Apparent Russia-linked hacking collectives backing Iran have been observed joining the cyber activity unfolding alongside the U.S.-Israel war against Iran, though analysts have mixed views on whether their involvement represents a meaningful escalation or little more than online noise.
The outlook on such “hacktivist” groups — hackers who attempt to penetrate systems and steal information for political activism — comes days after The Washington Post reported that Russia is supplying Iran with intelligence to help target U.S. forces in the Middle East and adds another dimension to the already complex cyber and information environment surrounding the war.
One well-known pro-Russia group dubbed “NoName057(16)” recently claimed massive distributed denial-of-service attacks against Israeli defense contractors and also claimed to have gained full access to the human-machine interfaces of Israeli water management systems, said Kathryn Raines, a cyber threat intelligence team lead at cybersecurity firm Flashpoint. But company analysts have not verified these claims, she said.
Distributed denial-of-service hacks, known colloquially as “DDoS” attacks, overwhelm websites with large amounts of artificial internet traffic to stop legitimate users from accessing them.
CrowdStrike has similarly observed a surge in pro-Iran hacktivists with ties to Russia. In the first few days after the war broke out on Feb. 28, one Russia-aligned hacktivist group the company dubs “Z-Pentest” claimed responsibility for compromising several U.S.-based entities, said Adam Meyers, the company’s head of counter adversary operations.
Those claims are also unverified, though “Western organizations should continue to remain on high alert for potential cyber response as the conflict continues and activity may move beyond hacktivism and into destructive operations,” he said.
The United States has long supplied Ukraine with intelligence and equipment to strike Russian targets within its borders. Now, as the war unfolds in Iran, Moscow could be seizing its own opportunity for retaliation by aiding Tehran.
“Russia is comfortable providing some proxy support to Iran, or at least taking advantage of an unstable situation,” Cynthia Kaiser, a former deputy director at the FBI’s Cyber Division, said in a LinkedIn post this weekend. “Expect exaggeration, but don’t dismiss the underlying access. These groups regularly inflate the impact of their attacks for media attention. But they have caused real physical damage to critical infrastructure. Calling their bluff shouldn’t mean ignoring the threat.”
“Russia has a variety of partner engagements with Iran that could prompt Moscow to get involved in the conflict, particularly if Russia perceives that U.S. military operations dragging out would further pull the White House’s focus from Ukraine,” said Justin Sherman, founder and CEO of Global Cyber Strategies, a Washington, D.C.-based research and advisory firm.
The Kremlin’s vast and complex cyber ecosystem allows it to leverage state elements, hired or coerced cybercriminals and patriotic hackers encouraged by propaganda to pursue its goals, Sherman said, explaining that “one of the benefits of Russia’s cyber web for the state is how the Kremlin can pick and choose its actors and capability sets as it pleases, depending on its needs.”
In a recent case, Russian state-backed groups initiated a massive global campaign targeting the Signal and WhatsApp accounts of officials, military personnel and civil servants, Dutch intelligence said Monday.
But Sherman said that attributing Russian-origin cyber operations is complex, and that analysts should try to examine which parts of Vladimir Putin’s government may have authorized an operation to better understand how Moscow would be aiding Iran in cyberspace.
Some are skeptical that Russia sharing targeting intelligence would translate directly into cyber support for Tehran.
“Russia providing intelligence assistance to the Iranian government to support kinetic strikes, and the idea of Russian cyber actors as implied by the conventional use of the phrase — i.e., those with a nexus to the Russian state — ‘joining the cyber aspect of this conflict’ are two very different things,” said Alex Orleans, a former National Security Council contractor and head of threat intelligence at Sublime Security.
“I have not encountered Russian APTs inserting themselves into a conflict to support a third-party and I’d be surprised if they did now,” he said, referring to “advanced persistent threat” groups that are typically well-resourced, highly skilled and backed by a nation-state.
Other analysts have not publicly attributed any hacktivist activity to a particular nation.
“While we have observed some initial hacktivist groups supporting the Iranian regime, these activities are in the very early stages. There is currently no clear indication that this is being directed by a state actor like Russia or Iran, and it remains difficult to verify,” said John Fokker, vice president of threat intelligence at Trellix. “That said, in any geopolitical conflict, it is common practice for involved countries to provide aid in various forms.”
Iran’s cyber capabilities have likely diminished in recent days, said Dave DeWalt, CEO of NightDragon, a venture capital firm that manages a portfolio of cybersecurity companies.
“We’ve been monitoring almost every actor and every indicator of compromise that we possibly can, and we’ve seen next to zero activity … and that’s largely because we believe that most of their cyber operations have been dismantled physically,” he said in an interview.
Israel said last week it destroyed Iran’s cyberwarfare headquarters, though it’s not immediately clear how much effect that’s had on its cyber operations.
“We’ve seen little activity from [Iran] globally, that doesn’t mean that it’s completely dismantled,” DeWalt said. “I don’t have full confirmation, but I would tell you it certainly looks like no other case I’ve seen in 20 years, where we’ve seen such silence in the digital world from [Iran].”
Asked about whether China and Russia are sharing capabilities with Iran at this point, he said those nations may be keeping their distance, but there’s possible sharing of satellite, electronic warfare and radar-jamming services. “I would not be surprised at all,” he said.

