Pro-establishment Iranian hackers gaining prominence in the Persian Gulf

News by Jay Jay

The rising capabilities of Iranian hackers came to the fore in 2017 when hacker groups like Helix Kitten, Charming Kitten, and Volatile Kitten launched several crippling cyber-attacks on Saudi Arabian entities.

The rising capabilities of Iranian hackers came to the fore in 2017 when hacker groups like Helix Kitten, Charming Kitten, and Volatile Kitten launched several crippling cyber-attacks on Saudi Arabian entities as well as on political dissidents at home.

Even though hackers based in North Korea, Russia, and China dominated headlines for cyber-attacks on organisations in the UK, mainland Europe and the United States in the past year, the new Global Threat Report for 2017 by security firm CrowdStrike has revealed that Iranian hackers ruled the roost when it came to cyber-incidents in the Persian Gulf.

One such Iranian hacker group, dubbed Charming Kitten, used malicious, macro-enabled Microsoft Office documents to deploy an open-source malware named Pupy into devices owned by targeted entities who were mostly dissidents, NGOs, think tanks and political activists.

Cyber-attacks carried out by Charming Kitten included an information gathering operation conducted between April and May last year ahead of the Iranian presidential elections. Those targeted through this operation were mostly entities who were political opponents of the ruling President Hassan Rouhani's party.

In July last year, Charming Kitten also launched cyber-attacks against Iraqi Kurd entities after a majority of Kurds voted in favour of an independent Kurdish state. According to researchers at CrowdStrike, creation of the new Kurdish state was possibly perceived as a threat to the domestic security of Iran.

While Charming Kitten focussed on countering the activities of Iranians who were opposed to Rouhani's regime, another hacker group named Helix Kitten carried out a series of attacks on Saudi Arabian entities in 2017 by leveraging its custom malware implant known as Helminth.

"Recently, Helix Kitten was observed conducting operations against the Kingdom of Bahrain. A malicious Microsoft Compiled HTML Help (CHM) file mimicking meeting minutes from Bahrain was identified and is suspected of being used to conduct phishing operations against regional entities," said Adam Meyers, VP Intelligence, CrowdStrike.

"Considering the pivotal nature of Bahrain for the security structure of the Persian Gulf (Arabian Gulf), CrowdStrike Intelligence assesses that it is likely that adversaries such as Helix Kitten will continue to focus on themes consistent with Bahrain's ties with Israel to lead intra- and extra-regional operations." Bahrain is ruled by a Sunni Muslim monarchy (the same as the other GCC states), but the majority of its population are Shia Muslim, the same as Iran.
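Both of the delivery mechanisms described above, macro-enabled Office documents and a Compiled HTML Help (CHM) file posing as meeting minutes, can be flagged at a mail gateway before anyone opens them. The following triage routine is an added example written for this article; it is not code from CrowdStrike or from the report, and the sample attachments it scans are constructed in the script rather than taken from any real campaign. It assumes only the standard file signatures: the `ITSF` header of CHM files, the OLE2 header of legacy `.doc`/`.xls` containers, and the `vbaProject.bin` part that an OOXML package carries when it contains VBA macros (which is why a file renamed to `.docx` can still hold a macro).

```python
import io
import zipfile
from pathlib import PurePosixPath

# File signatures used for the checks (well-known constants, not from the article).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppsm"}
CHM_MAGIC = b"ITSF"                                  # Microsoft Compiled HTML Help header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy OLE2 compound-file header


def build_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML-style zip (constructed sample; real files have more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # A real Word package stores its VBA project under this name.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves manual review (empty list = nothing found)."""
    reasons = []
    ext = PurePosixPath(name).suffix.lower()

    # 1. Extension says the document is allowed to carry macros.
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")

    # 2. CHM help file, by magic bytes or by extension (the name alone can be spoofed).
    if data.startswith(CHM_MAGIC) or ext == ".chm":
        reasons.append("Compiled HTML Help (CHM) file")

    # 3. OOXML package: look inside the zip for a VBA project regardless of extension.
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("OOXML package contains vbaProject.bin (VBA macros)")

    # 4. Legacy binary Office container, which may embed VBA without any telltale extension.
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE2 Office container (can carry VBA macros)")

    return reasons


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every attachment in a message; keys are file names, values are reasons."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


# Constructed sample attachments for a demonstration run.
SAMPLE_ATTACHMENTS = {
    "agenda.docx": build_docx(with_macro=False),
    "invoice.docx": build_docx(with_macro=True),          # macro hidden behind a .docx name
    "report.xlsm": build_docx(with_macro=True),
    "meeting_minutes.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 32,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for filename, reasons in triage(SAMPLE_ATTACHMENTS).items():
        verdict = "REVIEW" if reasons else "ok"
        print(f"{filename:22s} {verdict:7s} {'; '.join(reasons)}")
```

The check that matters most in practice is the third one: a gateway rule keyed only on `.docm` misses a macro document renamed to `.docx`, whereas inspecting the package for `vbaProject.bin` catches it. The CHM check likewise keys on the `ITSF` header rather than trusting the file name.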

According to CrowdStrike researchers, Iran has often leveraged pro-Iran hacking groups, thus blurring the lines of state-sponsored cyber-activity. Following a bombing in Tehran by the Islamic State last year, Iranian hackers responded by launching DDoS (distributed denial of service) attacks and defacements on websites affiliated with the Saudi government. Iranian hackers may also have carried out disinformation campaigns on social media to tie Saudi Arabia to terrorist attacks.

"The apparent timing of the defacement efforts, information operations and statements from Iranian government officials increases the possibility that a coordinated response from state organisations such as the Islamic Revolutionary Guard Corps (IRGC) occurred, although the exact degree of involvement could not be determined," they added.

As per their assessment, the "soft war" doctrine was incorporated into cyber-operations by Iran following the 2009 presidential election and has ever since been used to target and to monitor domestic audiences and silence dissident voices.

Joseph Carson, chief security scientist at Thycotic, told SC Magazine UK that the use of pro-establishment hackers by the Iranian government is not uncommon as almost all countries globally are enhancing both defensive and offensive cyber-capabilities for economic, political and intelligence advantages.

"If we look at cyber-crime globally, it is mostly across the border as this reduces the possibility of getting caught or being prosecuted. So, talk about Iranian hackers being involved is not surprising as most countries globally are doing similar with the only difference being whether it is being carried out by cyber-criminals or state sponsored."

Carson added that to prevent a major catastrophe, governments and nation-states need to work together to ensure that cyber-attribution is possible and hold each other responsible for the actions of criminal organisations carrying out cyber-attacks from within their borders.

He also said that the upcoming Global Centre for Cybersecurity "should focus on establishing cooperation between governments so that attribution is possible in the future and when a cyber-crime is committed, the governments involved should work together similar to how Interpol works today".
