DNYUZ

Despite Cease-Fire, Iran’s Hackers Haven’t Logged Off

April 16, 2026

The exchange of bombs and missiles in the Middle East between Iran and its foes has been paused for more than a week now. Iran’s hackers, however, have remained active on the digital battlefield.

Iran has continued its cyberspace operations since the cease-fire with the United States began on April 8, according to Western cybersecurity experts and former U.S. intelligence officials. In doing so, Tehran is trying to keep up pressure on the United States and Israel but also positioning itself to mount a bigger retaliation if peace talks do not resume.

Since the war began in late February, Iran has combined real-world attacks, disinformation and a mix of low-level and more advanced cyberattacks to create confusion in Israel. In the United States, it temporarily caused a global, companywide shutdown at a major medical-equipment supplier, Stryker, scoring a major success that surprised some security analysts.

A group affiliated with Iranian intelligence also took responsibility for the release of emails and photographs stolen from a personal account of Kash Patel, the F.B.I. director.

Now in the cease-fire, Iran is tactically shifting from overt demonstrations meant to undermine support for the U.S.-Israel campaign toward quieter efforts to prepare for what might come next. This new phase of cyberspace operations includes a greater focus on espionage.

Iran has continued to target individuals in the United States and Israel who are either government officials or linked to the government. Its hackers have also stepped up their efforts to penetrate critical infrastructure, attempting to get access to water and power systems in the Middle East and the United States as part of an effort to prepare for future operations that would cause societal pain, experts said.

Iran’s cyberoperations have generally been less effective or sophisticated than those from China or Russia, which have for years launched large-scale espionage campaigns against the United States and penetrated some of America’s most sensitive infrastructure.

But Iran’s dispersed network of hackers has long used cyberattacks to project power across the Middle East and to challenge — or at least annoy — the United States. And Iran’s hackers are considered less predictable than their Chinese and Russian counterparts, especially when their government feels threatened.

“This is a time, more than ever, we should worry about Iran,” said Evan Peña, a co-founder of the cybersecurity firm Armadin. “In cyberwarfare there isn’t really a cease-fire.”

Mr. Peña said that if the cease-fire or negotiations collapsed, Iran would want to be in a strong position to retaliate, potentially by attacking critical infrastructure in the United States. Tehran has done so in the past but generally with limited impact. More than a decade ago, Iranian hackers targeted a small dam in upstate New York, but by happenstance the dam’s sluice-gate controls had been taken offline for maintenance, much to the relief of U.S. investigators at the time.

Iran, Mr. Peña said, is going to be more aggressive and devote more resources to trying to get access to American companies as the war rages on.

“I am not saying they have gotten in, but I do believe they are trying to get in,” he said. “The motive is, hold your position in the network. Should you find a way in, if something doesn’t go the way Iran wants it to go, then they are going to make a disruption.”

Josh Zweig, the chief executive of Zip Security, which secures small and midsize enterprises, said Iran was specifically looking for less well-defended targets, like municipal-run water and energy facilities.

He also said small firms that make investment decisions for wealthy individuals and families have been targeted.

With both kinds of attacks, the goal is to gain leverage, Mr. Zweig said.

“They’re going after individuals in and around the government — not through official channels but through their personal networks: service providers, contractors, the kinds of organizations that handle sensitive day-to-day information,” Mr. Zweig said.

Some security experts have said they have observed an overall drop in Iranian cyberoperations in the United States since the cease-fire took hold. Iran-linked hacking groups have been less active in claiming credit for attacks, suggesting a desire to more quietly embed undetected within networks for potential future leverage.

And some cybersecurity experts said the overall number of attempted cyberattacks has fallen, at least in the United States.

Much of the activity against the United States has taken the shape of rudimentary denial of service attacks, which attempt to knock websites offline by spamming them with junk traffic, said Cynthia Kaiser, a senior vice president at the cybersecurity firm Halcyon and a former senior cyber official at the F.B.I.

But in Israel, Handala, a hacking group affiliated with the Iranian government that claimed credit for both the Stryker attack and the breach of Mr. Patel’s emails, has continued its campaign, according to Ms. Kaiser and other experts.

The group masquerades as an independent hacktivist collective but is controlled by the Ministry of Intelligence and Security, Iran’s chief spy agency, according to U.S. officials.

It has hacked and leaked accounts tied to the former head of the Israel Defense Forces, Herzi Halevi, and released documents about intelligence analysts who work for an Israeli intelligence agency.

The group also recently claimed responsibility for hacking government entities in Dubai, in the United Arab Emirates.

“They are basically doxxing a few dozen individuals — the fact they are doing it, they are basically saying they will continue with the cyberwar,” said Gil Messing, the chief of staff at Check Point, an Israeli-American cybersecurity firm. “They want to make sure that everyone is aware that they are continuing and will continue to target Israel.”

Mr. Messing said Iran stepped up hacking activity against Israel after their war last year and is likely to continue that pattern now. Check Point, he said, had observed a 10 percent increase in cyberoperations linked to Iran across the Gulf region since the cease-fire took hold, and a 15 percent increase against Israel.

“After the cease-fire agreement, they are escalating their cyber efforts,” Mr. Messing said. “Often we see that digital-based attacks are more prominent when the physical front is more silent.”

Julian E. Barnes covers the U.S. intelligence agencies and international security matters for The Times. He has written about security issues for more than two decades.

The post Despite Cease-Fire, Iran’s Hackers Haven’t Logged Off appeared first on New York Times.

DNYUZ © 2026
