Threat-hunter says Iran is stepping up the sophistication of its cyberattacks
In the months since the Oct. 7 attacks on Israel, Iran has increased its cyber-hacking operations, according to Gil Messing, the chief of staff at Tel Aviv-based Check Point Software. The “Click Here” podcast talks to Messing about the latest.
Iran is waging a sophisticated hacking campaign against its rivals across the Middle East and is improving its cyberattacks, according to Gil Messing, the chief of staff at Tel Aviv-based Check Point Software.
“Click Here” spoke with Messing about how he sees an increasingly agile and threatening Iran armed with more advanced strains of malware and backed by hacktivists already applying lessons learned from the cyber battle in Ukraine.
“Click Here”: Let’s start with Israel’s greatest adversary in cyberspace: Iran. How long have you been tracking Iranian hacking groups?
Gil Messing: When have we not? Our mode of operation is that we monitor hundreds of millions of logs every second all over the internet. So, we’re not just monitoring Iran — we’re monitoring any cyberattack that happens anywhere. And when it comes to specific markets in the Middle East, such as Israel, Iran is probably the most prominent cyber-offensive player in the region and one of the biggest in the world.
Do Iranian threat actors have a tell or a specific modus operandi?
Yes, first of all, they’re very focused on specific targets. You could see them mostly in government agencies or ministries. You could see them in companies that host large amounts of data. And what we’ve seen in recent years is that most of these attacks are gradual. They would start by infecting the entity or the target they’re looking for. They could stay inside the network for anything from weeks to months. They’re becoming much more evasive and sophisticated. And I think that the resources they’re putting into this are much more significant. There are at least two government ministries in Iran, the Revolutionary Guards and the Ministry of Intelligence, that have heavily invested in cyberattacks.
When you talk about their growing sophistication, do you mean that they are less about phishing emails and social engineering and more about creating their own malware?
It’s all of the above, actually. Let’s take a real-life example. Many of the attacks that Iran has carried out against targets in the Middle East started off with social engineering — a direct message on LinkedIn, a phishing email, etc. If we go back three years, you will see that they’re always trying to use the local language or English. And their translation was flawed. You could see grammar mistakes [and] spelling mistakes. Now it’s flawless.
How is this sophistication manifesting itself?
Yes, in the past, you could spot [Iranian hackers] easily. Now, I have seen very, very, very high-profile entities with great cybersecurity, in which the malware was undetected for months because it was super invasive. This is not a capability they used to have a year ago. And this is [what] we know. You could just imagine things that we don’t know.
Tell me about the run-up to Oct. 7. What were you seeing that maybe has more meaning in retrospect?
In retrospect, we could see very interesting attacks that started before Oct. 7, which I can’t officially link them to Hamas or to, specifically, the war. But you could see how the same actors were prominent before Oct. 7 and right after Oct. 7. I can’t say I have proof it’s linked, but it’s definitely interesting in retrospect. Oct. 7 wasn’t a turning point for us. We had our guards up and our sense [was] that something was happening a bit before. I want to tell you one specific story that I personally handled. On Friday evening, the day before the attack, one of our researchers called me and said, “Look, there’s a group that says that it’s responsible for electricity shutdowns in a city in the south of Israel. They’ve just published a video claiming responsibility for these attacks.” They said that they’d attacked the electricity company, which was later found to be false. But I know this municipality pretty well, and I reached out and [asked] them about the electricity shutdowns: “Did you have any of those?” [The municipality] said, “Thank you for letting us know. We did have electricity shutdowns in the month before that, [but] we can’t say any system was infiltrated.” Thirty minutes later, I got a text message from the mayor showing me a screenshot of a text he got on his personal phone from the group saying, “Mr. Mayor, we are the ones attacking your city because of the atrocity of your government, and we will attack you more.” Now, this is a municipality. It wasn’t directly targeted on Saturday morning, but it’s around 30 kilometers from the border itself and definitely feels the war quite intensively now. In retrospect, I can’t connect the dots. It might connect, it might not connect. But it definitely happened. If you look at the whole broad sense of attacks happening in Israel, you wouldn’t sense there’s something special going on. But if you look at the more sophisticated ones, you could definitely see — a week or 10 days into the war — a very dramatic increase. It started with 18%. Now it’s over 20% of attacks compared to the time before that. And if you look specifically at the government sector, the military, the defense forces, it’s more than 50% in the time before that. So, this is a very, very, very dramatic increase.
