Iranian hackers are waging a sophisticated espionage campaign targeting the country’s rivals across the Middle East and attacking key defense and intelligence agencies, according to a leading Israeli-American cybersecurity company, a sign of how Iran’s quickly improving cyberattacks have become a new, important prong in a shadow war.
Over the past year, the hackers struck at countries including Israel, Saudi Arabia and Jordan in a monthslong campaign linked to Iran’s Ministry of Intelligence and Security, according to a new report by the company, Check Point.
The Iranian hackers appeared to gain access to emails from an array of targets, including government staff members, militaries, telecommunications companies and financial organizations, the report said.
The malware used to infiltrate the computers also appeared to map out the networks the hackers had broken into, providing Iran with a blueprint of foreign cyberinfrastructure that could prove helpful for planning and executing future attacks.
“The primary purpose of this operation is espionage,” security experts at Check Point wrote in the report, adding that the approach was “notably more sophisticated compared to previous activities” that Check Point had linked to Iran.
Iran’s mission to the United Nations did not respond to an inquiry on Monday about the hack. But Iran’s minister of defense, Brig. Gen. Mohammad Reza Ashtiani, said last week in a speech to his country’s defense officials that given the current complex security situation in the Middle East, Iran had to redefine its national defenses beyond its geographic borders.
He said that meant utilizing new warfare strategies to defend Iran, including the use of space, cyberspace and other ways. “Our enemies know that if they make one mistake, the Islamic Republic of Iran will respond with force,” General Ashtiani said, according to Iranian media.
Although the report did not specify what, if any, data Iran had taken, Check Point said the hacking campaign successfully broke into computers associated with the Saudi Arabian ministry of defense, and agencies, banks and telecom firms in several other Middle Eastern countries including Jordan, Kuwait and Oman. The report also did not specify which Israeli systems had been hacked.
A senior Israeli official dealing with cyber issues has confirmed that in recent months an attack by a group known as LionTail has been underway against local and national government agencies and various institutions in Israel. The official said that the attacks are identified and handled by Shin Bet, Israel’s internal security agency, and the Israeli National Cyber Directorate.
Another official said that LionTail is one of 15 groups affiliated, directly or as a proxy, with the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence.
The second Israeli official added that in recent months there have been attempts by Iranian cybergroups or those that belong to Hamas or Hezbollah to hack cameras in Israel, including private cameras near the border with Lebanon, and that the National Cyber Directorate issued an urgent warning to the public with instructions on how to better secure the cameras.
The Saudi government’s Center for International Communication, which handles media inquiries, did not immediately respond to a request for comment on Monday. Jordan’s information minister did not immediately respond to a similar request.
The cyberattacks mark a new phase in a digital conflict between Iran and its rivals. The widespread and surprisingly sophisticated hacks, according to Check Point, underscored how Iran has found ways to punch back in an arena where it had been outmuscled.
“This is the most sophisticated and stealthy Iranian cyberattack we’ve seen,” said Sergey Shykevich, who oversees threat intelligence at Check Point and led the research for the report. “There’s a clear common denominator between the victims we’ve spotted across the Middle East: whether they’re from the government, financial or NGO sectors — they’re all a top intelligence priority for the Iranian government.”
The campaign follows a series of other Iranian cyberattacks over the past two years, experts said, including one aimed at critical U.S. infrastructure and another that sought to impersonate a nuclear expert at an American research institute.
Researchers at Microsoft said earlier this year that Iran was running more sophisticated operations that sought to undermine warming ties between Israel and Saudi Arabia and foment unrest in Bahrain. The most recent attack may be Iran’s most successful yet, as it helped the country to gain potentially critical intelligence, and knowledge that could help with future cyberstrikes, according to the Check Point report.
“The attackers were able to exfiltrate big amounts of data unnoticed for a long period of time, from days to months, potentially achieving significant and sensitive data which could be of service to them for various purposes,” Mr. Shykevich said.
“Some of the information Iran gained from previous cyberattacks in the past was used by them long after the attack took place,” he added. “This can indicate that this specific campaign, with its width and sophistication, may be of use for Iran for years to come.”
The quiet but sustained campaign amounts to a sort of Iranian counteroffensive in a digital shadow war that has been running for well over a decade against countries like Israel, and one in which Tehran has been at a disadvantage. It underscores Iran’s fast improving capabilities and determination to break into the networks of regional rivals at a moment when tensions in the Middle East have erupted into war.
For years, Israel and Iran have engaged in a covert war, by land, sea, air and computer, but the targets have usually been military- or government-related. Two years ago the cyberwar widened to target civilians on a large scale. Suddenly, millions of ordinary people in Iran and Israel found themselves caught in the crossfire of a cyberwar between their countries.
Iran has accused Israel of a hack that took down a portion of the country’s gas stations in 2021, leaving motorists without fuel. In Israel, hundreds of thousands of people panicked when they learned that their private details were stolen from an L.G.B.T.Q. dating site and were uploaded on social media, one of a series of attacks by cybergroups associated with Iran.
The latest cyberattacks stand out, according to Check Point, for the way Iranians redesigned malware they had once used to openly pilfer data into a less detectable means of accumulating huge amounts of secret government data, not unlike a wiretap.
The code had striking similarities to a program used to attack the Albanian government last year, Check Point said. That hack, in which a large amount of sensitive police data was taken and posted online, led Albania to break off diplomatic relations with Iran, which officially denied it was responsible.
The malware exploits a known vulnerability in outdated versions of Microsoft Windows servers. After infecting a vulnerable computer, the program burrows deep into the network, in some cases for months, quietly gathering and transmitting data back to Iran. Check Point observed that the attackers were able to customize the malware for each network, revealing the growing scale of Iran’s cybercapabilities.
Initially, as the world learned about the powers of hacking, Iran was perhaps the best known victim of the real-world impact of digital weapons. In 2010, centrifuges at an Iranian nuclear facility were hijacked by a cyberweapon built and used by the United States and Israel. Over the course of a year, the cyberweapon, called Stuxnet, was used to manipulate Iranian nuclear equipment, and later, to destroy part of the facilities.
At the time, experts in the United States said Iran’s hacking capabilities were clumsy and elementary. But Stuxnet “was a big wake-up call,” said Adam Meyers, senior vice president of counter adversary operations at the cybersecurity firm Crowd Strike. “What we saw after Stuxnet, was that Iran threat actors started professionalizing.”
Mr. Meyers also noted an uptick in regional cyberactivity after the Iran nuclear deal went into effect in late 2015. “Iranian threat actors stopped targeting the West” and focused their energy on regional targets, he said.
In recent years cybersecurity groups have warned of Iran’s fast evolving capabilities as it has narrowed the gap with other United States rivals, like Russia and China. In particular, officials have said that a new burst of cyberattacks began in 2018, after President Donald J. Trump pulled out of the Iran nuclear deal.
By 2019, Iran had assailed more than a half-dozen United States government agencies with hacks that exploited underlying weaknesses in the internet’s backbone and were more difficult to detect.
Vivian Nereim contributed reporting from Riyadh, Saudi Arabia, and Farnaz Fassihi from New York.
