Iran's Evolving Cyber-Enabled Influence Operations to Support Hamas

When the war between Israel and Hamas began on Oct. 7, 2023, Iranian cybergroups immediately surged to provide support to Hamas. These Iran-backed and Iran-affiliated actors combined influence campaigns with disruptive hacks, a method Microsoft calls "cyber-enabled influence operations" — which has become Iran's go-to strategy. 

While initial activity appeared to be reactive and opportunistic, these efforts have grown more sophisticated and complex as the conflict continues. Actions taken by individual groups have become more coordinated, and the scope of these activities has broadened internationally, adding to the confusion and lack of trust in information coming from the region.

To achieve their goals, the Iranian groups employ four key influence tactics, techniques, and procedures (TTPs). How and when they use each approach offers insight into the strategies in use. Understanding this mindset can help defenders prepare for and adapt to the continuing onslaught of misleading information. 

TTPs Driving Iran's Strategy

Iran's approach to influence operations is designed to achieve multiple goals of intimidation, destabilization, and retaliation, along with undermining international support for Israel. Its TTPs include impersonation, activating target audiences; text messaging and emails; and using state media to increase its influence. Looking at these activities individually reveals how they also work in concert to reinforce the campaign.

Impersonation

Iran has developed a number of increasingly convincing personas used in these online operations. Using these false identities, Iran-backed and adjacent groups spread misleading stories and threats over social media, emails, and texts. These impersonations are becoming more convincing over time, which allows the groups to create fake activist personas on both sides of the political spectrum. What isn't entirely clear, however, is whether they are working directly with Hamas or strictly for their own purposes.

Activating Target Audiences 

A repeated motif for Iranian groups is to recruit targeted individuals to help spread the false messages. This lends a veneer of truth to the campaign, as now friends and neighbors see people they know promoting the fabrications as legitimate.

Text and Email Amplification 

While social media is crucial to spreading the groups' propaganda and false information, bulk texting and emails are becoming more central to their efforts. One Iranian group, Cotton Sandstorm, has used this technique since 2022, over time sharpening its capabilities. The messages often take credit for cyberattacks that didn't actually happen or falsely alert recipients about physical incursions by Hamas combatants. In addition to false identities, in at least one case they used a compromised account to enhance the authenticity of the messages.

Leveraging State Media 

When Iran-affiliated groups make false statements about cyberattacks and war updates, media affiliated with the Islamic Revolutionary Guard Corps (IRGC) sometimes spread and exaggerate these stories further. They will often cite nonexistent news sources to support the claim. Other Iranian and Iran-aligned outlets further amplify the story, making it seem more plausible despite the lack of evidence.

Microsoft Threat Intelligence has spotted another concern emerging since hostilities began in October: the use of artificial intelligence (AI). AI-generated images and videos spread false news stories or create negative images targeting key public figures. It's expected that this tactic will continue to grow in importance as Iran's cyber-enabled influence operations expand.

Extending the Global Reach of Influence Efforts

We began seeing collaboration among Iran-affiliated groups at the beginning of the war. This enables each group to contribute existing capabilities and removes the need for a single group to develop a full spectrum of tooling or tradecraft. 

By mid-November, Iran's cyber-enabled influence operations related to the war extended beyond Israel to countries and organizations that Iran views as supporters of Israel, including Bahrain, the UAE, and the US. An attack against Israeli-built programmable logic controllers (PLCs) in Pennsylvania took a water authority offline in November. In December, a persona that Microsoft Threat Intelligence believes to be an Iran-affiliated group said that data was leaked from two American companies. The group took credit for data deletion attacks against these companies a month earlier.

Iranian groups use a number of cyber-enabled influence methods to achieve their objectives. Microsoft Threat Intelligence observed that the IRGC group called Cotton Sandstorm used as many as 10 online personas to run multiple methods over the last half of 2023, often taking more than one of these routes simultaneously:

Cyber methods:

Influence methods:

As long as the conflict continues, Iran's cyber-enabled influence operations will likely not only grow, but also become more cooperative and destructive. While these groups will continue to exploit opportunities, their tactics are increasingly more calculated and coordinated. A thorough understanding of these techniques, bolstered by comprehensive threat intelligence, can give defenders an edge in identifying and mitigating these attacks wherever they appear.

— Read "Iran surges cyber-enabled influence operations in support of Hamas" and get insights from Microsoft Threat Intelligence experts on the Microsoft Threat Intelligence Podcast.