IRAN Update 10 Jan 2020

Key Findings

Vigilante assesses that cyber threat actors will continue to exploit the current fallout surrounding Iran to meet their own ends, complicating efforts to differentiate between official state sponsorship, hacktivism, independent threat actors showcasing their expertise, and disinformation campaigns; all increasing the risk of a policy miscalculation.

Vigilante notes an increasing amount of cyber-related activity on several fronts in response to the death of Qasem Soleimani and the subsequent retaliation by the Iranian military: website defacements, social media account takeovers, disinformation campaigns, rampant accusations of “hacks”, and calls for increased cyber-attacks against the US and its allies.

Vigilante urges vigilance and cooperation as Iranian-sponsored cyber actors, and other cyber actors sympathetic to Iran, become more overtly aggressive in their attempts to penetrate US and US-affiliated websites, servers, databases, and infrastructure.

Vigilante continues to monitor the situation and will report as actionable intelligence is acquired.

Exposition

Website Defacements Proliferate in Immediate Aftermath of Iran Actions

Vigilante uncovered preliminary evidence suggesting that the group calling itself “Iran Cyber Security Group Hackers”, which claimed responsibility for defacing the website of the US government’s Federal Depository Library Program (FDLP), is likely not Iranian state-sponsored but rather lower-tier hackers trying to make a name for themselves, which complicates attribution during this tense period. Vigilante places medium confidence in this assessment, based on trusted but uncorroborated human sources and on preliminary intelligence indicating that the group recycled defacement templates and usernames from a 2015 campaign that was also run against US government sites.
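The template-and-handle overlap that underpins the assessment above can be checked mechanically. The following is an added example, not code or data from the original report: it fingerprints the tag structure of a defacement page, strips volatile counters and dates before comparing visible text, and pulls out the handles advertised in "Hacked by" and "Greetz" lines, then scores a new defacement against an older one. The three HTML pages, the group and handle names, and the similarity threshold are all constructed for illustration and do not correspond to the FDLP defacement or the 2015 campaign.

```python
"""Flag reuse of defacement templates and handles across incidents.

Added example with constructed sample pages; none of the HTML, group
names or handles below are real captures.
"""
import hashlib
import re
from difflib import SequenceMatcher

# Constructed stand-in for the earlier (2015) defacement page.
PRIOR_2015 = """<html><head><title>Hacked By CyberGroupX</title></head>
<body bgcolor="#000000"><center>
<h1>Hacked By CyberGroupX</h1>
<p>Greetz: h4ck3r_01, dark_root, NullByte</p>
<p>Hits: 1337 | 2015-08-14 03:12:55</p>
</center></body></html>"""

# Constructed stand-in for a new (2020) defacement using the same kit.
NEW_2020 = """<html><head><title>Hacked By CyberGroupX</title></head>
<body bgcolor="#000000"><center>
<h1>Hacked By CyberGroupX</h1>
<p>Greetz: h4ck3r_01, dark_root, ZeroCool</p>
<p>Hits: 42 | 2020-01-05 17:44:03</p>
</center></body></html>"""

# Constructed unrelated defacement for contrast.
UNRELATED = """<html><body>
<div class="box">Owned by AnonTeam - We are legion</div>
<script>alert('pwned')</script>
</body></html>"""

TAG_RE = re.compile(r"<[^>]+>")
HANDLE_PATTERNS = [
    # "Hacked by X", "Owned by X", "Defaced by X"
    re.compile(r"(?:hacked|owned|defaced)\s+by\s+([A-Za-z0-9_\-]+)", re.I),
    # "Greetz: a, b, c" shout-out lists are a common place for recycled names
    re.compile(r"greetz?\s*:\s*([^<\n]+)", re.I),
]


def skeleton(html: str) -> str:
    """Tag-only view of the page: the template minus any visible text."""
    return " ".join(tag.lower() for tag in TAG_RE.findall(html))


def template_hash(html: str) -> str:
    """Stable fingerprint of the tag skeleton for bulk matching."""
    return hashlib.sha256(skeleton(html).encode()).hexdigest()


def visible_text(html: str) -> str:
    """Visible text with digit runs masked so hit counters and dates do not skew similarity."""
    text = TAG_RE.sub(" ", html)
    text = re.sub(r"\d+", "#", text)
    return " ".join(text.lower().split())


def text_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, visible_text(a), visible_text(b)).ratio()


def extract_handles(html: str) -> set:
    """Lower-cased handles advertised on the page (group name plus greetz list)."""
    text = TAG_RE.sub(" ", html)
    handles = set()
    for pattern in HANDLE_PATTERNS:
        for match in pattern.finditer(text):
            for handle in re.split(r"[,\s]+", match.group(1)):
                if handle:
                    handles.add(handle.lower())
    return handles


def compare(prior: str, candidate: str, sim_threshold: float = 0.8) -> dict:
    """Score a candidate defacement against a prior one on three independent signals."""
    shared = extract_handles(prior) & extract_handles(candidate)
    same_template = template_hash(prior) == template_hash(candidate)
    similarity = text_similarity(prior, candidate)
    signals = sum([same_template, similarity >= sim_threshold, bool(shared)])
    if signals >= 2:
        verdict = "likely reuse of prior kit and handles"
    elif signals == 1:
        verdict = "weak overlap"
    else:
        verdict = "no overlap"
    return {
        "same_template": same_template,
        "text_similarity": round(similarity, 3),
        "shared_handles": shared,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, page in (("2020 page", NEW_2020), ("unrelated page", UNRELATED)):
        print(label, compare(PRIOR_2015, page))
```

Overlap on all three signals supports the "recycled 2015 material" reading, but note the caveat: defacement kits and greetz lists circulate freely among low-tier crews, so template reuse argues against a bespoke state operation without identifying who actually ran the new defacement.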

Within 48 hours of Soleimani’s death, at least 300 websites, primarily US-affiliated and including the FDLP’s, were defaced with pro-Iran and anti-US slogans and images. Vigilante assesses that these defacements were carried out primarily by entities not affiliated with the Iranian state that may have an affinity for the current Iranian regime.


Social Media Remains Battleground for Messaging, Disinformation Campaigns

Almost immediately following Soleimani’s death, cyber actors of all persuasions took to the major social media platforms to promulgate their own hyperbolic political messaging, including taking over legitimate accounts to post exaggerated, often distasteful comments about the opposition. Regardless of the content, the endgame of these antics is to exaggerate the opposition’s proclivities while magnifying the virtue of one’s own side, which deepens societal divisions, muddies the waters, and manufactures hysteria intended to destabilize an otherwise stable society.

For example, former Australian cricket coach Darren Lehmann’s Twitter account was hijacked, and the hijackers tweeted several hyperbolic statements on Soleimani’s death, which followers took as genuine until Lehmann clarified that his account had been hacked.

Other, more prolific social media users are calling on Iran to escalate its cyber attacks against US infrastructure, including calls to hack the US Internal Revenue Service (IRS) and other prominent US government entities.

Vigilante highlights that there is no compelling evidence at this time that any of these campaigns are being conducted at the behest of the Iranian government, their common goals and tradecraft notwithstanding. However, Iranian-backed proxy groups are almost certainly active and cannot be ruled out as perpetrators of some of these antics. Vigilante continues to monitor its intelligence streams for additional insight.

Vigilante further notes that most cyber campaigns carried out by a capable government’s intelligence service (Iranian intelligence services are well funded and capable of conducting complex, sustained intelligence operations) are multi-faceted and designed to hide the sponsor’s hand, which further complicates attribution.