As Iranian missiles flew over Israel on Thursday, and people scrambled into bunkers, cellphones in the country lit up with a stream of messages.
One from Iran’s Islamic Revolutionary Guards Corps threatened strikes against Israeli citizens and falsely claimed to have killed the Israeli prime minister, Benjamin Netanyahu. Seconds later, another message went out claiming to be from the Israeli authorities that contained a link to a malicious app.
None of the techniques were new, but the combination of a real-world strike, a disinformation push and a cyberattack was different.
“To do it all at the same time is what makes it sophisticated,” said Gil Messing, the chief of staff at Check Point Software, a U.S.-Israeli cybersecurity firm.
Iran has recalibrated its information campaign amid continuing U.S.-Israel attacks, bringing covert social media accounts into the open as it tries to boost perceptions of its military and foster antiwar sentiment in the West, according to researchers studying Iran’s moves.
Israel’s government quickly issued a warning about the malicious app. But the messages appeared to reach hundreds of thousands of Israelis, Mr. Messing said.
On Telegram and other social media platforms, Iran has exaggerated the scale of its retaliation, falsely claiming to have killed scores of American troops and boasting of the threats its proxy groups could pose to the region. The campaign has married cyberattacks with propaganda, and used accounts impersonating Americans, Israelis and others to draw attention to dissent over the war.
“What we are seeing in the influence sphere is really Iran trying to throw every capability at us, toward the conflict,” said Clément Briens, an analyst at Recorded Future’s Insikt Group, which studies cybersecurity and other threats.
Israel’s attack this week on the South Pars gas field shared by Iran and Qatar triggered an outpouring of messaging critical of the Trump administration and sought to link the United States to the attack, despite President Trump’s attempts to distance himself from it, according to a report from Alethea, a firm tracking Iranian messaging and disinformation.
Other information-monitoring firms echoed Alethea’s assessment. Alex Leslie, a senior adviser at Recorded Future, said Iranian messaging about the gas field attack signaled the country’s willingness to retaliate and attempt to widen the war.
“Iran’s messaging around the South Pars strike is framing the attack as a coordinated U.S.-Israel campaign and using it as justification for expanding retaliation against energy infrastructure across the Gulf,” Mr. Leslie said.
The annual U.S. intelligence threat assessment released this week noted Iran’s recent attack on a medical supply company in the United States. “Iran poses a threat to U.S. networks and critical infrastructure in the form of cyberespionage and cyberattacks,” the report said.
Experts say Iran clearly views the current war as an existential threat, which has forced a shift in strategy.
In recent weeks, Iran has been utilizing formerly covert accounts — social media accounts that previously pretended to be American, Israeli or European — to push messages.
“They are burning their capabilities,” Mr. Messing said. “Either because they don’t think they will need it anymore or because it is time to fire whatever they can.”
An account devoted to Scottish independence secretly controlled by Iran shifted its focus to the U.S.-Israeli war, Mr. Briens said. A group of bots controlled by Iran that had previously been used to communicate with would-be overseas saboteurs or spies is now promoting videos of Iranian missile and drone strikes, according to Recorded Future.
A New York Times investigation found that fake images about the war, most of them pushing pro-Iranian themes, have flooded online forums. Many of the videos portrayed crying soldiers. Alethea, another firm that tracks Iranian information operations, noted that “the ‘crying soldier’ trope is a recurrent propaganda format designed to visually communicate psychological defeat.”
Independent researchers like Recorded Future and others said it was difficult to measure how much traction the Iranian accounts had gained.
Mr. Briens said the use of once-covert personas to spread pro-Iran messaging appeared to reflect Iran’s desire to use its most influential social media accounts to reach as wide an audience as possible — even if that meant giving up on a carefully cultivated persona.
“We have seen some Iranian actors cannibalizing their capabilities,” Mr. Briens said. “Personas that were pretending to be Scottish or American or Israeli — since the outbreak of the war we have seen them shift to be very overtly pro-Iran.”
Mr. Leslie said Iran was also using its inauthentic social media accounts to push or exaggerate the effectiveness of its cyberattacks.
Last week an Iranian hacking group called Handala said it was responsible for the cyberattack on Stryker, the U.S.-based manufacturer of medical equipment. The group once claimed to be an independent so-called hacktivist organization, but has now acknowledged that it is part of the Iranian government, Mr. Messing said.
Handala said the attack was retaliation for a U.S. missile strike on Feb. 28 that destroyed an Iranian elementary school.
On Thursday the Justice Department moved to seize domain names associated with Handala.
Recorded Future has found that Iran, borrowing a technique from some Russian hackers, is using information operations to make its cyberactivity look potent and potentially more effective than it has been.
“More than two weeks into this war, the digital front is not a single cyber blitz but a layered campaign that fuses disruption, deniable fronts and narrative warfare into one strategic system,” Mr. Leslie said.
Julian E. Barnes covers the U.S. intelligence agencies and international security matters for The Times. He has written about security issues for more than two decades.
The post Iran Combines Real-World Missile Attacks With Online Threats appeared first on New York Times.




