“Iran’s Most Sophisticated Cyberattack”. The phrase comes from an alarming report published at the end of 2023 by the Israeli cybersecurity company Check Point. It describes how hackers managed, in recent months, to access emails of major targets within governments, armies, and economic and financial organizations in Saudi Arabia, Israel, Jordan, Kuwait and even Oman. An operation carried out using “tools and tactics that are unlike anything we have seen from the country before”, stresses Check Point, somewhat surprised by its own discovery. Iran has always been considered a second-tier cyber power, far behind other authoritarian regimes such as Russia, China and North Korea, the first two being known in particular for their vast disinformation campaigns in the Western world. To make matters worse, the nicknames given to its largest hacker groups are rather funny: “Charming Kitten”, “Imperial Kitten”, “Crazy Kitten”… The fault lies with the animal nomenclature established by CrowdStrike, a leading cybersecurity firm, undoubtedly inspired by the Persian cat breed. Russian bears or Turkish wolves are far more frightening.
“Script kiddies”
Iran owes this poor image in the hacking community in part to a debacle: the “Stuxnet” affair, named after the computer worm designed by the United States and Israel, which successfully attacked the uranium enrichment centrifuges of its nuclear program between 2008 and 2010. Although Iran was already interested in cyber at that time, its strategy was then focused within its own borders. “For the purposes of consolidating the regime,” says Julien Nocetti, associate researcher at Ifri, the French Institute of International Relations, and at the Geode center (Geopolitics of the Datasphere). To that end, Iran quickly developed a “closed” network. This lets it easily filter access to the BBC’s Persian-language channel, for example, or cut off social networks with a certain granularity. “It is now possible to cut off the Internet on one side of a street in Tehran, the capital, and not on the other,” illustrates Kavé Salamantian, professor at the University of Savoie and specialist in cyberstrategy. These weapons were used during the major protests of 2019, and again three years later during the massive revolts that followed the death of Mahsa Amini, killed by the “morality police”.
Outside its borders, the rise to power, under the aegis of the Islamic Revolutionary Guard Corps and the Ministry of Intelligence, has been slower. The equivalent of a billion dollars was invested in 2011 to acquire skills and talent, and a “Supreme Cyberspace Council” was set up. One of the first Iranian feats of arms directly attributable to the regime was the hacking of several thousand computers of the Saudi oil company Aramco in 2012. In response to American economic sanctions and the oil embargo, Iran also carried out cyberattacks during this period against American banks such as JP Morgan Chase and Bank of America. The damage was only reputational. At that time Iran relied on “script kiddies”, recalls Kavé Salamantian: hackers with poorly developed methods, playing with ready-to-use software that is easy to deploy and, as a result, easy to counter.
Breaking the isolation
The Islamic Republic today seems to want a seat at the big table, by mastering almost the entire range of cyber threats: operations of destabilization, disinformation (including the use of artificial intelligence) and sabotage. Not without consequences. In Albania, at the end of 2022, cyberattacks targeting government systems led to the severing of diplomatic relations between Tirana and Tehran. As the Check Point report shows, Iran has at the same time developed a specialty, cyberespionage, which it has used massively against Israel since October 7, when the war with Hamas in Gaza began, according to recent research by Google and Microsoft. This method, combining phishing of prominent figures with theft of confidential data, “responds perfectly to its conflictual environment,” observes Nicolas Arpagian, expert on strategic issues in cyberspace and author of several works on the subject. “The goal is to capture high-value intelligence on financial or scientific data, and thus break the isolation imposed on it by its enemies through their numerous sanctions.”
France is on guard. A memo from Anssi alerted the telecommunications sector at the end of last year. The French cybersecurity agency noted a “worrying increase in compromises affecting equipment, particularly routers at the heart of operators’ networks”, and specifically pointed to Iran, alongside China. In January, suspected hackers linked to “Charming Kitten” were also identified in a highly targeted phishing attempt against researchers at universities and research organizations in France and other Western nations. Finally, the shadow of Iran hangs over the theft of personal data of around 200,000 Charlie Hebdo subscribers in early 2023.
So many elements that restore credibility to Iran’s cyber capabilities, even if the debate over its real abilities continues. Kavé Salamantian points to the significant exodus, each year, of its best engineers to Switzerland or the United States. This talent drain, crippling in his view, condemns the country for the moment to remain a notch below China or Russia. “Visas granted to Iranian students are perhaps the West’s best cyber defense currently,” he remarks. On the defensive side, huge gaps persist, which Israel exploited on December 18 in a cyberattack that paralyzed more than half of Iran’s gas stations.
Other specialists, on the other hand, see an inevitable improvement in cyber know-how in the country of the mullahs. “The questioning of the nuclear program, the return to power of the ultra-conservatives, the very tense global geopolitical context, the support given to Hamas against Israel and the persistent threats from Tehran against Washington offer the regime opportunities to mobilize its arsenal,” lists Julien Nocetti. Little kittens could one day turn into lions.