On May 2, 2023, Microsoft announced that Iran had been “rapidly accelerating” cyberattacks since mid-2022. The tech giant attributed 24 cyber operations since June 2022 to Iran’s so-called Cotton Sandstorm, which the U.S. Treasury had also linked to cyberattacks on the 2020 presidential election. The Iranian operations were largely targeting Israel, Iranian opposition, and Gulf rivals. “Iran directed nearly a quarter (23%) of its cyber operations against Israel between October of 2022 and March of 2023, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts,” the report said. The following is the assessment from Microsoft followed by a timeline of significant cyberattacks involving Iran as well as the United States and/or Israel assembled by The Iran Primer.
Iran continues to be a significant threat actor, and it is now supplementing its traditional cyberattacks with a new playbook, leveraging cyber-enabled influence operations (IO) to achieve its geopolitical aims.
Microsoft has detected these efforts rapidly accelerating since June 2022. We attributed 24 unique cyber-enabled influence operations to the Iranian government last year – including 17 from June to December – compared to just seven in 2021. We assess that most of Iran’s cyber-enabled influence operations are being run by Emennet Pasargad – which we track as Cotton Sandstorm (formerly NEPTUNIUM) – an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US Presidential Elections.
Though Iran’s techniques may have changed, its targets have not. These operations remain focused on Israel, prominent Iranian opposition figures and groups, and Tehran’s Gulf state adversaries. More broadly speaking, Iran directed nearly a quarter (23%) of its cyber operations against Israel between October of 2022 and March of 2023, with the United States, United Arab Emirates, and Saudi Arabia also bearing the brunt of these efforts.
Iranian cyber actors have been at the forefront of cyber-enabled IO, in which they combine offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives. The goals of its cyber-enabled IO have included seeking to bolster Palestinian resistance, fomenting unrest in Bahrain, and countering the ongoing normalization of Arab-Israeli ties, with a particular focus on sowing panic and fear among Israeli citizens.
Iran has also adopted cyber-enabled IO to undercut the momentum of nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or to expose their “corrupt” relationships.
Most of these operations have a predictable playbook, in which Iran uses a cyber persona to publicize and exaggerate a low-sophistication cyberattack before seemingly unassociated inauthentic online personas amplify and often further hype the impact of the attacks, using the language of the target audience. New Iranian influence techniques include their use of SMS messaging and victim impersonation to enhance the effectiveness of their amplification.
These are a few of the insights in a new Microsoft Threat Intelligence report on Iranian cyber-enabled IO. The report highlights how Iran is leveraging these operations to retaliate against external and internal threats more effectively. It also looks at what actions we might see them take in the months ahead, including the increased speed with which they are operationalizing newly reported exploits.
As some Iranian threat groups have turned to cyber-enabled IO, we have detected a corresponding decline in Iran’s use of ransomware or wiper attacks, for which they had become prolific in the past two years.
At the same time, the future threat of increasingly destructive Iranian cyberattacks remains, particularly against Israel and the United States, as some Iranian groups are likely seeking cyberattack capabilities against industrial control systems. Iranian cyberattacks and influence operations are likely to remain focused on retaliating against foreign cyberattacks and perceived incitement of protests inside Iran.
Microsoft invests in tracking and sharing information on Iranian cyber-enabled IO so that customers and democracies around the world can protect themselves from attacks. We will publish semi-annual updates on these and other nation-state actors to warn our customers and the global community of the threat posed by such operations, identifying specific sectors and regions at heightened risk.
Click here for the full Microsoft report.
Timeline of Cyberattacks
Dec. 18, 2009: Twitter’s homepage was hacked and defaced by a group claiming to be the “Iranian Cyber Army” in response to the Green Revolution protests.
June 2010: The Stuxnet computer worm, allegedly developed by Israel and the United States, was detected in computers at the Bushehr nuclear power plant. The malware then spread to other facilities. By September, 30,000 computers across at least 14 facilities—including the Natanz facility—were reportedly infected. Stuxnet manipulated the drives controlling IR-1 centrifuges, forcing the rotors to spin at speeds outside their safe operating range until they broke. At least 1,000 of the 9,000 centrifuges installed at Natanz were destroyed, the Institute for Science and International Security estimated. After conducting investigations, Iran blamed Israel and the United States for the attack.
Sept. 25, 2010: Iran’s Atomic Energy Organization said it was fighting malware that targeted its nuclear facilities. An Iranian official said 30,000 computers had been infected by Stuxnet.
April 2011: Iran’s cyber defense agency discovered a virus nicknamed “Stars” that was designed to infiltrate and damage its nuclear facilities. The virus mimicked official government files and inflicted “minor damage” on computer systems, according to Gholam Reza Jalali, the head of Iran’s Passive Defense Organization. Iran blamed the United States and Israel.
April 2012: Iran discovered the “Wiper” malware erasing the hard drives of computers owned by the oil ministry and the National Iranian Oil Company. “Wiper” appeared to be similar in design to Duqu and Stuxnet, thought to have been developed by Israel and the United States. Iran blamed the United States and Israel for the attack.
May 2012: Iran announced that a virus dubbed “Flame” had infected government computers and had tried to steal government data. In Israel, Vice Prime Minister Moshe Yaalon did not confirm the nation’s involvement but acknowledged that Israel would use “all means... to harm the Iranian nuclear system.”
June 19, 2012: Western officials told The Washington Post that the United States and Israel had deployed the Flame virus to collect intelligence on Iranian computer networks in order to prepare for a cyberwarfare campaign.
July 2012: Iranian hackers targeted Israeli government officials with a cyber espionage tool nicknamed Madi. The malware logged keystrokes, recorded audio, and stole documents.
August 2012: The Shamoon virus erased three-quarters of all corporate computers owned by Saudi Aramco and replaced the data with an image of a burning American flag. U.S. officials blamed Iran for the cyberattack.
Sept. 11, 2012: A group called the Izz ad-Din al-Qassam Cyber Fighters directed a DDoS attack against U.S. banking infrastructure in a cyber campaign named Operation Ababil.
Oct. 12, 2012: U.S. officials blamed Iranian hackers with ties to the government for attacks against U.S. banks and Saudi oil facilities.
Jan. 8, 2013: U.S. officials blamed Iran for the Operation Ababil banking cyberattacks.
February 2013: Symantec Corp researchers found pieces of Stuxnet code that had been used to infiltrate systems at Natanz in November 2007, some two years earlier than previously reported. But the researchers could not determine if the earlier version of the virus had caused any damage.
Sept. 27, 2013: Iranian hackers compromised unclassified U.S. Navy computers in the midst of talks over Iran’s nuclear program.
February 2014: Iranian hackers targeted Sheldon Adelson’s Las Vegas Sands Corp. The attack shut down communications systems and wiped hard drives clean.
June 2015: Security experts in Israel discovered a cyberespionage campaign that started in 2012. Hackers using malware – dubbed “Explosive” by the security company Check Point – tried to steal data from military suppliers, media agencies, telecommunications firms, and universities in about a dozen countries. Researchers said the attack appeared to be the work of Hezbollah and an Iranian hacker.
June 2015: The cybersecurity company ClearSky discovered a widespread “phishing” operation targeting over 500 academic researchers in Israel, Saudi Arabia and other Middle Eastern countries. The cyberespionage dated as far back as 2011 and was linked to Iranian interests.
November 2015: IRGC hackers targeted State Department and other Obama administration officials.
March 24, 2016: The Department of Justice indicted seven Iranian hackers for cyberattacks against U.S. banks and a New York dam. It claimed the hackers worked on behalf of the Iranian government and the IRGC.
Nov. 11, 2016: The Shamoon virus resurfaced in Saudi Arabia, according to Symantec.
Jan. 2017: An updated Shamoon virus targeted Saudi government computer systems at petrochemical plants.
April 2017: The Iranian hacker group OilRig attempted to launch a cyberespionage operation against over 250 Israeli targets. The hackers tried to use a vulnerability in Microsoft Word to gain access to the systems of government officials and computing companies. Israel’s Cyber Defense Authority thwarted the attack. Cybersecurity experts said that the attempt showed that the hackers were using increasingly sophisticated methods. “This is one of the more advanced fileless campaigns I’ve seen,” Michael Gorelik, vice president of Israeli security firm Morphisec, said. “It was a targeted, large campaign using quite a big infrastructure.”
Aug. 2017: A failed cyberattack attempted to trigger an explosion at a Saudi petrochemical company.
March 22, 2018: A ransomware attack known as SamSam crippled Atlanta’s city government.
May 9, 2018: Cybersecurity firm CrowdStrike warned about a “notable” increase in Iranian cyberactivity within 24 hours of the Trump administration’s withdrawal from the JCPOA.
July 20, 2018: U.S. senior officials warned Iran had prepared for extensive cyberattacks against the United States and European infrastructure.
September 2018: The Trump administration allegedly issued a presidential finding that allowed the CIA to conduct more aggressive cyberattacks against Iranian critical infrastructure.
Oct. 28, 2018: The head of Iran’s civil defense agency claimed that it had neutralized a “new generation” of the Stuxnet virus attempting to damage communications infrastructure. Iranian officials blamed Israel for the attack. “Thanks to our vigilant technical teams, it failed,” Telecommunications Minister Mohammad Javad Azari Jahromi said.
Dec. 5, 2018: The Department of Justice indicted two Iranian nationals for the SamSam ransomware attack against the city of Atlanta.
Jan. 2019: Cybersecurity firm FireEye detailed a two-year campaign by Iran to steal login credentials and business details in the Middle East, Europe and North America.
March 2019: Before Israel’s parliamentary election, Iranian intelligence allegedly hacked the phone of Benny Gantz, leader of the Blue and White party.
March 6, 2019: Microsoft said Iranian cyberattacks had targeted over 200 companies in the past two years.
April 2019: A hack against Iranian data centers left a U.S. flag on Iranian computer screens along with a message not to interfere with American elections.
June 17, 2019: Tehran claimed it dismantled a CIA-run cyber espionage network in Iran.
June 20, 2019: The United States conducted a cyberattack after Iran’s attacks against oil tankers in the Strait of Hormuz and downing of a U.S. drone. U.S. officials later told The New York Times that the attacks wiped clean an IRGC database used to plan the tanker attacks.
June 22, 2019: The Department of Homeland Security said Iran had increased its “malicious cyber activity” against U.S. government agencies and private industry.
June 26, 2019: Netblocks reported widespread internet disruption in Iran.
July 17, 2019: Microsoft said nearly 10,000 customers had been targeted by state-sponsored cyberattacks from Iran, Russia, and North Korea in the previous year.
September 2019: The United States conducted a cyberattack against Iran in retaliation for a drone and missile attack against Saudi oil facilities. U.S. officials told Reuters the operation targeted physical hardware related to Iran’s ability to disseminate propaganda.
Oct. 4, 2019: Microsoft said that the Iranian hacker group Phosphorus had tried to breach accounts associated with a U.S. presidential campaign. The hackers failed to breach accounts connected with President Trump’s re-election campaign as well as the accounts of journalists and U.S. officials.
Oct. 22, 2019: Court documents revealed that the FBI had tracked Iranian hackers who breached American satellite technology companies.
Jan. 25, 2020: The United States blocked access to “farsnews.com,” the English language web address for the Revolutionary Guard-affiliated Fars News Agency.
Feb. 8, 2020: Netblocks reported that national internet connectivity in Iran fell to 75 percent after Iran activated cyber countermeasures to a DDoS attack.
Feb. 14, 2020: The head of Iran’s civil defense organization blamed the United States for a DDoS cyberattack that led to hours of service disruption.
April 2020: Hackers linked to Iran reportedly conducted a phishing attack against top executives at Gilead Sciences Inc, a U.S. drugmaker. Researchers at the Israeli cybersecurity firm ClearSky traced the web domain and servers employed in the attack back to Iran.
April 2020: Iran reportedly hacked into Israel’s Water Authority systems to increase chlorine levels in water for residential use. Water pumps at a station in southern Israel malfunctioned, but the water supply was not contaminated.
May 9, 2020: A cyberattack hit computers that regulate maritime traffic at Shahid Rajaee port on Iran's southern coast in the Persian Gulf. The disruption created a traffic jam of ships that waited days to dock. Iran acknowledged that it had been hit by a foreign hack. Israel was reportedly behind the cyberattack, although it did not claim responsibility, according to The Washington Post.
June 4, 2020: Google said that Iranian hackers with APT 35 conducted a phishing attack against President Trump’s reelection campaign. The hackers failed to gain access to any staffer email accounts.
July 16, 2020: IBM said that Iranian hackers with APT 35/Charming Kitten breached the Google account of a U.S. Navy official and targeted State Department employees with phishing attacks.
Sept. 2, 2020: The Justice Department took down two domains - “Aletejahtv.com” and “Aletejahtv.org”- affiliated with Kataib Hezbollah, an Iranian-backed militia in Iraq.
Sept. 17, 2020: The Treasury sanctioned two groups for cyber espionage. The new sanctions covered Rana Intelligence Computing Company, an Iranian cyber firm, and a cyber espionage group dubbed “Advanced Persistent Threat 39 (APT 39)” by U.S. cyber security companies. The Treasury also designated 45 individuals employed by Rana. All were allegedly working – directly or indirectly – for the Ministry of Intelligence and Security (MOIS).
Sept. 30, 2020: Twitter removed 150 accounts that it said "appeared to originate in Iran" and were "attempting to disrupt the public conversation during the 2020 U.S. presidential debate."
September-October 2020: A hacker group allegedly linked to Iran targeted “many prominent Israeli organizations” in September, according to two Israeli cybersecurity companies. ClearSky and Profero, the firms, said that they had thwarted the large-scale operation launched by MuddyWater, a group that previously worked for Iran’s Revolutionary Guards. MuddyWater had used malware disguised as ransomware. The malware was designed to encrypt files and demand payment, “but the malware was modified so that it could not revert and decrypt the files,” according to a report by ClearSky. In other words, the sample behaved as a wiper wearing a ransom note: no key was retained that could restore the data.
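The distinction ClearSky draws above (encryption that can be reverted versus encryption whose key is thrown away) is the one an incident responder has to establish before anyone considers paying. The Python below is an added illustration, not MuddyWater's code or anything from the ClearSky report: a toy stream cipher and two runners that share the same encryption routine but differ only in whether the key survives. The file names, contents and the "escrow" of the key to an operator are constructed for the example; the cipher is SHA-256 in counter mode plus an HMAC tag and is not a real ransomware design.

```python
"""Toy model: genuine ransomware vs. pseudo-ransomware wiper (added example, not real malware).

Everything is in memory; nothing is written to disk. The cipher is illustrative only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample "victim files" for the demonstration.
SAMPLE_FILES: Dict[str, bytes] = {
    "q3_report.docx": b"Quarterly figures: revenue up 4%",
    "backup.sql": b"INSERT INTO users VALUES (1, 'alice');",
}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Toy construction for the example, not a vetted cipher."""
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC-SHA256 tag. The tag lets decrypt() detect a wrong key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not verify the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def encrypt_files(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    """The routine both variants share: every file is encrypted under one session key."""
    return {name: encrypt(data, key) for name, data in files.items()}


def recover_files(encrypted: Dict[str, bytes], key: Optional[bytes]) -> Optional[Dict[str, bytes]]:
    """Responder-side check: can every file be restored with the key material actually held?

    Returns the plaintexts, or None if there is no key or the key fails on any file.
    """
    if key is None:
        return None
    recovered = {}
    for name, blob in encrypted.items():
        plaintext = decrypt(blob, key)
        if plaintext is None:
            return None
        recovered[name] = plaintext
    return recovered


def run_ransomware(files: Dict[str, bytes]) -> Tuple[Dict[str, bytes], bytes]:
    """Genuine ransomware: the session key is kept by the operator (modelled here as a returned value,
    standing in for exfiltration to a command-and-control server), so decryption is possible."""
    key = secrets.token_bytes(32)
    return encrypt_files(files, key), key


def run_pseudo_ransomware_wiper(files: Dict[str, bytes]) -> Tuple[Dict[str, bytes], None]:
    """Same encryption routine, but the key is discarded after use: a ransom note can still be
    displayed, yet no party, operator included, can revert the files."""
    key = secrets.token_bytes(32)
    encrypted = encrypt_files(files, key)
    del key  # the only copy is gone; this is what turns "ransomware" into a wiper
    return encrypted, None


if __name__ == "__main__":
    enc, held_key = run_ransomware(SAMPLE_FILES)
    print("ransomware recoverable:", recover_files(enc, held_key) == SAMPLE_FILES)
    enc, held_key = run_pseudo_ransomware_wiper(SAMPLE_FILES)
    print("wiper recoverable:", recover_files(enc, held_key) is not None)
```

The practical point is in `recover_files`: the responder's question is never "does the sample encrypt?" but "does any reachable party hold a key that verifies against the ciphertext?" A sample that generates its key, uses it, and neither stores nor transmits it is a wiper regardless of what its note says.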
Oct. 7, 2020: The United States seized 92 domain names used by the Revolutionary Guards to spread disinformation. Four of the domain names "purported to be genuine news outlets but were actually controlled by the IRGC and targeted the United States for the spread of Iranian propaganda," the Justice Department said.
Oct. 15, 2020: Tehran confirmed two cyberattacks against government targets that occurred from October 12-13. Iran's port authority claimed that it thwarted an attack against the agency's electronic systems. Several agencies temporarily suspended services and conducted technical tests after the attacks were reported.
Oct. 28, 2020: An Iranian cybergroup known as Phosphorus targeted attendees of the Munich Security Conference and the Think 20 Summit in Saudi Arabia, according to Microsoft. The hacker group sent fake invitations to attendees. It successfully compromised the accounts of "former ambassadors and other senior policy experts" before Microsoft detected the attacks.
Oct. 30, 2020: An Iranian cybergroup targeted U.S. state election websites and "successfully obtained voter registration data in at least one state," according to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). Iran obtained "non-public voter data" but was not able to "alter any voter data in the state system," the two agencies said in a joint statement.
Nov. 4, 2020: The United States took down 29 websites used by the Revolutionary Guards that sought to "covertly influence United States policy and public opinion," the Justice Department said.
Dec. 3, 2020: CISA issued a "heightened awareness" alert for Iranian cyberattacks. They warned about Iran's range of capabilities, including "website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information...social media-driven influence operations, destructive malware, and, potentially, cyber-enabled kinetic attacks."
Feb. 23, 2021: Twitter removed 238 accounts operating from Iran after completing an investigation into Iranian efforts to interfere in the 2020 presidential election. The accounts were suspended for "various violations of our platform manipulation policies," the social media company said.
March 16, 2021: The Office of the Director of National Intelligence said that it had "high confidence" that Supreme Leader Ayatollah Ali Khamenei authorized a cyber influence campaign during the 2020 presidential election. The online operation was intended to "undercut former President Trump's reelection prospects - though without directly promoting his rivals." Iranian cyber actors published more than 1,000 pieces of online content from several thousand fake social media accounts. Iran also sent threatening emails to Democratic voters, tried to exploit vulnerabilities on state election websites and attempted to hack the email accounts of political campaign officials.
March 30, 2021: The hacking group dubbed Charming Kitten (aka Phosphorus) had targeted two dozen medical researchers in the United States and Israel, the cybersecurity company Proofpoint reported. Iranian hackers impersonated a prominent Israeli physicist and sent spear phishing emails to medical professionals.
April 11, 2021: An explosion at Natanz hit the power supply for centrifuges and caused damage that could take up to nine months to fully repair, The New York Times reported. Alireza Zakani, head of Parliament’s Research Center, said that “thousands of centrifuges” were destroyed during the blackout. He claimed that 300 pounds of explosives had been smuggled into the facility in equipment that had been sent abroad for repair.
American and Israeli intelligence officials told The New York Times that Israel played a role in the sabotage. Unnamed intelligence sources told Israeli media that the Mossad was responsible for a cyberattack that caused the blackout.
May 2021: A hacking group dubbed Agrius had been launching cyberattacks on Israeli targets since December 2020, SentinelLabs researchers reported. The group, allegedly linked to Iran, tried to deploy malware that would erase data on infected devices.
May 2021: A hacking group called N3tw0rm launched ransomware attacks against H&M Israel and other Israeli companies. The group appeared to be related to Pay2Key, an Iran-linked group that claimed previous attacks on Israel Aerospace Industries and the Israeli cybersecurity company Portnox.
June 22, 2021: The United States seized three dozen web addresses affiliated with Iran and its proxies, including Tehran’s flagship international broadcaster Press TV. Thirty-three websites operated by the Iranian Islamic Radio and Television Union (IRTVU) had conducted "disinformation campaigns and malign influence operations," the Justice Department said in a statement. Three others were used by Kataib Hezbollah, an Iraqi Shiite militia group backed by Iran’s Revolutionary Guards.
July 9-10, 2021: On July 9, hackers caused chaos at train stations nationwide by posting fake messages about cancellations on display boards. The messages urged passengers to call 64411, the number for a hotline run by the Supreme Leader’s office. On the next day, websites tied to the Ministry of Roads and Urbanization reportedly went down. Iran blamed Israel and the United States.
An Israeli-American cybersecurity company, however, concluded that Indra, a group of hackers who identify as opponents of Iran’s theocratic regime, was most likely responsible. The code used in the attack resembled code in previous attacks claimed by the group in 2019 and 2020.
July 15, 2021: Facebook took down nearly 200 fake accounts used by Iranian hackers to target U.S., British and European military and defense personnel. The hackers, known as Tortoiseshell, sought to infect victims’ computers with malware and steal their login information. The malware used by the hackers was developed by Mahak Rayan Afraz (MRA), “an [information technology] company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC),” according to Facebook’s cybersecurity team.
The hackers posed as recruiters for the defense and aerospace industries, as well as employees in the hospitality industry, medicine, journalism, NGOs and airlines. They reached out to their targets online to "build trust and trick them into clicking on malicious links," Facebook said in a statement. The hackers also ran several fake job recruiting websites, including one that mimicked the U.S. Department of Labor's job website, to steal their victims' login credentials. "This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it," the statement said.
July 26, 2021: Five documents allegedly outlining Iran's research on offensive cyber operations were leaked to Sky News. The reports were reportedly compiled by Intelligence Team 13, a group within the Revolutionary Guard's cyber unit, Shahid Kaveh. They detailed how Iran planned to hack critical infrastructure, including water filtration, fuel supply systems and maritime communications. One report examined vulnerabilities in "smart" building management systems in the United States, France and Germany.
Oct. 11, 2021: Microsoft announced that a hacking group linked to Iran had attempted to gain access to more than 250 accounts “with a focus on U.S. and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” Some of the targeted companies produce drones, military-grade radars and other advanced equipment. Fewer than 20 of the targets had been compromised since July 2021.
Microsoft stopped short of attributing the attacks to the Iranian government but said that the “activity likely supports the national interests of the Islamic Republic.” The techniques and targets matched those of another hacking group originating in Iran.
Oct. 26, 2021: A cyberattack knocked out the system that allows Iranians to use government-issued cards to purchase fuel at a subsidized rate. The outage impacted all 4,300 gas stations in Iran. Consumers either had to pay the regular price, more than double the subsidized one, or wait for stations to reconnect to the central distribution system. By October 30, some 3,200 out of 4,300 stations had been reconnected to the system. Iran blamed Israel and the United States.
Nov. 17, 2021: U.S., Australian and British cybersecurity agencies said that an Iran-backed hacking group was targeting the transportation and healthcare sectors in the United States as well as Australian organizations. The hackers were gaining initial access to firms’ networks by exploiting known, already-patched vulnerabilities in Microsoft Exchange and in Fortinet (a cybersecurity firm) products, which is why the advisory stressed timely patching of internet-facing systems. The hackers “can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” according to an advisory co-authored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and Britain’s National Cyber Security Centre (NCSC).
In a separate blog post, Microsoft said that six distinct groups linked to Iran were deploying ransomware, which often encrypts data until a victim sends payment to the hackers. The company warned that Iranian capabilities had improved since September 2020. “As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations,” Microsoft said on November 16.
June 1, 2022: FBI Director Christopher Wray alleged that Iran-backed hackers had targeted Boston Children’s Hospital in “one of the most despicable cyberattacks” he had seen. Hackers attempted to infiltrate the facility’s computer network in June 2021, but the FBI warned the hospital, then helped identify and mitigate the threat in time. “Quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depend on it,” he said.
Feb. 23, 2022: Iran’s Revolutionary Guards published footage from security cameras at two key Israeli ports, Ashdod and Haifa. They also published a file with personal information on hundreds of port workers. Representatives of the ports told Israeli media, however, that the footage had been obtained by hacking a company that operated the cameras, so the ports’ own equipment had not been compromised. The ports also said that the footage was old.
Sept. 9, 2022: The United States sanctioned Iran’s intelligence ministry and minister for cyberattacks against the United States and its allies. “Iran’s cyberattacks targeting civilian government services and critical infrastructure sectors can cause grave damage to these services and disregard norms of responsible peacetime state behavior in cyberspace,” Secretary of State Antony Blinken said in a statement.
April 18, 2023: Microsoft warned that an Iran-linked hacking group, Mint Sandstorm (previously dubbed Phosphorus), had started targeting critical U.S. infrastructure including energy companies, transit systems and seaports in 2021. The group gained access to sensitive systems “in support of retaliatory destructive cyberattacks,” according to Microsoft. “The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations.”
April 25, 2023: Iranian hackers had gained access to a local government website that was due to report November 2020 election results, U.S. Cyber Command revealed. But the attack, which was detected by the military, was foiled before the votes were counted with assistance from the Department of Homeland Security. “It could make it look like the votes had been tampered with,” Maj. Gen. William J. Hartman, commander of the Cyber Command’s Cyber National Mission Force, said at a conference.
Republished courtesy of The Iran Primer. Original text.