Accelerated deal, France warns Iran as Khamenei orders nuclear progress

ANKARA: Iran has stepped up its long-running cyber campaign against Turkey through state-sponsored hackers, who have been targeting prominent government and private websites in the country since November 2021.

Experts believe the enhanced cyberattack is a backlash against Turkey’s attempts to normalize relations with countries such as the United Arab Emirates, Saudi Arabia and Israel.

MuddyWater, a hacker group linked to Iran’s Ministry of Intelligence and Security, is believed to be behind the cyberattacks, which involve infection vectors such as malicious PDF attachments and Microsoft Office documents embedded in phishing emails.

These malicious documents were titled in the Turkish language so that they were presented as legitimate texts from the Turkish Ministries of Health and Interior.

The malware attack was first observed by Cisco Talos Intelligence Group, one of the largest commercial threat-focused intelligence teams in the world.

The emails to the target’s company contained a link to a compromised website and used the target institution’s name as a parameter in the URL.

In a tactic known as web bugging, the links are used to track when messages are opened by the endpoint.

When the initial access to the victim is gained, the hacker group collects sensitive information from their network.

MuddyWater is known for its attacks on government networks in the United States, Europe, the Middle East and South Asia over the past two years, with the aim of carrying out cyber espionage for the interests of the state, to deploy ransomware and destructive malware and steal intellectual property that has high economic value.

“Iran has become an increasingly competent and sophisticated cyber actor since 2007,” Rich Outzen, a retired US Army colonel and senior fellow at the Jamestown Foundation, told Arab News.

“Up to that point, there were cyberattacks and cybercrimes emanating from Iran, but little evidence of state leadership,” Outzen said.

“Starting with the suppression of the Green Movement and Iran’s own experience as a target of cyberattacks against its sanctioned nuclear program, the emergence of an ‘Iranian Cyber Army’ under the leadership of the Islamic Revolutionary Guard Corps has been documented,” he said.

The group is primarily driven by geopolitical events and designs its hacking attempts based on long-term strategic goals.

“Iran now regularly conducts data suppression attacks, distributed denial of service attacks, and industrial disruption attacks against targets in the United States, Europe, Israel, and the Gulf, as well as against targets nationalities in Iran,” Outzen said.

“Attacks on Turkey have been less frequent, but seem to be increasing over the past two or three years. With the ongoing rapprochement with Israel and the Gulf, more can be expected,” he said.

Last week, Turkey and Israel jointly foiled an Iranian-led assassination attempt on a 75-year-old Turkish-Israeli businessman in Turkey after a long intelligence operation exposed an Iranian cell.

The timing of the assassination attempt coincided with Turkey’s talks to normalize diplomatic relations with Israel, when President Isaac Herzog was due to visit the country soon.

It also came days before Turkish President Recep Tayyip Erdogan’s scheduled visit to the UAE to strengthen ties and develop joint cooperation projects for the region.

This time, the targets of the hacker group in Turkey included the Scientific and Technological Research Council of Turkey.

“Iran uses cyber warfare as an extension of its foreign and security policy,” Jason M. Brodsky, policy director for United Against Nuclear Iran, told Arab News.

“Iranian tactics include cyber espionage, cyber attacks and foreign influence operations,” Brodsky said.

“Turkey has long been the target of Iranian cyber activity,” he added.

“For example, in 2015, some reports traced a major power outage in Turkey to Iran. The US government has alleged that the Mabna Institute, which is an Iranian company that has sometimes contracted with Iranian government entities to conduct hacking operations, has targeted universities in Turkey,” Brodsky said.

Experts advise Turkish institutions to assess the cyber threat, periodically apply security updates to all their systems, improve the readiness of their networks against exposure to malicious activity, and develop up-to-date security solutions for remote access and web-based email access with multi-factor authentication.

Earlier this year, US Cyber Command attributed MuddyWater’s activities to MOIS and released samples of malicious code allegedly used by Iranian hackers to help defend US allies against future intrusion attempts.

According to the US Congressional Research Service, MOIS “conducts national surveillance to identify opponents of the regime. It also monitors anti-regime activists abroad through its network of agents stationed in Iranian embassies.”

Brodsky said that in the current environment, Iran’s motivations can be multifaceted for economic, intelligence and political reasons.

“Tehran has largely tried to get a price tag from regional competitors that are improving or normalizing relations with Israel, and such a rise in Turkey would not be surprising,” he said.

“This does not mean that the cyberattacks could be linked to Ankara’s very public allegations of Iranian intelligence activity in the country, targeting dissidents and recently an Israeli businessman,” he said.

According to Outzen, sanctions against the countries allegedly behind these attacks are of limited use because the main cyber actors of concern to the United States and its allies – Russia, China and Iran – are already heavily sanctioned.

“The cyber collectives that carry out the attacks often operate under the direction of the state apparatus, but not officially within it,” he said.

“Sanctions must therefore be combined with both a public awareness campaign and cybersecurity practices that make targets harder to hit, and cyber operations by the United States and its allies against the sources of the attacks,” he added.

Outzen added that this is an ongoing, low-level cyberwar, of which Turkey is now a part.

“The key is both to protect (their) own assets and to have the malicious actors – in this case Iran – raise the costs to engage in the attacks,” he said.

Ties between Turkey and Iran have fluctuated recently, with the countries pursuing an intense geopolitical rivalry in Syria’s northwest Idlib province and northern Iraq, particularly the disputed district of Sinjar.

On January 20, Iran abruptly cut off the flow of natural gas to Turkey and the disruption lasted around 10 days, undermining operations at the factories.