And on Oct. 7 itself, what was it like inside Check Point?
The attack started around 6:00 in the morning. I think that by 9:00 or 10:00, our situation room, so to speak, was already open, and we were already in plans of what exactly we were going to do with all of the entities here that we know will be attacked in a war. And [also] how we make sure they’re utilizing all of their cyber capabilities and get their guards up as soon as possible because cyberwarfare is doomed to be part of this war. And again, we’re a very big company with thousands of people in Israel. So, on the one hand, we have our cybersecurity responsibility. On the other hand, we have our professional responsibilities. Thousands of employees — we need to make sure where they are. We have employees who are living in the vicinity or exactly where the attack is taking place. How do we evacuate them? And since Oct. 7, it feels like one very, very, very long day.
Tell me a little bit about the Iranian-backed hacking groups you’re tracking.
There’s about 150 groups that we are monitoring. Out of these 150 groups, there’s between 20 to 30 dominant groups that are carrying out such attacks. And within these 20 to 30 groups, you could see the dramatic entrance of the Iranian-backed, state-sponsored hacking groups — what we call APT [advanced persistent threat] groups. We’re now over 10 groups that we’re monitoring that are creating much more significant cyberattacks in Israel, much more significant data breaches. And now they’re definitely dominating the cyberattacks here in Israel.
Of those 10 or so dominant groups, which are the ones you find yourself tangling with the most?
It depends on the time. Now, the most prominent one is called Cyber Toufan. MuddyWater is a known group that’s very prominent in the cyber landscape. They also go by the name of Scarred Manticore. They’re government-sponsored, and the Iranians are mimicking many of the tactics they see from Russian hackers — anything from the spread of disinformation, creating real attacks but exaggerating with them, creating hacktivist groups and creating channels to direct these hacktivist groups. It’s imitating the Russian methodology, but on a smaller scale.
What about Cyber Toufan … that’s the Iranian gang people are talking about right now.
Rightfully so. Cyber Toufan started their operations around mid-November, a long time into the war. And what was unique about them is [that] as soon as they rose above the noise, so to speak, they issued a press release with a very detailed agenda of who they are, what they want to do. And their target explicitly was to cripple Israel’s economy, and they linked it to specific actions in the war in Gaza. The other thing that they did [was] what I called a wave of echoed attacks, which is basically one attack that was very successful, echoed by a large [number] of victims whose information was leaked on a very clear and consistent pattern, twice a day: once in the morning, once in the evening. They managed to use one of their malware to attack a server and website hosting company in Israel called Signature-IT. And what they did was that they managed to infiltrate their servers, wipe a lot of their servers and exfiltrate data. Cyber Toufan said they have information on over 40 companies, and they chose high-profile ones and started to leak their data from the websites that were hosted on the servers of Signature-IT. This caused the shutdown of websites. Think of an Israeli version of Home Depot that, for over a weekend, didn’t have a website for online shopping and also had millions of customer records being leaked over this Telegram group. Each of these leaks was linked with a description of this company with a bit of exaggeration, why it’s so important to Israel, and also to link it to specific actions that happened in the war. And what was also very interesting: As soon as the ceasefire was announced [in November], they also said, “We’re obliging ourselves to the ceasefire.” From a public awareness perspective, this is probably the group that is engaging most with the public.
There are also reports of prominent and new strains of malware. Your company wrote a report on SysJoker malware. What can you tell us about that?
