Wafiq Safa and Iran's Cyber Outpost in Lebanon

November 13, 2012 • Chris

Our recent analysis of the cyber attack against Saudi Aramco highlighted lingering questions about the culprit, and the origins of the attack have yet to be credibly verified. However, rumors of Iranian involvement lead us to the head of Hezbollah’s internal security, Wafiq Safa, who is stationed in Beirut.

And despite his security role with Hezbollah, we can actually learn quite a bit about Safa through analysis of open source media, including his reported activity in the lead-up to the Saudi Aramco attack and during the weeks afterwards, his communication patterns with Lebanese and Iranian officials, and his ties to larger Hezbollah efforts in the cyber world.

The attack on Saudi Aramco took place on August 15, 2012, and above you can see the timeline for Wafiq Safa framed around that date. Activity by Safa before and after the event is not particularly incriminating, but his actions do clearly reveal one thing: regular open communication with Hezbollah’s political leaders in Lebanon. There’s also a notable gap in those public meetings after the October 19 assassination of Maj. Gen. Wissam al-Hassan, who headed the Information Department of the Internal Security Forces. The assassination resulted in country-wide protests against Hezbollah.

Aside from the meetings, you’ll notice the major development of a Hezbollah-launched drone being flown into Israeli airspace early in October. Although the drone was destroyed, it allowed Iran to proclaim an advanced military capability and, through Hezbollah, a more threatening potential in its range to strike against Israel. The efforts in Beirut are clearly not limited to malware development.

Wafiq Safa’s Political Network

Let’s move forward and look at the names of those identified as attending meetings with Wafiq Safa between July and November this year to draw a network of political connections. Extracted from the above reports of communication with Hezbollah officials, we generate this set of connections:

Wafiq Safa Lebanon Political Allies

From the above network of connections with Wafiq Safa, a few highlights:

Hezbollah’s Cyber Ambitions

Let’s also look at the bigger picture: discussion of Hezbollah’s cyber activities and ambitions reported during the last twelve months.

Hezbollah Cyber Organization

Interestingly, some of the most prominent events on the timeline include the organization of Cyber Hezbollah conferences. The first reportedly took place in September 2010 with Hassan Abbasi, political strategist and adviser of the Iranian Revolutionary Guards, leading the messaging. That same report cites Abbasi as saying:

“Therefore, a cyber-Hezbollah would require that the ‘conspiracy of the enemies be neutralised’. The Cyber-Hezbollah must ‘keep the culture of martyrdom alive’. Abbasi concludes that, with the imminent collapse of the U.S. economy, the Cyber-Hezbollah will be of great importance.”

So, there’s clearly an attempt to organize a defense against attacks on Iranian and Hezbollah interests. And in fact, the day before Saudi Aramco’s systems were hit by the Shamoon virus, Press TV out of Iran noted the impact of sanctions on Iran and Hezbollah and claimed that Lebanese banks had been hit by US cyber attacks.

We leave you with a couple of questions: do you think that Hezbollah poses a real information security threat to the US and its allies via support from Iran? Or should the real concern and monitoring be focused on their development of drone capabilities that could rapidly destabilize the region should Israel feel threatened? Drop us a note in the comments.