# Pro-Iran Hackers Align Cyber with Kinetic War Aims
A recent report has shed light on the sudden surge in cyber-threat activity from pro-Iran hacking groups that coincided with the 12-day war against Israel earlier this summer. SecurityScorecard, a leading cybersecurity firm, analyzed 250,000 Telegram messages to uncover various activities including intelligence gathering, propaganda, and direct attacks on critical infrastructure and public entities.
The report revealed that a diverse range of groups, including state-backed hackers, proxies, and loosely connected collectives of "ideologically aligned hacktivists" supporting Iran's war aims, were involved in this cyber activity. This coordinated effort was observed alongside more traditional state-sponsored attacks by APT group Tortoiseshell (also known as Cuboid Sandstorm, Yellow Liderc, and Imperial Kitten).
Only a few days after the conflict between Israel and Iran escalated, pro-Iran hackers began purchasing domain names from Namecheap themed around the conflict, including nowsupportisrael[.]com, supportisraelfunding[.]com, and stoprirannukes[.]com. They then purchased virtual servers to host these domains and used the Evilginx phishing framework to lure Hebrew-speaking victims with petition forms offering support for Israel, framed around the October 7, 2023 Hamas attack on Israel.
To go further against selected individuals, pro-Iran hackers deployed the RemCosRAT remote access Trojan. The report noted that the threat actors involved in this conflict displayed varying degrees of sophistication and of alignment with the Islamic Revolutionary Guard Corps (IRGC). This underscores the importance of distinguishing state-sponsored from opportunistic groups as cyber and kinetic conflicts become increasingly complex and interlinked.
The SecurityScorecard report emphasizes the need for employee awareness about the dangers of phishing and social engineering, particularly during times of conflict. It also advises organizations to assess whether they might fall within the scope of a targeted campaign by asking their security vendors to review their defenses.
This incident highlights the evolving nature of cyber warfare and the need for businesses and individuals to be vigilant in protecting themselves against pro-Iran hacking groups.
### Key Takeaways

* Pro-Iran hackers have been linked to increased cyber activity during the 12-day war between Israel and Iran.
* State-backed hackers, proxies, and hacktivists were involved in this coordinated effort.
* Domain names related to the conflict were purchased by pro-Iran hackers, followed by phishing attacks using the Evilginx framework.
* Remote access Trojan malware was deployed to selected targets.
* The report emphasizes the importance of understanding the difference between state-sponsored and opportunistic groups in cyber and kinetic conflicts.