Iran regime ratchets up cyberattacks in wake of Soleimani’s death
Iran’s hacking attempts have significantly increased in 2020. In early January, cyberattacks that were traced back to Iranian IP addresses nearly tripled in just two days.
This is most likely a response to US President Donald Trump’s order to kill top Iranian general Qassem Soleimani, who enjoyed enormous influence in directing the Iranian regime’s foreign policy, was a staunch and loyal confidant of Supreme Leader Ali Khamenei, and was the head of the Quds Force — the elite branch of the Islamic Revolutionary Guard Corps (IRGC) that is mandated to carry out extraterritorial operations in order to export Tehran’s revolutionary principles and increase its influence in other countries in the Middle East.
From the Iranian leaders’ perspective, they have yet to take revenge, as Soleimani’s death was a significant blow to the theocratic establishment. This is because he was an irreplaceable asset for the ruling mullahs. He had built deep connections with the leaders of militia and terror groups across the region and was in charge of extraterritorial operations, including organizing, supporting, training, arming and financing predominantly Shiite militia groups. He was also responsible for launching wars directly or indirectly via these proxies; fomenting unrest in other nations to advance Iran’s ideological and hegemonic interests; attacking and invading cities and countries; and assassinating foreign political figures and powerful Iranian dissidents worldwide.
After Soleimani’s death, Iranian hackers defaced many websites, including those of the Texas Department of Agriculture and an Alabama veterans’ group. They posted an image of Soleimani, accompanied by the message: “Hacked by Iranian hacker.” A website belonging to the US Government Publishing Office was also defaced, with the Iranian hackers posting a mocked-up image of Trump being hit by a fist.
Iranian hackers mainly tend to target political, financial and energy institutions. In late January, the Iran-linked threat actor APT34 was reportedly detected sending malicious email attachments to the US-based services company Westat. Many US state and local institutions, as well as dozens of federal agencies, use Westat to carry out research. The targeted emails asked recipients to fill in a survey about how Westat was performing by downloading an Excel spreadsheet. Opening that spreadsheet also installed malware on the recipient’s computer without their knowledge, so the lure worked as a delivery vehicle rather than a genuine survey.
The Iranian regime has also been targeting journalists and dual nationals of Iranian origin living in the West, particularly the Iranian-American community. Last November, Iranian-born German academic Erfan Kasraie received a malicious email, written in Farsi, purportedly sent by journalist Farnaz Fassihi, who was said to be working with the Wall Street Journal. Fassihi was previously affiliated with that publication but now works for the New York Times.
The same message was sent to journalists working for international outlets including CNN and Deutsche Welle, according to a Reuters report last week. The email asked each recipient to answer some questions and share their “important achievements” in order to “motivate the youth of our beloved country.” To view and answer the questions, they were told to enter their Google password. Any password typed into that prompt went to the attackers, who then had access to the account and could impersonate the journalist in turn.
Some of the emails asked the recipient to sign a contract to sell some of their pictures to the Wall Street Journal. The Israeli firm ClearSky Cyber Security provided evidence that two media figures at CNN and Deutsche Welle were impersonated. The London-based cybersecurity company Certfa blamed the Iranian hacking group nicknamed Charming Kitten for these attacks.
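The two lures described above, the survey spreadsheet sent to Westat staff and the journalist impersonation that asks for a Google password, share a handful of signals a mail gateway or analyst can check for mechanically. The following triage script is an added example, not part of the original column or the work of ClearSky or Certfa; the three messages it inspects are constructed samples, and the contact name, addresses and domains in them are assumptions for illustration only.

```python
"""Triage heuristics for impersonation and credential-phishing lures.

Added example (not from the article or any vendor report). The sample
messages and the KNOWN_CONTACTS entry are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: display names the recipient already knows, with the address
# each legitimately uses. The same name arriving from any other address is
# a display-name impersonation, the pattern used against the journalists.
KNOWN_CONTACTS = {
    "farnaz fassihi": {"reporter@example-nytimes.test"},
}

# Hosts where a genuine Google sign-in lives; a message that asks for a
# Google password but links elsewhere is a credential lure.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'>]+", re.I)
# Office formats that can carry macros, the usual payload of a "survey" spreadsheet.
MACRO_EXTENSIONS = (".xlsm", ".xls", ".docm", ".doc")


def triage(raw_message: str) -> list[str]:
    """Return a list of findings for one RFC 822 message (empty = nothing flagged)."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Known display name, unknown sending address.
    display_name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(display_name.strip().lower())
    if known is not None and addr.lower() not in known:
        findings.append(f"display-name impersonation: '{display_name}' from {addr}")

    # Collect plain-text body and attachment names across all MIME parts.
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(body_parts)

    # 2. Asks for a Google password but every link points off-Google.
    asks_for_google_password = re.search(r"google\s+password", body, re.I) is not None
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if asks_for_google_password and host not in GOOGLE_LOGIN_HOSTS:
            findings.append(f"Google-credential lure pointing at non-Google host: {host}")

    # 3. Macro-capable Office attachment.
    for name in attachments:
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-capable Office attachment: {name}")

    return findings


# Constructed sample: legitimate follow-up from the real contact address.
BENIGN = """\
From: Farnaz Fassihi <reporter@example-nytimes.test>
To: target@example.test
Subject: Follow-up
Content-Type: text/plain; charset=utf-8

Thanks for your time yesterday. Sign in at https://accounts.google.com/ to see the shared doc.
"""

# Constructed sample: journalist impersonation plus a fake Google sign-in link.
PHISH_CREDENTIAL = """\
From: Farnaz Fassihi <f.fassihi@mail-service.test>
To: target@example.test
Subject: Questions for a story on young Iranians
Content-Type: text/plain; charset=utf-8

Please answer the questions below to motivate the youth of our beloved country.
Enter your Google password to view them:
http://drive-google-docs.test/view?id=123
"""

# Constructed sample: "performance survey" with a macro-enabled spreadsheet attached.
PHISH_ATTACHMENT = """\
From: Survey Team <survey@feedback-portal.test>
To: target@example.test
Subject: How is our company performing?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please fill in the attached survey.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="survey.xlsm"
Content-Disposition: attachment; filename="survey.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("credential lure", PHISH_CREDENTIAL),
                          ("attachment lure", PHISH_ATTACHMENT)]:
        print(label, triage(sample))
```

None of these checks proves malice on its own; the value is that each lure in the column trips at least one of them while a genuine message from the same journalist trips none, which is what makes them useful as a first-pass filter before a human looks at the mail.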
Iran has invested significant capital in its cyber program. The Israel-based Institute for National Security Studies acknowledged in 2016 that: “The IRGC clearly makes the country one of the best and most advanced nations when it comes to cyberwarfare. In a case of escalation between Iran and the West, Iran will likely aim to launch a cyberattack against critical infrastructures in the United States and its allies, (targeting) energy infrastructure, financial institutions, and transportation systems.”
This is not the first time that the Iranian regime has been engaged in such extreme activities, targeting innocent and vulnerable people and organizations. In 2016, the US Justice Department indicted seven Iranian citizens for distributed denial of service attacks against 46 companies mainly in the banking and financial sectors.
In addition, US intelligence concluded that the Islamic Republic was behind the “Shamoon” virus that targeted the computers of Saudi Arabia’s Aramco oil corporation in 2012. And, in November 2018, two people based in Iran were charged over a series of ransomware attacks on US targets, including the attack that crippled the city of Atlanta’s government, as well as attacks on hospitals, schools, state agencies and other institutions. Data from these institutions was encrypted and held hostage in exchange for ransom payments.
The Iranian regime must be held accountable for deliberately carrying out cyberattacks and hacking vulnerable individuals and organizations.
- Dr. Majid Rafizadeh is an Iranian-American political scientist. He is a leading expert on Iran and US foreign policy, a businessman and president of the International American Council. Twitter: @Dr_Rafizadeh