So, this malware was seen a few years ago, I think it was 2016 or 2017, [and it came from] a threat actor from Gaza, which ultimately means Hamas. It had certain possibilities of espionage. And then we didn’t see them for a few years. [In late 2023], we saw the development of this malware that is used in the same pattern but in a more sophisticated way. Hamas has very significant cyber capabilities, not on the scale of Iran, but still not one you would think of as an organization of this size. They have people working for them from all over the Middle East and, more specifically, in Turkey, but they also have hackers working for them from the Gaza Strip. I think an interesting point to mention is that in the physical warfare that’s happening in Gaza, you could see an effect on Hamas’s cyber capabilities. You would see them as less effective, less prominent. So, you could see how physical warfare affects their capabilities on the ground. But the real-life cyberwarfare, which is happening in parallel or in the midst of actual wars, there’s not too many of them happening in the world, thankfully. And the ones that do are a very strong greenhouse for more ideas, more capabilities and more knowledge for the hackers.
Is there one thing that’s happened since Oct. 7 that really sticks with you?
One of the attacks was actually targeting the families of kidnapped children, mothers and fathers. They sent them a designated text message saying, “Hi, Mister or Miss, with a specific name, we have captured your son or daughter.” It was all tailor-made. “If you want to communicate with them, press this link.” The link led to a web page, and it had a description saying in very good English, “This is a platform for you to communicate with your loved ones. Write here your name, your email, and the message you want to send them, and click here.” And hopefully, families thought they were suspicious and they didn’t click it. But if you would click it, then you could see that this was another way to basically exfiltrate information by injecting a virus or malware from the people who were victims of this attack.
How long after the kidnappings did that happen?
About a month. They took time to do it. Again, this attack was not successful. And again, as experts in cybersecurity, this is not the most advanced cyberattack we’ve seen. But on a human level, it’s pretty harsh.
What helped you prepare for this onslaught in the cyber realm? Were there lessons from past conflicts in Israel or elsewhere?
One is the Russia-Ukraine war. The same trends we saw in cyberwarfare in [Ukraine], we see here. Anything from the wave of hacktivist groups to state-sponsored attacks, wipers, ransomware, and whatnot. It’s a very wide range [of targets], from critical infrastructure and high-profile targets all the way to the ordinary citizens who will be intimidated by direct cyberattacks, like scams and phishing or even getting text messages alerting you that we’re coming to kill you. We can definitely see similarities, but I think that the phenomena are more distinct here. So, you could see the roots of it in the Russia-Ukraine war, but now you can see a development of this. It’s not necessarily a technological development. Let’s take DDoS attacks. There’s a lot of DDoS attacks against Russia, against Ukraine, against countries supporting Russia or Ukraine. So, if it took us a couple of weeks to get there in Ukraine, here it took days. At the same time, the magnitude is now [double]. And also in terms of terrorizing people and alarming them, if you could see some examples that happened also in Russia or Ukraine, specifically more in Ukraine, now you could see more of those happening here.
Why do you think threat actors have been able to scale up operations so quickly?
I think it goes back to the attacks that I’ve talked about that happened before the war. Some of the data dumps that were leaked by hackers on Israeli targets before the war, you could see that information [from] these data breaches was used by hackers to create the attacks they’re doing now. So, if a hacker had a phone number, a name and an email from a previous attack on a specific company, now you would see the hackers using the exact same email, name and phone number to create a more designated attack against the person they were targeting. The recycling of previous hacks is the basis of new attacks. Also, whatever happens in one war is being imitated and, to some extent, improved in a different war. And I’m sure that in the next war, somebody else will learn from the lessons of this war and try to be better and greater.
This interview has been edited for length and clarity.
The World is an independent newsroom. We’re not funded by billionaires; instead, we rely on readers and listeners like you. As a listener, you’re a crucial part of our team and our global community. Your support is vital to running our nonprofit newsroom, and we can’t do this work without you. Will you support The World with a gift today? Donations made between now and Dec. 31 will be matched 1:1. Thanks for investing in our work!