Iranian groups have turned to cyber-enabled influence operations to fuel the regime’s objectives for geopolitical change. Read more about these techniques and what they could mean for future threats.

By Microsoft Security

Iranian state actors have latched on to a new set of preferred attack vectors over the course of the past year. Known as cyber-enabled influence operations (IO), these techniques combine offensive computer network operations with messaging and amplification to shift perceptions, behaviors, or decisions by target audiences in accordance with the perpetrator’s interests and objectives.

Iranian groups have turned to cyber-enabled IO as a way to boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities. By combining offensive cyber operations with multi-pronged IO, they are able to fuel geopolitical change in alignment with the regime’s objectives. These include bolstering Palestinian resistance, fomenting Shi’ite unrest in the Gulf, and countering the normalization of Arab-Israeli ties.

Continued improvements in Iranian threat actors’ offensive cyber methods will enhance their ability to be more selective in targeting, including against higher-profile targets, while their new influence techniques will add to the amplification, realism, and ultimate effectiveness of their campaigns.

Read on to learn about the specific techniques Iran is utilizing and what they could mean for future threats.

How is Iran using cyber-enabled IO?

The increased convergence of cyber and IO follows on the heels of highly sophisticated cyberattacks against Iran since July 2021. Iran’s inability to match these attacks likely prompted the regime to find innovative methods to retaliate in a way that appeared proportional. This is in alignment with their national security preference for proportional and directed retaliation.

Microsoft linked 24 unique cyber-enabled IOs to the Iranian government in 2022 – including 17 since mid-June – up from just seven in 2021. As cyber-enabled IO rises, we’re seeing a corresponding decline in ransomware and wiper attacks by groups linked to Iran’s military, notably the Islamic Revolutionary Guard Corps (IRGC). The IRGC’s latest string of cyber-enabled IO in the last year has leveraged low-impact, low-sophistication cyberattacks, such as defacements, which take less time and fewer resources, while dedicating more effort to its multi-pronged amplification methods.

Iranian state actors have utilized cyber-enabled IO for a number of purposes. In addition to their efforts in the Israeli-Palestinian conflict and support for the politically underrepresented Shi’ite majority in Bahrain, Iranian groups have also focused on matters closer to home. We have seen Iran adopt cyber-enabled IO to undercut the momentum of nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or to expose their “corrupt” relationships. Shortly after the outbreak of anti-government protests in Iran in late September 2022, a new cyber persona, Adll Ali, which we assess is acting on Iran’s behalf, began leaking information to slander several prominent Iranian opposition figures.

What’s next for Iran?

As Iranian state actors hone their influence techniques through the increased use of cyber-enabled IO, they have also added two new amplification methods to their toolkit.

Microsoft observed multiple Iranian actors attempting to use bulk SMS messaging in three cases in the second half of 2022, likely to amplify the psychological effects of their cyber-influence operations. Likewise, Iranian groups have begun impersonating purported victim organizations, or leading figures in those organizations, to add credibility to the effects of the cyberattack or compromise. These sock puppet accounts are often created in the weeks leading up to a publicized cyberattack or data leak.

Iranian cyberattacks and IOs will likely remain focused on retaliating against foreign cyberattacks and perceived incitement of protests inside Iran. We believe Israel, followed by the United States, is likely at the highest risk for future operations. Israeli and US organizations have consistently been the most common targets of Iranian cyber operations in the past year, with a further increase in Israeli targeting in the past six months, judging from Microsoft data.

NATO member nations and European countries may also be at a heightened risk of future Iranian cyber and influence operations. The increased aggressiveness of Iranian actors since 2021 indicates a less bounded operating environment. Likewise, we’re seeing indicators of a greater future threat for less conventional Iranian targets, as demonstrated by Iran’s first cyberattack directly against a NATO government (Albania) in July 2022.

In summary, Iranian threat groups have grown increasingly sophisticated as they seek to leverage a variety of cyberattack methods to further their geopolitical agenda. The increase in cyber-enabled IO for greater retaliatory impact is just one example of this trend.

To learn more about emerging nation-state threats, visit Microsoft Security Insider and for a more detailed report on Iranian state activity, download our full special report.

Copyright © 2023 IDG Communications, Inc.