Iran surges cyber-enabled influence operations in support of Hamas

Iran’s cyber and influence operations have progressed through multiple phases since the Hamas terrorist attack on October 7. One element of their operations has remained constant throughout: the combination of opportunistic cyber targeting with influence operations that often mislead the precision or scope of impact.

This report focuses on Iranian influence and cyber-enabled influence operations from October 7 until the end of 2023, while covering trends and operations dating back to the spring of 2023.

Iranian groups were reactive during the initial phase of the Israel-Hamas war. Iranian state media issued misleading details of claimed cyberattacks and Iranian groups re-used dated material from historical operations, re-purposed access they had before the war, and exaggerated the overall scope and impact of claimed cyberattacks.

Nearly four months into the war, Microsoft has still not seen clear evidence from our data indicating Iranian groups had coordinated their cyber or influence operations with Hamas’s plans to attack Israel on October 7. Rather, the preponderance of our data and findings suggests that Iranian cyber actors were reactive, quickly surging their cyber and influence operations after the Hamas attacks to counter Israel.

Misleading details on claimed attacks through state media: 
The day the war broke out, Tasnim News Agency, an Iranian outlet affiliated with the Islamic Revolutionary Guard Corps (IRGC), falsely claimed that a group called “Cyber Avengers” conducted cyberattacks against an Israeli power plant “at the same time” as Hamas’s attacks. ² Cyber Avengers, an IRGC-run cyber persona, actually claimed to have conducted a cyberattack against an Israeli electric company the evening prior to Hamas’s incursion.³ Their evidence: weeks-old press reporting of power outages “in recent years” and a screenshot of an undated disruption of service to the company’s website. ⁴

Re-using old material: 
After Hamas’s attacks on Israel, Cyber Avengers claimed to conduct a string of cyberattacks against Israel, the earliest of which our investigations revealed to be false. On October 8, they claimed to leak documents of an Israeli powerplant, though the documents had been previously published in June 2022 by another IRGC-run cyber persona “Moses Staff.”⁵

Re-purposing access: 
Another cyber persona “Malek Team,” which we assess is run by Iran’s Ministry of Intelligence and Security (MOIS), leaked personal data from an Israeli university on October 8 without any clear link in targeting to the burgeoning conflict there, suggesting the target was opportunistic and perhaps chosen based on preexisting access prior to the outbreak of war. Rather than drawing links between the leaked data and support for Hamas’s operations, Malek Team initially used hashtags on X (formerly Twitter) to support Hamas and only days later shifted messaging to align with the type of messaging denigrating Israeli Prime Minister Benjamin Netanyahu seen in other Iranian influence operations.

On October 18, the IRGC’s Shahid Kaveh Group, which Microsoft tracks as Storm-0784, used customized ransomware to conduct cyberattacks against security cameras in Israel. It then used one of its cyber personas, “Soldiers of Solomon,” to falsely claim it had ransomed security cameras and data at Nevatim Air Force Base. Examination of the security footage Soldiers of Solomon leaked reveals it was from a town north of Tel Aviv with a Nevatim street, not the airbase of the same name. In fact, analysis of the victims’ locations reveal that none were near the military base (see Figure 5). While Iranian groups had begun destructive attacks, their operations remained largely opportunistic and continued to leverage influence activity to exaggerate the precision or effect of the attacks.

On October 21, another cyber persona run by the IRGC group Cotton Sandstorm (commonly known as Emennet Pasargad) shared a video of the attackers defacing digital displays at synagogues with messages that referred to Israel’s operations in Gaza as “genocide.” ⁷ This marked a method of embedding messaging directly into cyberattacks against a relatively soft target.

