Pro-Iran Hackers Aligned Cyber with Kinetic War Aims

by CybrGPT

A new report has laid bare the sudden surge in cyber-threat activity from pro-Iran hacking groups which accompanied the 12-day war against Israel earlier this summer.

SecurityScorecard said it analyzed 250,000 Telegram messages to uncover various activity including intelligence gathering, propaganda and direct attacks on critical infrastructure and public entities.

This came from a diverse set of groups, including state-backed hackers, proxies and looser collectives of “ideologically aligned hacktivists” supporting Iran’s war aims.

Among these activities were:

  • Pro-Iran propaganda across at least 178 Telegram groups which blended “ideologically driven messaging with coordinated cyber-operations.” Channels included “Islamic Hacker Army group,” “Resistance Toast” and “Al-Qassam Toast”
  • DDoS campaigns, phishing operations and data dumps “under the banner of local grievance narratives” from Palestinian-linked hacktivists Cyber Islamic Resistance and Cyber Fattah team, Afghanistan’s Fatimion cyber team, Tunisia’s Maskers Cyber Force and Islamic outfits like Islamic Hacker Army group and sharp333
  • Web defacement and DDoS by pro-Iran hacktivists Fatimion Cyber Team
  • Data theft and dumping of thousands of records including PII from the Saudi Games by state-aligned cyber-resistance group Cyber Fattah team. This was achieved by scanning for and exploiting web vulnerabilities
  • Website defacements, service disruptions, propaganda broadcasts and “morale messaging” from hacktivist group Cyber Islamic Resistance
  • Website defacements, data exfiltration operations and the sale of zero-day vulnerabilities by financially motivated collective Tunisian Maskers Cyber Force

State-Backed APT Strikes

This activity came alongside more traditional state-sponsored attacks by APT group Tortoiseshell (aka Cuboid Sandstorm, Yellow Liderc and Imperial Kitten).

“Only a few days after the conflict between the two nations flared, the actor began purchasing domain names from NameCheap that revolve around themes of the conflict, such as nowsupportisrael[.]com, supportisraelfunding[.]com or stoprirannukes[.]com. The actor then purchased a few virtual servers to host their domain,” SecurityScorecard explained.

“The threat actor used these VPSs alongside the Evilginx phishing framework to lure Hebrew-speaking victims with petition forms offering support for Israel while focusing on the October 7th attack, when Hamas attacked Israel in 2023.”

The group then deployed the Remcos remote access Trojan (RemcosRAT) to selected targets.
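The defanged domains quoted above are the kind of indicator a defender can act on straight away: Evilginx sits in front of the genuine site as a reverse proxy, so the attacker-registered hostname in DNS or proxy logs is the most reliable handle. The block below is an added example, not code from the article or from SecurityScorecard. It refangs the three domains the report names, then scans log lines for exact or subdomain matches. The log format (timestamp, client IP, requested hostname, action) and the log lines themselves are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Defanged domains exactly as quoted from the SecurityScorecard report
REPORTED_DOMAINS = [
    "nowsupportisrael[.]com",
    "supportisraelfunding[.]com",
    "stoprirannukes[.]com",
]

# Constructed sample log lines (assumed format: "<timestamp> <client> <hostname> <action>")
SAMPLE_LOG = [
    "2025-06-20T09:14:02Z 10.0.4.17 www.example.org ALLOW",
    "2025-06-20T09:15:40Z 10.0.4.23 nowsupportisrael.com ALLOW",
    "2025-06-20T09:16:11Z 10.0.4.23 login.supportisraelfunding.com ALLOW",
    "2025-06-20T09:17:05Z 10.0.4.30 notsupportisraelfunding.com ALLOW",  # look-alike, must not match
    "this line is malformed and is skipped",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<action>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://example[.]com/x')
    back into a lowercase hostname that can be compared against log data."""
    d = indicator.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    d = re.sub(r"^hxxps?://", "", d)   # defanged scheme
    d = d.split("/", 1)[0]             # drop any path
    return d.rstrip(".")


def hostname_matches(hostname: str, blocked: str) -> bool:
    """True for an exact match or a subdomain of the blocked domain.
    The leading dot prevents 'notexample.com' matching 'example.com'."""
    h = hostname.lower().rstrip(".")
    return h == blocked or h.endswith("." + blocked)


def find_hits(log_lines: Iterable[str], indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose hostname matches a reported domain."""
    blocked = [refang(i) for i in indicators]
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are ignored rather than raising
        for b in blocked:
            if hostname_matches(m["host"], b):
                hits.append({"ts": m["ts"], "client": m["client"],
                             "host": m["host"], "indicator": b})
                break
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, REPORTED_DOMAINS):
        print(f"{hit['ts']} client={hit['client']} host={hit['host']} matched={hit['indicator']}")
```

Matching on hostname rather than on the full URL is deliberate: Evilginx lures vary the path per victim, but the registered domain does not. Because the actor bought fresh domains only days into the conflict, the same check is worth pointing at newly registered domains from certificate transparency or domain-monitoring feeds, not only at a fixed list from a report.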

The report claimed threat actors in this conflict displayed varying degrees of sophistication and alignment with the Islamic Revolutionary Guard Corps (IRGC).

“Understanding the difference between state-sponsored and opportunistic groups is crucial for making sense of increasingly complex and interlinked cyber and kinetic conflicts,” it said.

“Key recommendations include emphasizing employee awareness of the dangers of phishing and social engineering at times of conflict and asking your security vendors to assess whether your organization might fall within the scope of a targeted camp.”

Read more on pro-Iran hacktivism: US Warns of Heightened Risk of Iranian Cyber-Attacks After Military Strikes
