2024-02-22
Iranian APTs disguise themselves as hacktivists for disruption and influence operations
Iranian state-backed advanced persistent threat (APT) groups pose as hacktivists, claiming attacks on Israeli critical infrastructure and air defense systems.
While threat actors in Gaza itself have gone silent on the radio, the majority of cyberattacks against Israel in recent months have been carried out by hacktivist operations and state actors “broadcasting them on television,” according to a new report from CrowdStrike.
These so-called “faketivists” have had a mixed impact on the Israel-Gaza war so far, claiming numerous public relations victories but leaving few traces of truly disruptive attacks.
What is clearer are the benefits of the model itself: it creates a layer of plausible deniability for the state and gives the public the impression that its attacks are inspired from below. While this denial has historically been a key driver of state-sponsored cyberattacks, researchers called this case remarkable because of the effort put behind the charade.
“We've seen a lot of hacktivist activity that appears to be nation-states trying to have this 'deniable' capability,” Adam Meyers, CrowdStrike's senior vice president for counter-adversarial operations, said at a press conference this week. “So these groups continue to maintain their activity, moving from what were traditionally website defacements and DDoS attacks to extensive hacking and leaking operations.”
Iranian faketivists
Faketivists can be nation-state actors such as “Karma Power”, a front for BANISHED KITTEN, linked to the Ministry of Intelligence, or “The Malek Team”, actually SPECTRAL KITTEN, or companies like HAYWIRE KITTEN, associated with Islamic Revolutionary Guard Corps contractor Emennet Pasargad, which has operated at various times under the noms de guerre Yare Gomnam Cyber Team and The al Toufan Team (aka Cyber Toufan).
To sell their persona, faketivists like to adopt the aesthetics, rhetoric, tactics, techniques, and procedures (TTPs), and sometimes the actual names and iconography associated with legitimate hacktivist groups. A keen eye will notice that they usually appear just after major geopolitical events, without an established history of activity consistent with the interests of their government sponsors.
It is often difficult to distinguish faketivists from genuine hacktivists, as each can promote and support the activities of the other.
Since October 7, the activities of Iranian faketivists, real and otherwise, have included alleged attacks on critical infrastructure and Israel's “Iron Dome” missile defense system, as well as frequent information operations.
The former is often just a thin facade for the latter. While faketivists have claimed a number of notable breaches, the majority of them appear to be opportunistic attacks with little material impact, intended to raise morale on one side and degrade it on the other.
“We have seen disruptions targeting Israel, with a focus on things like air warning systems that warn of impending missile strikes. We have seen attempts to disrupt infrastructure in Israel, that's for sure,” Meyers said, adding that such activity is likely to continue in order to terrorize the Israelis. “It's basically the same pattern that Russia used in Ukraine, about how we can terrorize the population, delegitimize their government and make them distrust certain things.”
The Void Left by Hamas Threat Actors
At the same time that Iranian faketivism grew in Israel, cyberactivity associated with Hamas plunged.
Since the October 7 terrorist attack in Israel, threat analysts have consistently found nothing from Hamas-linked cyberthreat actors, such as Extreme Jackal (aka BLACKSTEM, MOLERATS) and Renegade Jackal (aka DESERTVARNISH, UNC718, Desert Falcons, Arid Viper).
This, CrowdStrike speculates in its report, could be explained by significant internet disruptions in the region. Since the start of the war, the report explains, connectivity in Gaza has been hampered by a combination of kinetic warfare, power outages and distributed denial-of-service (DDoS) attacks.
Case in point: the one Hamas-linked group, CruelAlchemy, whose command-and-control (C2) infrastructure has remained active since the start of the war appears, although linked to Gaza, to be physically located in Türkiye.
So even if Hamas remains inactive online, its allies make up the difference (in volume, if not in quality).
“The fact is that APTs continue to proliferate. We see more and more bad actors every year, and more and more activity from these bad actors every year,” says Meyers.