During this phase, Iran’s influence activity used more extensive and sophisticated forms of inauthentic amplification. In the first two weeks of the war, we detected minimal advanced forms of inauthentic amplification—again suggesting operations were reactive. By the third week of the war, Iran’s most prolific influence actor, Cotton Sandstorm, entered the scene launching three cyber-enabled influence operations on October 21. As we often see from the group, they used a network of social media sockpuppets to amplify the operations, though many appeared to be hastily repurposed without authentic covers disguising them as Israelis. On multiple occasions Cotton Sandstorm sent text messages or emails in bulk to amplify or boast about their operations, leveraging compromised accounts to enhance authenticity.⁸

Beginning in late November, Iranian groups expanded their cyber-enabled influence beyond Israel, to include countries that Iran perceives are aiding Israel, very likely to undermine international political, military, or economic support for Israel’s military operations. This expansion in targeting aligned with the start of attacks on international shipping linked to Israel by the Houthis, an Iran backed Shi’ite militant group in Yemen (see Figure 8).⁹

Iran’s cyber-enabled influence operations also continued to grow in sophistication in this latest phase. They better disguised their sockpuppets by renaming some and changing their profile photos to appear more authentically Israeli. Meanwhile they made use of new techniques we’ve not seen from Iranian actors, including using AI as a key component to its messaging. We assess Cotton Sandstorm disrupted streaming television services in the UAE and elsewhere in December under the guise of a persona called “For Humanity.” For Humanity published videos on Telegram showing the group hacking into three online streaming services and disrupting several news channels with a fake news broadcast featuring an apparently AI generated anchor that claimed to show images of Palestinians injured and killed from Israeli military operations (Figure 7).¹⁴ News outlets and viewers in the UAE, Canada, and the UK reported disruptions in streaming television programming, including BBC, that matched For Humanity’s claims.¹⁵

To achieve its objectives in the information space, Iran has relied heavily on four influence tactics, techniques, and procedures (TTPs) over the past nine months. These include use of impersonation and enhanced abilities to activate target audiences, paired with increasing use of text message campaigns and the use of IRGC-tied media to amplify influence operations.

Impersonating Israel activist groups and Iranian partners 
Iranian groups have built on a longstanding technique of impersonation by developing more specific and convincing personas that masquerade both as Iran’s friends and its enemies. Many of Iran’s past operations and personas have purported to be activists in favor of the Palestinian cause.²⁷ Recent operations from a persona we assess is run by Cotton Sandstorm have gone further, using the name and logo of Hamas’s military wing, the al-Qassam Brigades, to spread false messaging about the hostages held in Gaza and send Israelis threatening messages. Another Telegram channel that has threatened IDF personnel and leaked their personal data, which we assess was run by an MOIS group, also used the al-Qassam Brigades logo. It is unclear whether Iran is acting with Hamas’s consent.

Similarly, Iran has created increasingly convincing impersonations of fictitious Israeli activist organizations on the right and left of the Israeli political spectrum. Through these fake activists, Iran seeks to infiltrate Israeli communities to gain their trust and sow discord.

Activating Israelis to action 
In April and November, Iran demonstrated repeated success in recruiting unwitting Israelis to engage in on-the-ground activities promoting its false operations. In one recent operation, “Tears of War,” Iranian operatives reportedly succeeded in convincing Israelis to hang branded Tears of War banners in Israeli neighborhoods featuring a seemingly Al-generated image of Netanyahu and calling for his removal from office (see Figure 11).²⁸

Amplifying through text and email with increased frequency and sophistication 
While Iranian influence operations continue to rely heavily on coordinated inauthentic social media amplification to reach target audiences, Iran has increasingly leveraged bulk text messaging and emails to enhance the psychological effects of their cyber-enabled influence operations. Amplification on social media using sockpuppets doesn’t have the same impact as a message showing up in one’s inbox, let alone one’s phone. Cotton Sandstorm built on past successes using this technique beginning in 2022,²⁹ sending text messages, emails, or both in bulk in at least six operations since August. Their increased use of this technique suggests the group has honed the capability and views it as effective. Cotton Sandstorm’s “Cyber Flood” operation in late October included up to three sets of bulk text messages and emails to Israelis amplifying claimed cyberattacks or distributing false warnings of Hamas attacks on Israel’s nuclear facility near Dimona.³⁰ In at least one case, they leveraged a compromised account to enhance the authenticity of their emails.

