Iran's cyber operations in Israel a potential prelude to US election interference
Tactics are more sophisticated and supported in greater numbers
Iran's anti-Israel cyber operations are providing a window into the techniques the country may deploy in the run-up to the 2024 US Presidential elections, Microsoft says.
An analysis of Iran's activity, published by Microsoft Threat Analysis Center (MTAC) today, concluded that Iran may again target US elections as it did in 2020, using more sophisticated techniques from a wealth of different groups.
The main fear for US elections comes from the growing number of pro-Iran and Iran-linked groups carrying out cyberattacks and influence operations since the conflict between Israel and Hamas broke out in October 2023.
"Defenders can no longer take solace in tracking a few groups," MTAC's report reads. "Rather, a growing number of access agents, influence groups, and cyber actors makes for a more complex and intertwined threat environment."
Based on Microsoft's threat intelligence data, the US and Israel have consistently been the prime targets for Iran-linked cyberattacks, and the increasing effectiveness and brazenness of those efforts may be a cause for concern as November's election edges closer.
Iran's influence operations pushing anti-Israel propaganda, for example, were shown to be highly effective at reaching Western audiences – a tactic that could feasibly be transposed to the US election too.
In the first week of the war between Israel and Hamas, Microsoft spotted a 42 percent spike in traffic to news sites run by or affiliated with the Iranian state.
That surge was especially apparent in English-speaking countries such as the US, UK, Canada, Australia, and New Zealand. Although this traffic trailed off after the first week of the war, it remained 28 percent above pre-war levels for three weeks afterward.
These influence operations are well documented already and were spotted early in the conflict, but the effectiveness of the campaigns to reach Western audiences, combined with the increasing number of groups willing to engage in these missions, is a concern.
Iran has historically taken advantage of channels such as social media for these operations, but for the first time AI played a role, Microsoft said. It pointed to a December hijacking of a streaming TV channel to broadcast fake news reports presented by an AI-generated human newsreader, a broadcast that reached audiences in the UK, Canada, and the United Arab Emirates.
"This marked the first Iranian influence operation Microsoft has detected where AI played a key component in its messaging and is one example of the fast and significant expansion in the scope of Iranian operations since the start of the Israel-Hamas conflict."
As for how Iran might wish to act in the months leading up to November's presidential election, we can look back to 2020 for clues.
According to a report from the US Director of National Intelligence (DNI), Iran's main aim was to undermine the reelection prospects of President Trump.
The pro-Iran players at work here didn't attempt to jeopardize Trump's campaign through the promotion of his rivals, but instead by sowing division and exacerbating social tensions among US citizens. There was no evidence to suggest that the election itself or its voting systems were tampered with by Iran's campaign.
"We have high confidence in this assessment," the report reads. "We assess that Supreme Leader Khamenei authorized the campaign and Iran's military and intelligence services implemented it using overt and covert messaging and cyber operations."
In response, the US indicted two Iranians who both have $10 million bounties on their heads, per the Rewards for Justice program, available to anyone with information leading to their location.
Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, aged 24 and 27 respectively, are alleged to have stolen US voter data and used it to send threatening emails in a bid to intimidate voters. Among a sprawling list of allegations, they also are said to have breached a US media company's network and would have succeeded in publishing false narratives if the FBI hadn't caught them and alerted the company beforehand.
Iran's influence efforts are essentially categorized by the US as those that seek to undermine the legitimacy of its elections and institutions more so than any single candidate. For example, the emails sent to US voters, like those by the two indicted individuals, were mainly designed to spread uncertainty around voter fraud.
"We assess that Tehran's efforts to attempt to influence the outcome of the 2020 US election and Iranian officials' preference that former President Trump not be reelected were driven in part by a perception that the regime faced acute threats from the US," the DNI report reads.
Microsoft believes that all three of the prime suspects for election interference – Iran, Russia, and China – will spin up their respective campaigns in the run-up to this year's election, despite taking a backseat during the 2022 midterms.
It may be the first time a US election faces simultaneous interference attempts from multiple authoritarian states, it said.
Iran's cyber capability
In addition to Iran's methods for conducting influence operations, including the abuse of social media platforms and pushing news content that's seemingly legitimate, Iran has also demonstrated its significant cyber capability in recent attacks in Israel to support its campaign.
In addition to pushing the boundaries and poking the US to see what it can get away with, as it did with the attack on US water systems late last year, Iran has engaged in destructive cyber operations akin to those used in the Russia-Ukraine conflict.
For example, in addition to taking an Israel-made programmable logic controller offline at a Pennsylvania water authority in November and displaying an anti-Israel message on the screen, Tehran-linked groups such as Shahid Kaveh used ransomware against Israeli CCTV cameras.
This took place in October, roughly two weeks into the war, and Shahid Kaveh used one of its personas to claim it breached the CCTV of the Nevatim Air Force base, when in fact it only popped the cameras on a civilian street in Nevatim, not the military base in the same area.
As the conflict raged on, Iran's destructive cyber attacks began to grow in scope, including targets such as Bahrain and Albania – both of which have relatively friendly relations with Israel.
Albania was the target of attacks from the Homeland Justice group, part of Iran's Ministry of Intelligence and Security (MOIS). Homeland Justice warned of impending attacks in November which eventually came on Christmas Day.
Government systems were downed by the attacks, while a national airline and telco were also targeted at the same time.
Bahrain, on the other hand, was targeted by al-Toufan. Government and financial organizations bore most of the brunt, which is thought to be in large part due to the 2020 signing of the Bahrain–Israel normalization agreement.
From the early days of the conflict, the number of pro-Iran groups carrying out cyber operations grew quickly beyond the nine Microsoft initially tracked to 14 by the two-week mark. This then led to greater collaboration among these groups, including between MOIS group Pink Sandstorm and the Lebanon-based, pro-Iran Hezbollah group.
"Collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft," said Clint Watts, general manager at MTAC and author of its latest report.
"Iranian focus on Israel has intensified. While Israel and the US have always been Tehran's main targets, the outbreak of the Israel-Hamas war saw 43 percent of Iranian nation-state cyber activity focused on Israel, more than the next 14 targeted countries combined."