Microsoft: Iran's cybercrews got stuck into Israel days after Hamas attacked – not in tandem

At least two destructive attacks, but – crucially – after deadly conflict erupted

Iran's role in the Israel-Hamas war has been largely "reactive and opportunistic," says Microsoft, in contrast to reports that Tehran's spies plotted cyberattacks against Israel to coincide with the October 7 Hamas terrorist atrocity.

Iran's claims about the impact of subsequent computer network breaches were widely inflated, the Windows giant explained in a presentation at the CyberWarCon defense conference in Washington DC. Redmond has been monitoring cybercrews affiliated with Iran's Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC) for years now, but noted they didn't appear to be acting with prior knowledge of Hamas's actions.

There's significant overlap between the Iranian cybergangs, but in general security researchers track the MOIS-linked teams as MuddyWater and Rocket Kitten, while APT35 and APT42 (Mandiant), Charming Kitten, Imperial Kitten, and Mint Sandstorm (Microsoft) are usually associated with the IRGC.

"It took 11 days from the start of the ground conflict before Microsoft saw Iran enter the war in the cyber domain," according to Microsoft Threat Intelligence, which posted detailed research presented at the conference on Thursday.

The first of two observed destructive cyberattacks targeting Israel's infrastructure occurred on October 18, the threat hunters added, but did not provide details about what infrastructure Iranian cybercrews targeted nor the damage they caused.

It is worth noting that, in separate research published today, CrowdStrike attributed a "series" of cyberattacks in October targeting Israeli transportation, logistics, and technology firms to the IRGC's Imperial Kitten group.

CrowdStrike also doesn't provide details about the October attacks or their impact, if any, but says the operations and malware used are consistent with the tactics and techniques Imperial Kitten has employed for roughly the last year.

The Microsoft research indicates that Iranian crews have deployed ransomware at least once since the Israel conflict began.

"Operators leveraged existing access or acquired access to the first available target. Further, the data shows that, in the case of a ransomware attack, Iranian actors' claims of impact and precision targeting were almost certainly fabricated."

This is true to form for Iran-backed miscreants, Microsoft explained, and part of their "tried-and-true" method of "exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations."

In other words, propaganda, amplified by social media, a tactic that has become increasingly common in cyber conflict, as we've seen in the ongoing illegal Russian invasion of Ukraine.

As an example of this in Israel, Redmond's team spotted Iranian crews compromising internet-connected webcams and then framing this as a strategic operation against a specific military installation.

"In reality, the compromised cameras were located at scattered sites outside any one defined region," Microsoft wrote.

"This suggests that despite Iran actors' strategic claims, this camera example was ultimately a case of adversaries continuing to opportunistically discover and compromise vulnerable connected devices and try to reframe this routine work as more impactful in the context of the current conflict." ®
