
Seriously Risky Business Newsletter

March 19, 2026

Srsly Risky Biz: Successful War Leaves Iran With One Option, Cyber

Written by Tom Uren (Policy & Intelligence)

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Sublime Security.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Hormuz Island, Iran, Photo by Reza Ghazali on Unsplash

Aside from one disruptive attack, Iran's cyber retaliation against US and Israeli strikes has been largely missing in action. But there are reasons to believe in the longer term the war will result in an enduring increase in Iran's capacity and appetite for cyber mayhem.

Last week the Iranian state-backed group Handala did claim responsibility for a wiper attack on Michigan-based medical device manufacturer Stryker, and said the attack was partly in retaliation for the US bombing of an all-girls school in Iran. In recent days Handala and a range of other pro-Iranian groups have also claimed a series of hacks targeting Israeli or Middle Eastern organisations.

Although the Stryker attack looks like it is causing serious disruption at the target company itself, disruption at a single organisation won't trouble senior US policymakers.

In the short-term at least, it looks like Iran's full hacking capability is being suppressed by deliberate military action. Most recently, Seyed Yahya Hosseiny Panjaki, a deputy minister at Iran's Ministry of Intelligence and Security (MOIS), which controls hacking groups including Handala, was killed in strikes. It was reported last week that another Iranian man wanted by the FBI for alleged hacking crimes, Mohammad Mehdi Farhadi Ramin, was also killed. The Islamic Revolutionary Guard Corps cyber warfare headquarters was also struck early this month. 

In addition to the disruption and chaos caused by the war, internet access in Iran has also been blocked by the regime. That's not a total show-stopper. Handala migrated to Starlink during Iran's January shutdown, but suffice it to say that life is not easy for Iran's state-backed hackers. It's difficult to see how they could really ramp up destructive attacks against the West any time soon. 

That's the good news, but only in the short term. 

America's stated goals in this war are, per the White House, to: "obliterate Iran's ballistic missile arsenal and production capacity, annihilate its navy, sever its support for terrorist proxies, and ensure the world’s leading state sponsor of terrorism will never acquire a nuclear weapon". 

Even if these goals are entirely met, barring regime change, we expect that Iran's leaders will still want to project power overseas and will reach for whatever tools they still have. 

Unlike nuclear weapons programs or ballistic missiles, cyber forces don't require significant industrial capacity or vulnerable supply chains. This makes them far more resilient to conventional attacks. Sure, you can disrupt hacking operations for a short while with bombs, but it is hard to completely destroy capacity without somehow killing all of Iran's hackers. Cyber forces are the cockroaches of state power.

They're not just a tool of last resort, though. Investing in cyber capabilities makes sense for Iran. 

It's relatively cheap to build and maintain cyber forces. Compared to reconstituting nuclear facilities, missiles or even conventional military forces, hackers are cheap, cheap, cheap. That would be attractive for a likely cash-strapped post-war Iran. 

There is even a formula for Iran to follow. North Korea has proven it is possible for even the poorest of countries to develop formidable hacking capabilities relatively quickly, if there's political will. 

Importantly, cyber operations can also be used to strike globally, allowing Iran to hit American or Israeli organisations on their home turf. Another plus to add to the list.

Granted, cyber operations have limited effects compared to conventional military action. Even the most destructive attacks cause mischief and mayhem rather than raining death from above. 

In the context of a post-war Iran, however, that could be seen as a feature rather than a bug. Cyber operations could provide quick wins with less risk of being bombed in retaliation. Of course, we don't expect that Iran will invest in its cyber capabilities to the exclusion of other options.

As headlines from the Iran war fade, the risk of damaging Iranian cyber attacks will rise. 

Good Riddance to Instagram's End-to-end Encryption 

Last week Meta quietly announced that it will remove the ability to send end-to-end encrypted (E2EE) direct messages on Instagram in early May. This steps back from a commitment to roll out E2EE messages on Messenger and Instagram by default, but we are fine with it. There is a time and a place for E2EE direct messages and when it comes to social networks, we believe the downsides outweigh the benefits.

Meta told journalists it decided to remove the feature because "very few people were opting in to end-to-end encrypted messaging in DMs". That messaging is more than a bit self-serving. E2EE chats were not exactly easy to start, and platforms will often opt users into new defaults when it serves their interests. If Meta had wanted greater adoption, it could have driven it.

Predictably, some advocates are arguing that Meta should keep the feature, but even within the company there were genuine concerns about the implications of providing E2EE messaging across its services. This February, Reuters reported that executives had a range of concerns back in 2019, when CEO Mark Zuckerberg announced an initiative to roll out E2EE messaging across Meta's products. Monika Bickert, Meta's head of content policy at the time, wrote in an internal chat that "we are about to do a bad thing as a company. This is so irresponsible".

