Axios Future of Cybersecurity

July 01, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,793 words, a 7-minute read.
1 big thing: Iran leans on hacktivist proxies post-strikes
Iranian state-backed hackers are borrowing from the Russian cyber playbook and sharing tools with ideologically aligned hacktivist groups in the wake of a series of military strikes, experts tell Axios.
Why it matters: Leaning on these hackers allows Iran to amplify its reach while maintaining plausible deniability and staying below the threshold of what's considered war.
Driving the news: Iran-linked hackers threatened last night to publish emails purportedly stolen from Trump allies, including White House chief of staff Susie Wiles, lawyer Lindsey Halligan and adviser Roger Stone.
- CISA and the FBI released an advisory yesterday warning that U.S. critical infrastructure, and particularly defense contractors, is at increased risk of potential Iran-linked cyberattacks.
The intrigue: Experts at cybersecurity firm Armis say they've observed Iranian nation-state actors providing tools and resources to pro-Iran hacktivist groups since Israel launched military strikes on June 13.
- Michael Freeman, head of threat intelligence at Armis, told Axios that pro-Iran hacktivists have received "a lot of help," including access to nondescript cyber weapons and hacking techniques that could help them target Western organizations.
- "Those [weapons and techniques] were being used to target more critical infrastructures within nation-states," Freeman told Axios.
- These attackers appear focused on strategic cyber campaigns, including ransomware, linked to the broader regional conflict.
- "They're definitely using these tools, gaining more access, being more careful — without getting caught," Freeman added.
The big picture: Iran increasingly mirrors Russia's model of relying on cyber proxies and psychological operations to project power.
- "This is very Russian in nature," Alexander Leslie, a threat intelligence analyst at Recorded Future, told Axios. "Using proxies for plausible deniability is essentially the essence of how they can scale these operations and remain resilient to any kind of disruption."
- Leslie added that Iran frequently leans on "pseudo-hacktivist groups" to stay just below the threshold of conventional cyber warfare.
Zoom in: A hacker tied to a well-known Russian nation-state hacking team has been sharing tools and advice in a pro-Iran hacktivist group, Freeman said.
Between the lines: Some of the most serious attacks have likely been stopped before they became public, thanks to early detection and Five Eyes intelligence-sharing, Nadir Izrael, chief technology officer at Armis, told Axios.
- "The silence isn't an indication of nothing happening," Izrael said. "It's an indication of defenses holding — and a lot of people doing a lot of work to make that happen."
State of play: Activity from pro-Iran hacktivist groups has dipped since a ceasefire was announced last week, but many of the most opportunistic actors had already pivoted to targeting last week's NATO summit.
- More than 100 hacktivist groups, 90 of which are linked to pro-Iranian positions, have been targeting organizations in Israel and throughout the Middle East, North Africa, Western Europe and North America since Israel's strikes last month, Leslie said.
- Many of those groups resurfaced during this conflict after a long hiatus, Leslie added.
- Despite broad claims of successful attacks, most of the groups' reported DDoS campaigns are unverified. "The point is to overwhelm and shape perception," Leslie said.
Threat level: Freeman warned U.S. critical infrastructure operators to take inventory of their systems and patch overlooked vulnerabilities — especially in "systems that operate systems."
- "The companies who've had to deal with the Iranian groups, that really had a good understanding of their environment, were able to detect them quickly, within a few hours," he said.
What to watch: Law enforcement and private sector partners are actively working to identify and harden vulnerable industrial systems that Iranian threat actors may be targeting.
2. Countdown to cyber policy's biggest deadline
Congress has six legislative weeks left to reauthorize a decade-old law that underpins cybersecurity threat information-sharing between the federal government and the private sector.
Why it matters: Lawmakers warn that any lapse in renewing the Cybersecurity Information Sharing Act of 2015 could prevent major companies from sharing cyber threat observations with U.S. government partners.
Driving the news: Rep. Eric Swalwell (D-Calif.) told me during an Axios event in D.C. last week that he's hearing anxiety from medium-sized companies and Fortune 500 boardrooms about what cyber intel-sharing looks like if the law isn't renewed.
- Swalwell, the top Democrat on the House Homeland Security cyber subcommittee, added that if Congress lets the program lapse, "we will be almost completely blind" to what the private sector sees in cyberspace.
State of play: The law, which expires Sept. 30, provides liability protections for companies sharing threat intelligence with the government.
- The U.S. has limited visibility into cyber activity on private networks and relies on industry to fill those gaps.
- Cyber intel sharing has already been rocky under the Trump administration, following workforce departures and the collapse of another key program.
Zoom in: With Congress in recess in August, industry officials are urging lawmakers to pass a clean reauthorization of the law, leaving it unchanged.
- "Right now, there are different avenues that this could go, but the important part is that it is passed so there is not a lapse in authorities," Hannah Specogna, government affairs manager at the Information Technology Industry Council, told Axios. "Clean extension is the more preferred route."
- A bipartisan Senate pair has introduced a clean reauthorization bill, while House lawmakers are weighing updates — including to the definition of "cyber threat indicators."
