Recent Iranian Cyber Attacks Show How Geopolitics Drive Cyber Activity

Emilio Iasiello

A recent report has revealed that an Iranian threat actor group dubbed “Agrius” has been operating against Israel since 2020. The group, initially linked to cyber espionage, has quickly evolved into conducting destructive wiper attacks against Israeli targets. What’s more, these attacks have posed as ransomware in order to mask their true intent. This is not the group’s first foray into destructive operations. In 2019, Agrius developed wiper malware that targeted a Saudi Arabian organization, possibly in retaliation for the U.S. effort to kill the then-commander of Iran’s Islamic Revolutionary Guard Corps Quds Force. Since then, the group has refined its wiper through a succession of variants; the most recent, used against Israeli targets and possibly one entity in the United Arab Emirates, featured a fully functional ransomware strain. Agrius appears to be a competent group, able to develop its own malware and execute offensive operations.

Iranian-linked wiper attacks are not new; other Iranian groups have executed wiper attacks against Middle East targets for years. In 2012, the Shamoon wiper garnered attention when suspected Iranian actors hit Saudi Aramco, destroying approximately 30,000 computer systems. Saudi organizations were targeted again in 2016 with an updated variant of the same malware. In 2019, Iranian actors deployed ZeroCleare, an offshoot of Shamoon, against energy and oil companies in the Middle East believed to be competitors of Iranian firms.

The cyber weapon is clearly the preferred instrument for Iranian actors seeking to punish opponents or competitors of Iranian interests, and disguising a wiper as ransomware is a deliberate attempt to obscure that intent. By playing on fears of ransomware, the actors may have sought to divert attention from the destructive aim of their operations. Notable ransomware attacks such as those against Colonial Pipeline, the city of Atlanta, and the global WannaCry outbreak have demonstrated the versatility of the malware and garnered worldwide attention, prompting debate over whether such attacks constitute a national security concern. For defenders the distinction matters: when an intrusion’s “ransomware” offers no viable path to recovery, the incident should be scoped and reported as a destructive attack rather than an extortion attempt. These actors may also have taken a cue from their Russian counterparts, whose 2017 NotPetya campaign against Ukraine wore a ransomware façade in order to punish rather than to collect a financial reward.

This revelation comes on the heels of a series of Iranian-linked cyber attacks spanning more than a year. Notably, since 2020 Tehran and Tel Aviv have engaged in back-and-forth cyber exchanges targeting civilian critical infrastructure. While none of these incidents has caused substantial damage, their escalatory nature could certainly lead to more punitive repercussions. Iran’s attempt to alter chlorine levels at an Israeli facility supplying water to homes could have caused deaths had it not been detected. Similarly, a successful ransomware or wiper attack against a sensitive critical infrastructure target could prompt swift Israeli kinetic, not cyber, retaliation. In 2019, Israel responded to an attempted HAMAS cyber attack with an airstrike on the building from which the attack was conducted. This is notable because it shows that a state need not respond in the same domain in order to respond proportionately.

While there is no current reporting that Agrius has attacked critical infrastructure, the case raises the question of what prompted the use of disruptive and potentially destructive malware (whether the ransomware or the wiper was ultimately deployed) at a time of already heightened tensions between Iran and Israel. Geopolitics and cyber activity are irrevocably intertwined, which further strengthens Agrius’s connection to Tehran’s interests. Iran has long supported HAMAS with money, weapons, technology, and training to enable its own operations against Israel. And while Israeli intelligence believes HAMAS acted independently of Iranian direction, the latest attacks project confidence, which is noteworthy given Israel’s recent history of kinetic strikes against perpetrators of cyber attacks. It suggests that Agrius believes it is well hidden, well protected, or both.

One thing is clear: Agrius evidently does not fear U.S. involvement on Israel’s behalf. Washington’s anemic response to the 11-day conflict between HAMAS and Israel has projected uncertainty, a condition exacerbated by a surge in anti-Israeli rhetoric from both U.S. government officials and the public. Compounding matters, Egypt, not the United States, was instrumental in brokering the cease-fire, indicating that Washington may not hold the sway over Tel Aviv that it did under the previous Administration. Furthermore, Washington’s focus on bringing Iran back into the nuclear accord signals a willingness to negotiate on terms favorable to Tehran, including possible relief from the sanctions that have crippled Iran’s economy.

Such a confluence of geopolitical events creates an environment that emboldens already aggressive actors to execute cyber attacks. States trying to understand the conditions that precede cyber strikes should be cognizant of the non-cyber factors in which they are engaged or that occur on their periphery. Cyber tit-for-tats do not generally happen on a whim or in a vacuum; certain events, or series of events, serve as catalysts for action.

There are several other Iranian state-affiliated groups and proxies that are prepared to conduct cyber malfeasance.
