SIM REPORT: Evolving cyberwarfare capabilities in Iran pose threats to companies


Iran is enhancing its cyberwarfare capabilities against its strategic adversaries, posing considerable risks to states’ infrastructure, private companies and citizens. According to a 26 July report by Sky News, the Islamic Revolutionary Guard Corps’ (IRGC) cyber command, and specifically a special unit within it identified as ‘Intelligence Team 13’ or Shahid Kaveh, has been engaged in research targeting technology companies and research institutions in France, Germany, Israel, the US and the UK, among others. Leaked research papers revealed the IRGC’s intention to exploit vulnerabilities in the command-and-control systems of civilian infrastructure that would allow for remotely launched sabotage operations.

There were five research papers focussed on the water ballast systems of cargo vessels and on maritime satellite communications devices, specifically the Seagull 5000i and Sealink CIR. Retail fuel pump systems manufactured by US-based Franklin Fueling Systems were researched with the intention of identifying attack vectors that could cause explosions at petrol stations. The final reports focussed on smart devices designed for business and residential environmental control systems, with products from the German manufacturer WAGO examined.

The research papers themselves are a valuable precursor to the next stages of an operation, which would entail the design and execution of an exploit or of a malicious file for a phishing attack. Indeed, Iranian APTs have become savvier and more ambitious with their phishing campaigns. In 2018, the Iran-based Mabna Institute was sanctioned by the US Justice Department after the latter uncovered a global IP theft operation that targeted 320 universities, including 144 in the US and 176 in 21 other countries, among them Canada, Germany, Israel, Japan and the UK. Of the 100,000 researchers targeted, around 8,000 were compromised. In the US, around 31.5 terabytes of academic data was stolen, amounting to around USD3.4 billion worth of IP.

More recently, in July 2021, an Iranian APT identified as TA456 (or ‘Tortoiseshell’) was found to have run an 18-month cyberespionage campaign aimed at compromising employees and contractors working in the aerospace and defence industries. The operation entailed creating a fake persona on Facebook and Instagram, where the hackers masqueraded as a female fitness instructor identified as ‘Marcella Flores’. Other fake personas on ‘Marcella’s’ profile pages were friends who identified themselves as employed in the defence industry, lending a level of credibility to the alias. This was an intensive social engineering operation aimed at building rapport, with the goal of establishing IM and email communications before launching a malware attack via an infected file. ‘Marcella’ was just one of approximately 200 fake Facebook accounts targeting Americans employed in the defence and aerospace industries.

These developments are unsurprising given that Iran’s efforts to achieve cyberwarfare dominance have been well documented, with some notable successes. Cyber provides another tool to augment offensive warfare and espionage capabilities. In general, these headline-grabbing developments portend an evolving threat landscape that raises the stakes for companies and institutions holding technology and data that can advance Iran’s strategic objectives globally.

With a new conservative administration led by President Ebrahim Raisi, whose staunch anti-Western credentials are well established, these cyber capabilities are set to accelerate despite the weight of US economic sanctions that have stifled Iran’s knowledge economy. Additionally, the adversarial conditions provide further incentive for private actors to contract their services to the state in a form of ‘ad-hocracy’, as witnessed in Russia; this will undoubtedly complicate the cyber threat landscape for rival states and their respective private sectors and citizens.
