Iran has stepped up its cyber-influence operations on a global scale, coupling traditional cyberattacks with cyber-enabled influence operations (IO), according to recent findings from Microsoft. The aim of these operations is to further Tehran’s geopolitical objectives.
The tech giant detected a significant acceleration in Iran’s cyber activity from June 2022, attributing 24 unique cyber-enabled influence operations to the Iranian government in that year – a stark increase compared to just seven in 2021. Microsoft has identified most of these operations as the work of Emennet Pasargad, tracked as Cotton Sandstorm (previously NEPTUNIUM), an Iranian state entity previously sanctioned by the U.S. Treasury Department for attempts to destabilize the 2020 U.S. Presidential Elections.
Although Iran has adopted new techniques, its targets have remained consistent, focusing on Israel, leading Iranian opposition figures, and Tehran’s Gulf state adversaries. Between October 2022 and March 2023, nearly 23% of Iran’s cyber operations were directed against Israel. The United States, United Arab Emirates, and Saudi Arabia were also major targets.
The Iranian cyber units are pioneering the fusion of offensive cyber operations with multi-pronged influence operations to foster geopolitical shifts in line with Tehran’s objectives. The operations aim to strengthen Palestinian resistance, incite unrest in Bahrain, counter the ongoing normalization of Arab-Israeli relations, and stir panic among Israeli citizens.
Iran has also utilized these operations to thwart the momentum of nationwide protests by leaking information designed to discredit leading opposition figures or expose their purportedly corrupt affiliations.
A commonly observed modus operandi involves using a cyber persona to publicize and amplify a rudimentary cyberattack, which is then echoed and hyped by seemingly unconnected inauthentic online personas. Iran’s newer influence techniques include SMS messaging and victim impersonation, used to enhance the impact of these amplification efforts.
These insights are part of a new Microsoft Threat Intelligence report highlighting Iran’s use of these operations as a more efficient retaliation against both external and internal threats. The report also predicts possible actions in the future, including faster operationalization of newly discovered exploits.
While an uptick in cyber-enabled IO has been noted, there has been a corresponding decline in Iran’s usage of ransomware or wiper attacks, previously a dominant strategy. Nevertheless, the threat of escalating Iranian cyberattacks, particularly against Israel and the U.S., persists, with some Iranian groups likely aiming to enhance their cyberattack capabilities against industrial control systems.
Microsoft is committed to tracking and sharing information on Iranian cyber-enabled IO to help customers and democracies worldwide safeguard themselves from these threats. Semi-annual updates on these and other nation-state actors will be released to alert the global community and highlight specific sectors and regions under increased risk.