Leveraging state media 
Iran has used overt and covert IRGC-linked media outlets to amplify alleged cyber operations and at times exaggerate their effects. In September, after Cyber Avengers claimed cyberattacks against Israel’s railway system, IRGC-linked media almost immediately amplified and exaggerated their claims. IRGC-linked Tasnim News Agency incorrectly cited Israeli news coverage of a different event as proof that the cyberattack had occurred.³¹ This reporting was further amplified by other Iranian and Iran-aligned outlets in a way that further obscured the lack of evidence supporting the cyberattack claims.³²

Nascent AI adoption for influence operations 
MTAC observed Iranian actors using AI-generated images and videos since the outbreak of the Israel-Hamas war. Cotton Sandstorm and Storm-1364, as well as Hezbollah and Hamas-affiliated news outlets, have leveraged Al to enhance intimidation and develop images denigrating Netanyahu and Israeli leadership.

1. Burgeoning collaboration 
Weeks into the Israel-Hamas war, we began seeing examples of collaboration among Iran-affiliated groups, enhancing what the actors could achieve. Collaboration lowers the barrier to entry, allowing each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft.

We assess that a pair of MOIS-linked groups, Storm-0861 and Storm-0842, collaborated on a destructive cyberattack in Israel in late October and again in Albania in late December. In both cases, Storm-0861 likely provided access to the network prior to Storm-0842 executing wiper malware. Similarly, Storm-0842 executed wiper malware at Albanian government entities in July 2022 after Storm-0861 gained access.

In October, another MOIS-linked group, Storm-1084, may also have had access to an organization in Israel where Storm-0842 deployed the “BiBi” wiper, named after the malware’s re-naming of wiped files with the string “BiBi.” It is not clear what role Storm-1084 played, if any in the destructive attack. Storm-1084 conducted destructive cyberattacks against another Israeli organization in early 2023 enabled by another MOIS-linked group Mango Sandstorm (a.k.a. MuddyWater).³³

Since the outbreak of war, Microsoft Threat Intelligence has also detected collaboration between an MOIS-linked group, Pink Sandstorm, and Hezbollah cyber units. Microsoft has observed infrastructure overlaps and shared tooling. Iranian collaboration with Hezbollah on cyber operations, although not unprecedented, poses a concerning development, that the war might draw these groups across nation lines even closer together operationally.³⁴ As Iran’s cyberattacks in this war have all been combined with influence operations, there is the additional likelihood that Iran improves its influence operations and their reach by leveraging native Arabic speakers to enhance the authenticity of its inauthentic personas.

2. Hyper focus on Israel 
Iranian cyber actors’ focus on Israel intensified. Iran has had a longstanding focus on Israel, which Tehran views as its main adversary alongside the United States. Accordingly, based on Microsoft Threat Intelligence data, in the past few years, Israeli and US enterprises have almost always been Iran’s most common targets. Leading up to the war, Iranian actors focused most on Israel followed by UAE and United States. Following the breakout of the war, that focus on Israel spiked. Forty three percent of Iranian nation state cyber activity tracked at Microsoft targeted Israel, more than the next 14 targeted countries combined.

We expect the threat from Iran’s cyber and influence operations will grow as the Israel-Hamas conflict persists, particularly amid the rising potential for escalation along additional fronts. While Iranian groups rushed to conduct, or simply fabricate, operations in the early days of the war, Iranian groups have slowed their recent operations allowing them more time to gain desired access or develop more elaborate influence operations. What the phases of war outlined in this report make clear, is that Iranian cyber and influence operations have slowly progressed, becoming more targeted, collaborative, and destructive.

Iranian actors have also grown increasingly bold in their targeting, most notably in a cyber strike against a hospital and testing Washington’s red lines seemingly unconcerned about repercussions. The IRGC’s attacks on US water control systems while opportunistic were seemingly a clever ploy to test Washington by claiming legitimacy in attacking equipment made in Israel.

Ahead of US elections in November 2024, the increased collaboration among Iranian and Iranaffiliated groups portends a greater challenge to those engaging in election defense. Defenders can no longer take solace in tracking a few groups. Rather, a growing number of access agents, influence groups, and cyber actors makes for a more complex and intertwined threat environment.