What to watch: Swalwell noted Sen. Rand Paul (R-Ky.) may have his own issues with a clean renewal, which could complicate efforts to keep the law running after Sept. 30.
- "We can probably get this out of the House, but the Senate and its homeland security chair over there has a lot of issues with this," Swalwell said.
- Lawmakers are also weighing backup options, such as a short-term extension to allow more time to debate changes.
3. Exclusive: An Okta phishing site in 30 seconds
In as little as 30 seconds, hackers are using a popular generative AI development tool to build phishing sites mimicking login pages, according to researchers at identity management company Okta.
Why it matters: At least one of the cloned phishing pages was a replica of Okta's own login portal.
- If successful, such a lure could have allowed attackers to harvest users' Okta credentials and gain access to sensitive corporate systems.
Driving the news: In a report first shared with Axios, Okta revealed that threat actors have been abusing Vercel's v0 to generate a fake Okta sign-in page.
- Brett Winterford, vice president of Okta Threat Intelligence, told Axios that this is the first time the company has seen cybercriminals use a generative AI tool to create the phishing infrastructure itself, not just the contents of a phishing email or other lure.
How it works: v0 allows users to create websites using only natural-language prompts.
- In a video shared with Axios, Okta researchers demonstrated how easily they could create a convincing phishing page simply by prompting v0 to "build a copy of the website login.okta.com."
- While investigating the incident, Okta also uncovered phishing sites hosted on Vercel's platform targeting users of cryptocurrency services and Microsoft 365.
Threat level: Winterford said Okta doesn't have any evidence yet that hackers successfully harvested credentials through these sites.
- But in the weeks that Okta spent investigating the one instance of a phishing site targeting one of its customers, researchers observed threat actors had used v0 to spin up new sites targeting other tech platforms.
- Vercel has since removed access to the identified phishing sites and is collaborating with Okta to develop mechanisms for third-party reporting of abuse on the v0 platform.
- "Like any powerful tool, v0 can be misused," Ty Sbano, CISO at Vercel, told Axios in a statement. "This is an industry-wide challenge, and at Vercel, we're investing in systems and partnerships to catch abuse quickly and keep v0 focused on what it does best: helping people build powerful web apps."
The big picture: Security researchers have long warned that generative AI could accelerate low-sophistication cyberattacks like phishing.
- "We've got to stop adding to our defensive measures by increment and just tweaking around the edges," Winterford said. "The attackers are going to innovate faster than we can as defenders."
The intrigue: Okta also found cloned versions of the v0 tool circulating on GitHub, meaning hackers could continue generating phishing sites even if Vercel cracks down on abuse.
The bottom line: Okta says the only way to defend against these phishing attacks is to turn to passwordless technologies, noting that the old ways of spotting a phishing website don't apply anymore.
4. Catch up quick
@ D.C.
⚠️ The Treasury Department didn't deploy cybersecurity measures that could have prevented the three major hacks that it's faced in the last five years. (Bloomberg)
🔍 The Department of Homeland Security is rolling out a new, searchable national citizenship data system that was built quickly without public input. (NPR)
🧊 The relationship between the private and public sectors is on thin ice as government leaders cancel meetings with infrastructure operators, stop attending industry events, and force out longtime officials, executives say. (Cybersecurity Dive)
@ Industry
💰 Rubrik is buying AI startup Predibase in a deal valued between $100 million and $500 million. (CNBC)
📈 Cybersecurity venture funding bounces back as major data leaks and hacks dominate the news and help push security companies' profiles. (Axios Pro)
🤖 Only one in five executives say they're confident in their ability to secure generative AI models against cyber risks, according to a recent Accenture survey. (Axios)
@ Hackers and hacks
✈️ Scattered Spider has started targeting the aviation and transportation sectors after hitting retail and insurance companies. (Axios)
🇰🇵 U.S. law enforcement arrested a New Jersey man and searched laptops across 16 states as part of a crackdown on a North Korean remote IT worker operation that has affected more than 100 companies. (CNN)
🏥 U.K. health officials say that a ransomware attack on NHS's blood services contributed to a patient's death. (Bloomberg)
5. 1 fun thing: How Will Hurd is using AI
Former Rep. Will Hurd (R-Texas) told me at an Axios reception in D.C. last week that he's made AI a core part of his daily routine:
- 🍼 Parenting: "I just had a daughter, she's 16 weeks old," he said. "I have asked all the AI systems every imaginable thing about infant poop, what kind of stories should I be telling her, how long should she be sleeping, how do I sleep train."
- 🖊️ Writing: "I am notorious for using the passive voice, so when I write something, I load it up," he said. "And I use all the models. I use Claude, I use ChatGPT, I use Gemini."
- 📆 Scheduling: "It takes me about two hours to plan my week," he said. "I have a running list of my to-dos, I have a grocery list, I have all this and then I use the audio back and forth, talking with it" to schedule my week.
The bottom line: Too few lawmakers use AI, Hurd argued — and if they don't use it, how can they regulate it?
☀️ See y'all next week!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.