A Department of Justice employee puts up a poster of the seven indicted hackers ahead of a news conference announcing a law enforcement action on March 2, 2018. (AFP)

By Danny Citrinowicz and Jason M. Brodsky

June 23, 2022

Iran continues to develop its cyber capabilities significantly and for a variety of purposes. It was recently reported that Tehran had sought to attack Boston Children’s Hospital, an attempt that the director of the Federal Bureau of Investigation called one of the most “despicable” he had ever seen. The incident is another indication of Iran’s boldness in its use of cyber tools.

But the majority of Iranian cyber activity is focused on social engineering for the purpose of obtaining intelligence. Tehran has been expanding its use of social engineering as a tool, mainly through numerous approaches to experts on Iran. Iranian intelligence attempts to obtain their information and assessments, and even tries to lure some of them to international conferences in order to recruit or kidnap them.

One of the authors of this article was recently contacted via email by someone claiming to be a leading journalist. When the email went unanswered, the same “journalist” called the author personally multiple times asking to schedule a test interview, from a phone number that appeared to be registered in the country where that media outlet is located.

Further investigation revealed this to be a likely phishing attempt by Charming Kitten, an advanced persistent threat actor linked to the Iranian government. There are lessons to be learned from this episode, namely the sloppiness in the tradecraft of Iranian cyber operators, evident in their persistence and their use of unaffiliated, personal email addresses. The fact that the Iranian operatives followed up an email with phone calls demonstrates the aggressiveness with which the Islamic Republic is deploying these tools.

To expose the Iranian pattern of action, this article focuses on the ways Iran uses social engineering tools and on their distinctive characteristics, so that potential targets can recognize when they are under Iranian “attack.” In general, most of the actions carried out by Tehran are amateurish and easy to identify, provided that those who are of interest to the Iranian government are aware of its tactics.

The use of social engineering tools has expanded greatly in recent years, mainly because information has become harder to obtain from social media platforms, given heightened user awareness and the measures these networks have taken to protect their users’ privacy.

Social engineering has thus become a kind of offensive WEBINT (Web Intelligence) tool that allows an operator to collect a great deal of information about the targeted user.

The central principle of social engineering is trust: the target must feel safe enough to provide details to the requester (in this case, Iranian intelligence). Iran understands this principle very well, and its operatives appear to be working around the clock on these strategies.

Whereas in the past Iran used personas it had created for dedicated operations, which were for the most part very easy to identify, today the Iranian trend is to steal the identities of real people and weaponize them.

That is, operatives use the real names of people to approach their targets, from email addresses that closely resemble the real name of the stolen identity. The approach is usually a respectable one made in the name of a high-ranking expert (to persuade the target to work with him), in the course of which the potential target is offered a collaboration, whether an interview, a joint article, or an appearance at a conference. This modus operandi can be seen in a recent cyber operation targeting Israel’s former Foreign Minister Tzipi Livni, in which an Iranian hacker posed as an Israeli military official and asked her to use her email password to open a document, which would have compromised her account.

Most often the goal is to obtain valuable information from the target and his assessments of the situation in Iran. The targeted researcher is often showered with praise and enticed with an original idea that frequently goes “against Iran,” such as “how to destroy Iran from within.”

The approach is usually signed in the name of the impersonated person but omits his phone number (for fear that the target will call the real person and realize he has been tricked). But as one of the authors recently experienced, Iran-linked operatives are now even leaving phone numbers.

Those on the receiving end of such Iranian entreaties should take the following steps: treat with suspicion any email they receive regarding a possible collaboration, especially when it is sent from a private address (e.g., via Gmail) rather than an institutional domain; independently verify that the sender is real, through other social media platforms or by calling his/her employer; never provide personal details or open links received from this source; and be cautious about the information they make accessible about themselves on social media platforms.
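The first two checks above (private mailbox instead of an institutional domain, and an address that merely resembles the impersonated person’s real name) can be turned into a simple triage heuristic. The following is an added example, not code from the authors or from Track Persia; the expert name, the institutional domain and the sample From headers are constructed, and the free-mail provider list is a hypothetical starting point.

```python
import re
from email.utils import parseaddr

# Hypothetical starting list of consumer mail providers; extend as needed.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, known_domain: str):
    """Score an outreach email's From header against the institution the
    sender claims to represent. Returns (number_of_red_flags, reasons)."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    reasons = []
    if domain in FREEMAIL:
        reasons.append("private mailbox instead of institutional domain")
    elif domain != known_domain.lower():
        distance = levenshtein(domain, known_domain.lower())
        if 0 < distance <= 2:
            reasons.append(f"lookalike domain {domain!r} vs {known_domain!r}")
        else:
            reasons.append("domain unrelated to the claimed institution")
    # A display name borrowed from a real expert, paired with a mailbox
    # whose local part bears no resemblance to that name, is a second flag.
    tokens = [t for t in re.split(r"[\s.]+", name.lower()) if t]
    if tokens and not any(t in local for t in tokens):
        reasons.append("display name does not match mailbox name")
    return len(reasons), reasons


if __name__ == "__main__":
    # Constructed sample headers; "example-news.org" is a made-up outlet.
    for hdr in ('"Jane Doe" <jane.doe@example-news.org>',
                '"Jane Doe" <janedoe.reporter@gmail.com>',
                '"Jane Doe" <jane.doe@examp1e-news.org>'):
        print(hdr, "->", assess_sender(hdr, "example-news.org"))
```

A non-zero score is a prompt to verify the sender out of band, not proof of an operation; a genuine journalist may occasionally write from a personal account.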

Contrary to popular belief, most of Iran’s successful cyberattacks have succeeded not because of its technological capabilities but because of its very extensive use of social engineering tools. Good technical solutions now exist to protect companies and individuals from hacking. It is much harder, however, to influence the human factor with such solutions, especially when the email appears credible, the offer to cooperate is flattering, and it matches the subject’s desire to demonstrate his knowledge and share it with others.

This makes the human factor the weakest link in the chain. The pattern of action is not new, but its use has accelerated. The greater the awareness of the relevant parties, the more difficult Iran’s intelligence missions will become.

More broadly, there is a need to increase information sharing between the social networks and state intelligence agencies. In the Iranian context, such cooperation can help block the profiles used in these approaches. The phenomenon cannot be prevented, but it can certainly be reduced considerably. Awareness of Iranian behavior in the cyber realm is the best way to counter these practices.


About Track Persia

Track Persia is a platform run by dedicated analysts who spend much of their time researching the Middle East. In the course of that work we come across many indications of growing expansionary ambitions on the part of Iran in the MENA region and the wider Islamic world. These ambitions commonly increase tensions and undermine stability.