Iranian Hacktivists Quiet Amid Nuclear Negotiations

December 11, 2013 • Chris

While Iran’s Revolutionary Guards have been busy arresting opposition activists for alleged seditious online activities, hacker groups with supposed ties to the Iranian government have been noticeably inactive of late.

Regular readers and threat intelligence analysts will recall our observations on the timing of operations by three Iran-linked hacker groups. The temporal correlation of campaigns by the al-Qassam Cyber Fighters (QCF), Parastoo, and Iranian Cyber Army suggested coordination and/or shared resources.

We’re now finding those groups subdued since around the time Iran’s President Hassan Rouhani took office on August 3. The last reported incidents attributed to any of the three organizations were low-impact DDoS attacks by QCF on August 14 and August 15.

Iranian Hacktivists Go Silent

After those mid-August attacks using Brobot, QCF’s known attack vector, the groups completely fell off the radar. There were no recognized attacks during the run-up to Iranian nuclear negotiations in Geneva on October 15, and based on open source information, none of the groups have resumed operations.

Pause in Iranian Hacker Activity


Parallel Slowdown in State Activity

Even hacks attributed more generally to non-specific Iranian actors or government-backed teams have fallen off. Outside of the WSJ-reported attack on an unclassified US Navy network during September, there’s been little cyber activity of note linked back to Iran during the past few months.

Iran Attacker Timeline
Cyber Events Referencing Iranian Actors as Attacker

Why Are Things Quiet?

State-backed cyber operations won’t cease, but the reasons for this lull in Iran-linked hacktivist activity are unclear. Could it be the result of a policy decision by the new administration to rein in groups not officially part of the military apparatus? Or should it be chalked up entirely as an attempt to play nice during nuclear negotiations?

One of Parastoo’s successful hacks was against the IAEA, which resulted in the disclosure of satellite photos, documents, and email addresses. Economic sanctions against Iran were widely cited as the driving force behind QCF’s Operation Ababil. With this in mind, going dark during high-impact discussions on the issue seems a shrewd tactic.

Will these groups resume operations under the same monikers? We’ll carefully watch as the following events come and go during the next six months:

  • Late December/Early January: Nuclear agreement reached by the P5+1 nations takes effect.
  • January 21, 2014: IAEA talks in Tehran.
  • Early February, 2014: IAEA to get “managed access” to the Gchine mine for the first time in nearly a decade.
  • Early April, 2014: Iranian officials to meet oil companies in London to offer contract terms.
  • May 2014: US, Israel to hold large-scale joint military exercise.
  • Late May, 2014: Six-month negotiation period on nuclear deal ends.

Follow those and other emerging events by bookmarking the Recorded Future timeline of forecasts for Iran-related nuclear events in 2014, and we’ll post an update on this analysis should more information emerge.