December 11, 2013 • Chris
While Iran’s Revolutionary Guards have been busy arresting opposition activists for alleged seditious online activities, hacker groups with supposed ties to the Iranian government have been noticeably inactive of late.
Regular readers and threat intelligence analysts will recall our observations on the timing of operations by three Iran-linked hacker groups. The temporal correlation of campaigns by the al-Qassam Cyber Fighters (QCF), Parastoo, and Iranian Cyber Army suggested coordination and/or shared resources.
We’re now finding those groups subdued since around the time Iran’s President Hassan Rouhani took office on August 3. The last reported incidents attributed to any of the three organizations were low-impact DDoS attacks by QCF on August 14 and August 15.
After those mid-August attacks using Brobot, QCF’s known attack vector, the groups completely fell off the radar. There were no recognized attacks during the run-up to Iranian nuclear negotiations in Geneva on October 15, and based on open source information, none of the groups have resumed operations.
See interactive view here
Even hacks attributed more generally to non-specific Iranian actors or government-backed teams have fallen off. Outside of the WSJ-reported attack on an unclassified US Navy network during September there’s been little cyber activity of note linked back to Iran during the past few months.
State-backed cyber operations won’t cease, but the reasons for this lull in Iran-linked hacktivist activity are unclear. Could it be the result of a policy decision by the new administration to rein in groups not officially part of the military apparatus? Or should it be chalked up entirely as an attempt to play nice during nuclear negotiations?
One of Parastoo’s successful hacks was against the IAEA, which resulted in the disclosure of satellite photos, documents, and email addresses, and economic sanctions against Iran were widely cited as the driving force behind QCF’s Operation Ababil. With this is mind, going dark during high impact discussions on the issue seems a shrewd tactic.
Will these groups resume operations under the same monikers? We’ll carefully watch as the following events come and go during the next six months:
Follow those and other emerging events by bookmarking the Recorded Future timeline of forecasts for Iran-related nuclear events in 2014, and we’ll post an update on this analysis should more information emerge.