May 2, 2023 - Technology

Iran is diving into the disinformation wars, Microsoft says


Iran's state-backed hackers are expanding their cyber playbook to include disinformation campaigns, Microsoft warned in a report Tuesday.

Driving the news: Microsoft estimates that the Iranian government was behind 24 "cyber-enabled influence operations" throughout 2022, including 17 since mid-June.

  • That was more than three times as many as in 2021, when that number stood at seven.

Why it matters: Microsoft's findings mark an escalation in Iran's adversarial cyber interests, given the country has historically leaned solely on more-traditional disruptive hacks in its operations.

  • Typically, Russia and China have been the only two U.S. adversaries that lean on disinformation in their schemes.

Threat level: While Iran's tactics are changing, the government's targets remain largely the same, Microsoft said.

  • The disinformation operations have largely focused on Israel, prominent Iranian opposition figures and Tehran's Gulf state adversaries.
  • Between October and March, Iran directed nearly a quarter of its cyber operations against Israel — although the U.S., the United Arab Emirates and Saudi Arabia also bore "the brunt of these efforts," per the report.
  • Most of these cyber-enabled influence operations are run by an Iranian group that Microsoft tracks as Cotton Sandstorm. Others call the group Emennet Pasargad.

Details: Iran currently has a "predictable playbook" in its influence operations, Microsoft said.

  • First, Iranian state-backed hackers use online accounts they've already established — including those on social media and messaging services — to "publicize and exaggerate" the impact of a low-level cyberattack.
  • Some of the posts are published on social media, while others are sent to specific targets via text message.
  • Then, a flurry of inauthentic online personas will rush to amplify and "often further hype" the impact of the attacks, the company noted.

The intrigue: Microsoft has detected a "corresponding" decline in the number of Iran-backed ransomware and wiper attacks as the government's teams shift to disinformation.

  • However, Microsoft warned that the threat of future cyberattacks on U.S. and Israeli critical infrastructure remains, as some Iranian groups are likely to be seeking new tactics for launching such attacks.
