. Iran directed nearly a quarter (23%) of its cyber operations against Israel between October of 2022 and March of 2023, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts.

The goals of its cyber-enabled influence operations (IO) have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties, with a particular focus on sowing panic and fear among Israeli citizens. Most of these operations follow a predictable playbook, in which Iran uses a cyber persona to publicize and exaggerate a low-sophistication cyberattack.

New Iranian influence techniques include the use of SMS messaging and victim impersonation to enhance the effectiveness of their amplification.

As some Iranian threat groups have turned to cyber-enabled IO, Microsoft has detected a corresponding decline in Iran’s use of ransomware or wiper attacks, for which they had become prolific in the past two years.
