Nov 21, 2023 - Technology

Iranian hackers seize an opening in Israel-Hamas war

Illustration of a photocopied image of a keyboard with elements of the Iranian flag.

Illustration: Aïda Amer/Axios

Iran-backed hackers are starting to take a more aggressive stance against Israel in its ongoing war with Hamas, researchers have found in recent weeks.

Why it matters: As the U.S. continues to support Israel, security experts have warned that Iran could retaliate by trying to hack American organizations and companies tied to other allies of Israel.

  • Iran's hacking activities have gotten more sophisticated in recent years — advancing from clunky, phishing-based campaigns to destructive cyberattacks on other countries, including last year's wiper malware attack on the Albanian government.

The big picture: News reports from the early days of the war suggested that Iran helped coordinate Hamas' surprise attack on Israel in early October.

  • But according to a Microsoft report this month, there's no evidence that Iranian hacking groups had prior knowledge of Hamas' plans.

Zoom out: Iran is one of the U.S.' top cyber adversaries, alongside China, Russia and North Korea.

  • Iran is best known for its espionage campaigns targeting Israel and other neighbors. However, in recent years, the country has expanded its portfolio to incorporate more destructive attacks on governments and critical infrastructure — while also advancing its espionage capabilities.

Details: Iranian hacking activity didn't start in earnest until at least 11 days into the war, according to Microsoft. But since then, researchers have uncovered evidence of destructive wiper malware, hack-and-leak operations, website takedowns and espionage campaigns.

  • At least 10 Iran-linked hacking groups are involved in the conflict, Gil Messing, chief of staff at Israel-based cybersecurity company Check Point Software Technologies, told Axios by email Monday.
  • One group, believed to be tied to Iran, started a campaign Thursday that targeted more than 150 organizations, including online retailers and web-hosting services, according to Messing.
  • In another incident last month, Microsoft found Iranian hackers hacking surveillance cameras across the region — although the locations of the compromises were a bit scattershot.

Meanwhile, other cybersecurity companies are uncovering evidence of escalating Iranian attacks leading up to the start of the war on Oct. 7.

  • CrowdStrike reported that Imperial Kitten, a hacking group with ties to Iran's Islamic Revolutionary Guard Corps, used new malware strains to hack Middle Eastern organizations across the transportation, logistics and technology sectors in both the leadup to and the early days of the war.

Between the lines: Iranian cyber actors have mostly pivoted their existing hacking campaigns to take advantage of the ongoing war, rather than starting completely new operations.

  • "One thing you can do in wartime you did not anticipate is think on your feet," said Emiel Haeghebaert, senior hunt analyst at Microsoft, during a presentation at the Cyberwarcon conference Thursday. "You react quickly, and you take advantage of operations you had already planned or are already ongoing, and you make them about the war."

Yes, but: Some Iranian hackers' claims are also being exaggerated online.

  • In the case where Iranian hackers broke into a group of web and surveillance cameras, the hackers made it seem like the intrusions were part of a sophisticated, preplanned operation.
  • But this is unlikely considering the cameras are located in random spots, Microsoft argues.

What we're watching: Experts are continuing to hunt for signs of increased Iranian hacking activity against U.S. organizations.

Go deeper