Amazon CISO: Iranian hacking crews ‘on high alert’ since Israel attack – Source: go.theregister.com

Source: go.theregister.com – Author: Jessica Lyons

Interview: Iran’s state-sponsored cyber operatives and hacktivists have all increased their activities since the military conflict with Israel erupted last week – but not necessarily in the way that Amazon chief information security officer CJ Moses expected.

Like most world powers and wannabes, Iran has a substantive crew of government-supported hackers who do all of the usual cyber dirty work for the state: espionage, meddling in elections, spear phishing, stealing data and credentials, deploying ransomware, and in some cases breaking into water utilities and other critical infrastructure.

“Each of the different threat actors has a different goal,” Moses told The Register, adding that Amazon has learned something interesting about the Iranians: “As opposed to what we saw in Russia when they invaded Ukraine, we haven’t seen a change in their goals.”

Before Russia invaded Ukraine, the Kremlin’s state-backed or state-permitted ransomware crews switched to wiper malware, which permanently destroyed data on critical systems to support the invasion.

Iran’s cyber-warriors haven’t done the same, Moses said.

“It’s been increased activity in most cases, but of the same type,” he added. “It’s trying to gain access for whatever that particular threat actor was into in the past, whether financial gain, or theft of intellectual property. The biggest takeaway I had from it: It’s essentially a high alert, everybody go to work, but the methods and what they are doing haven’t changed.”

Moses said Amazon’s threat intel team hasn’t spotted any destructive cyberattacks since the armed conflict began. “Which is what we expected,” he said. “It may lead back to what are the goals of those particular organizations or teams. Of the things they had access to, how detrimental or beneficial to them in light of what was going on.”

This may indicate a desire to maintain access to certain critical networks or systems for future use, depending on how the military component plays out, he noted.

Moses also won’t say which Tehran-linked cyber-crews he’s talking about as Amazon doesn’t disclose its threat-group naming taxonomy. The CISO did note that “we intentionally, internally, name them differently.”

Another thing that has surprised Moses (so far) about the cyber piece of Iran’s attack strategy is its disinterest in AI.

“We haven’t seen as much as the migration towards gen AI or agentic AI from some of those threat actors,” he said.

This is unusual because some of the other gangs that Amazon tracks, both nation-state and financially motivated, “are doing agentic handoffs” that see them use various AI agents for each part of the attack chain. One agent scans for vulnerabilities, and once it spots those, it hands off the work to a different agent that works to exploit the flaw, and so on, until the criminals achieve their goal.

“That’s becoming, dare I say, normal,” Moses said.

Agentic AI gives attackers a speed boost

AWS runs a network of honeypots across its infrastructure known as MadPot, and uses tens of thousands of sensors to monitor criminals’ attempts to connect with decoys deployed in the honeypots.

“In the past, we would put a newly vulnerable instance out there and within 90 seconds it’s scanned and within three minutes somebody will attempt to take it over,” Moses said. “That timeline is changing significantly because of chained agentic AI capabilities.”

Amazon now sees attackers attempt to hijack the vulnerable instance “in near-real time,” Moses said, and credited AI agents for the speedier attacks. That means network defenders have a lot less time to protect their organizations.

“The agents are designed to do roughly one thing,” he explained. “You start off with the first, it selects what is next based on its outcome, and you chain them together to get to the outcome that you predetermine, everything from gaining access to if you are a criminal actor, trying to glean any financial capabilities out of that, or if you are a nation state actor, establishing a beachhead and performing reconnaissance from there.”

Meanwhile, the number of threat groups that Amazon tracks has increased between 30 percent and 35 percent over the past eight months for a similar reason, according to Moses.

“We attribute that back to the ability for non-software developers to get into the space, and either use agents or AI generated code,” he said. “You have a whole new generation of script kiddies using these tools but they aren’t just fumbling their way through things, they have gen AI upleveling them.”

The silver lining in all of this is that AWS also uses AI agents, and is chaining them to complete various parts of attacks in its red-teaming exercises to protect its infrastructure and customers.

“It’s this agentic battle going on, if you will,” Moses said. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/18/amazon_ciso_agentic_acceleration/
