Wafiq Safa and Iran’s Cyber Outpost in Lebanon

Posted: 13th November 2012

Our recent analysis of the cyber attack against Saudi Aramco highlighted lingering questions about the culprit, and the origins of the attack are yet to be credibly verified. However, rumors of Iranian involvement lead us to the head of Hezbollah’s internal security, Wafiq Safa, stationed in Beirut.

And despite his security role with Hezbollah, we can actually learn quite a bit about Safa through analysis of open source media, including his reported activity in the lead-up to the Saudi Aramco attack as well as during the weeks afterwards, his communication patterns with Lebanese and Iranian officials, and his ties to larger Hezbollah efforts in the cyber world.

The attack on Saudi Aramco took place on August 15, 2012, and above you can see the timeline for Wafiq Safa framed around that date. Activity by Safa before and after the event is not particularly incriminating, but his actions do clearly reveal one thing: regular open communication with Hezbollah’s political leaders in Lebanon. There’s also a notable gap in those public meetings after the October 19 assassination of Maj. Gen. Wissam al-Hassan, who headed the Information Department of the Internal Security Forces; the assassination resulted in country-wide protests against Hezbollah.

Aside from the meetings, you’ll notice the major development of a Hezbollah-launched drone being flown into Israeli airspace early in October. Although the drone was destroyed, it allowed Iran to proclaim an advanced military capability and, through Hezbollah, a more threatening potential in its range to strike against Israel. The efforts in Beirut are clearly not limited to malware development.

Wafiq Safa’s Political Network

Let’s move forward and look at the names of those identified as attending meetings with Wafiq Safa between July and November this year to draw a network of political connections. Extracted from the above reports of communication with Hezbollah officials we generate this set of connections:

From the above network of connections with Wafiq Safa, a few highlights:

  • September 27, roughly a month after the Saudi Aramco attack: Minister Gebran Bassil says Lebanon is “technically ready” to drill for natural gas in the Mediterranean where reserves are disputed with Israel and Cyprus.
  • September 13: The US Treasury formally charged and imposed sanctions on Hezbollah leader Hassan Nasrallah, and two other members of the organisation — Mustafa Badr Al-Din and Talal Hamiyah — for their material support of Syrian President Bashar al-Assad’s forces.
  • August 21: Interior Minister Marwan Charbel met and subsequently worked closely with Turkish political officials to track down Lebanese pilgrims kidnapped in Syria after visiting Iran.

Hezbollah’s Cyber Ambitions

Let’s also look at the bigger picture: discussion of Hezbollah’s cyber activities and ambitions reported during the last twelve months.

Interestingly, some of the most prominent events on the timeline include the organization of Cyber Hezbollah conferences. The first reportedly took place in September 2010 with Hassan Abbasi, political strategist and adviser of the Iranian Revolutionary Guards, leading the messaging. That same report cites Abbasi as saying:

“Therefore, a cyber-Hezbollah would require that the ‘conspiracy of the enemies be neutralised’. The Cyber-Hezbollah must ‘keep the culture of martyrdom alive’. Abbasi concludes that, with the imminent collapse of the U.S. economy, the Cyber-Hezbollah will be of great importance.”

So, there’s clearly an attempt to organize a defense against attacks on Iranian and Hezbollah interests. And in fact, the day before Saudi Aramco’s systems were hit by the Shamoon virus, Press TV out of Iran noted the impact of sanctions on Iran and Hezbollah and claimed that Lebanese banks had been hit by US cyber attacks.

We leave you with a couple of questions: do you think that Hezbollah poses a real information security threat to the US and its allies via support from Iran? Or should the real concern and monitoring be focused on their development of drone capabilities that could rapidly destabilize the region should Israel feel threatened? Drop us a note in the comments.