The Scorched-Earth Tactics of Iran’s Cyber Army
In the early hours of January 5, a popular anonymous Iranian dissident account called Jupiter announced on Twitter that his friends had killed Abolqasem Salavati, a maligned magistrate nicknamed the “Judge of Death.” The tweet went viral, and thousands of jubilant people poured into the account’s Twitter Space to thank them for assassinating the man responsible for sentencing hundreds of political prisoners to die.
Soon, however, a few attendees voiced doubts over the veracity of the claim. They were cursed at and kicked out of the room, as the host insisted, “Tonight is about celebration!” while repeatedly encouraging viewers to make the Space go viral. The next day, activists on the ground and Iranian media confirmed that Salavati was, in fact, alive. Several experts suspect Jupiter to have been an Islamic Republic of Iran (IRI) cyber operation aimed at distracting people, while the Iranian government executed two protesters the same night as the Twitter Space.
Within its borders, the Iranian regime controls its population through one of the world’s toughest internet filtering systems, physical crackdowns, and mass arrests carried out with impunity. However, the IRI is vulnerable beyond its physical and virtual borders, as the regime struggles to contain the discourse and silence dissidents. To combat opposition narratives in the West and among VPN-armed domestic activists online, the IRI cyber army deploys multifaceted, devious, and sometimes clumsy tactics. With the ongoing political unrest in Iran, old cyber tactics have been ramped up, and new tricks that aim to distract, discredit, distort, and sow distrust have come to the fore as the regime finds itself in a critical moment.
Desperate Times, Desperate Measures
Among the tactics used by the IRI’s cyber agents—known colloquially as Cyberi—is old-school hacking. The Iran-linked hacker group Charming Kitten gained notoriety in 2020 for its spear-phishing attempts on journalists, scholars, and policy experts in the West. The group was recognized by its signature strategy of pretending to be reporters or researchers and feigning interest in their targets’ work as a pretext for setting up interview requests embedded with a spear-phishing link. Recent reports from the UK government’s National Cyber Security Centre and the security firm Mandiant found that such spear-phishing activities by the cyber groups TA453 and APT42, which are affiliated with the Iranian Revolutionary Guard Corps (IRGC), have become increasingly prevalent. Last month, the popular anti-regime account RKOT claimed to have received an interview request, geolocated to an IRGC department in Shiraz, from an individual purporting to be a journalist from The New York Times.
According to Amin Sabeti, founder of CERTFA, a cybersecurity collective specializing in uncovering state-backed Iranian cyber activities, these operations have shifted their methods over the past few months, since most targets of interest are aware of the threat and have learned to protect themselves from spear-phishing. Instead, Sabeti says, they now use a “domino effect” strategy: they take aim at low-profile targets, harvest their credentials, and use those compromised accounts to build trust with and gain access to higher-profile targets in the same network. Early this month, for example, the Iranian Canadian human rights activist Nazanin Afshin-Jam said that she received a spear-phishing link from a trusted colleague who had been hacked.
“Right now, they go after everyone who they are interested in, in terms of this revolution, especially people who are working in nonprofits,” Sabeti says.
Notably, some of these state actors establish credibility and trust over time by masking themselves as anti-regime voices and ardent supporters of the protest movement, or by building relationships with targets. One account by the name of Sara Shokouhi was created in October 2022 and claimed to be a Middle East scholar. The account spent months boosting opposition voices and writing heartfelt tributes to protesters before finally being outed by Iran experts as a state-sponsored phishing operation.