Microsoft is warning that Iran is using a new set of preferred techniques that combine its traditional cyberattacks with cyber-enabled influence operations (IO) for greater geopolitical effect.
In a May 2 post on its security blog, Clint Watts, general manager of Microsoft’s Digital Threat Analysis Center, said the company has detected that Iran’s IO efforts have been accelerating since June 2022. Most of the country’s operations are run by Emennet Pasargad, which Microsoft tracks as Cotton Sandstorm, a group the United States sanctioned for attempting to undermine the 2020 U.S. presidential election.
Iran’s operations are primarily focused on Israel, with almost a quarter of its efforts (23%) directed at that country between October and March, followed by the U.S., the United Arab Emirates and Saudi Arabia.
Some of its goals include seeking to bolster Palestinian resistance, fomenting unrest in Bahrain and countering the ongoing normalization of Arab-Israeli ties, Watts continued. Iran pursues these goals through cyber-enabled IO, embarrassing prominent opposition figures and using fake online personas to amplify or hype its attacks.
While Iranian threat groups have increased their use of cyber-enabled IO, Microsoft noted a corresponding decline in their use of ransomware and wiper attacks.
The blog post coincided with the release of Microsoft’s Threat Intelligence report on Iran’s cyber-enabled IO, which itself is part of the company’s semi-annual update on nation-state actors in an effort to inform its customers and the global community, Watts wrote.
The report noted that Microsoft linked 24 influence operations to the Iranian government in 2022 compared with seven in 2021.
The update on Iran’s IO follows Microsoft’s update to its naming conventions for nation-state threat groups, under which it assigns each actor a “family name” incorporating a weather event. It formerly tracked Cotton Sandstorm as “Neptunium” before adopting the “Sandstorm” taxonomy for Iranian groups, such as Mint Sandstorm, which Microsoft reported in April as quickly adopting proof-of-concept exploits for vulnerabilities before organizations could apply patches.