An internal Meta briefing document from 2019 estimated that if Messenger had been encrypted the company would have been "unable to provide data proactively to law enforcement in 600 child exploitation cases, 1,454 sextortion cases, 152 terrorist cases [and] 9 threatened school shootings".

The same document estimated that Meta's reporting of child nudity and sexual exploitation imagery to the US National Center for Missing and Exploited Children would have fallen from 18.4 million reports to 6.4 million.  

The key problem here is that bad people do bad things on social networks. Vulnerable people are harmed. E2EE makes it more difficult for platforms to mitigate those harms, especially when it comes to scanning messages or forwarding them to appropriate authorities. 

Attaching E2EE directly to a social network is particularly concerning because, as Meta's Global Head of Safety Antigone Davis acknowledged in a 2019 email, Facebook "allows pedophiles to find each other and kids via social graph with easy transition to Messenger". In other words, connecting a social network with E2EE messaging makes it easy for predators to find targets and directly initiate messages that are impenetrable to platforms.

It makes sense to keep E2EE messaging separate from social networks and apps that appeal to children and teens. Meta's not alone here. Just this month TikTok told the BBC it would not be introducing E2EE messaging because of safety concerns. The company said the technology would prevent police and safety teams from viewing messages. 

Different apps present different safety and privacy concerns. E2EE messaging is great when you want to place a premium on privacy, but it doesn't need to be incorporated into every single app or service. 

That's what Signal is for, after all.

Everyone Has President Trump's Phone Number

Over the years we've written about the smartphone dilemma: Politicians must use them but they are a horrendous security risk.

It is interesting to see that President Donald Trump is employing a counterintuitive strategy. Rather than keeping his personal phone number private and limiting calls, Trump is doing the exact opposite. His phone number is an open secret in Washington and is traded amongst journalists. Even worse, he answers without screening calls. As a result he has done more than 30 telephone interviews in the weeks since the start of the Iran war.

The one weird counterintelligence trick that mitigates foreign eavesdropping, however, is that Trump's calls have absolutely no intelligence value. Per Semafor: 

In a series of nine phone interviews about the war in Iran, Trump gave nine different, vague answers that offered little insight about when the White House may actually end the war. On Feb. 28, he said the war could be over in two or three days. A day later, he told ABC that it would actually be four or five weeks, most likely. On March 2, he told Jake Tapper that the US was "a little ahead of schedule" of its 4 week window. But two days later, he told Time magazine it had "no time limits."

We wonder if he's employing that same strategy in calls to friends and associates. 

We can imagine the Chinese intelligence reports: "The President stated the US has won the war and it will end some time between next Tuesday and never". 


Three Reasons to Be Cheerful This Week:

  1. Grants for open source security: The Linux Foundation has announced US$12.5 million in grants "to strengthen the security of the open source software ecosystem". The announcement is a bit vague on what the grants will be used for, although it does mention bringing "maintainer-centric AI security assistance".
  2. Meta fights scammers: Last week Meta said it removed 159 million scam ads and took down nearly 11 million Facebook accounts in 2025, in its fight against scammers. It also introduced new tools on Facebook, Messenger and WhatsApp to help protect against scams. That's all good, but we think the news should be placed in context next to a Reuters report from last year alleging that Meta was making bank from scam ads. Bad press and the threat of regulation drives investments in safety and security.
  3. Ransomware is shifting focus to data extortion: A new Google Threat Intelligence report indicates that ransomware actors are increasingly focussing on data extortion rather than using malware that encrypts systems to lock them up. Google's head of cybercrime intelligence, Genevieve Stark, told CyberScoop that some very effective cybercrime groups including Scattered Spider and ShinyHunters are "almost all just focusing on data-theft extortion right now". 

Sponsor Section

In this Risky Business sponsor interview, Catalin Cimpanu talks with Alex Orleans, Head of Threat Intelligence at Sublime Security, about the increase in email attacks leveraging Zoom invites and other video conferencing tools.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how bombing Iran changes incentives for Iranian hacker groups. Destroying other ways that Iran might project power could force it to double down on cyber capabilities.

Or watch it on YouTube!

From Risky Bulletin:

EU finally imposes more cyber sanctions: The European Union on Monday imposed sanctions on three hacking groups and two individuals for cyberattacks on its member states.

Sanctions were imposed on Iranian cyber contractor Emennet Pasargad for its hack of French satirical magazine Charlie Hebdo, the 2024 Paris Olympic Games, and a Swedish SMS service.

This is the same group that also meddled in the 2020 US Presidential Election and was later sanctioned three times by the US as well, in 2021, and September and December 2024.

Emennet works under Iran's Islamic Revolutionary Guard Corps (IRGC) and has carried out both stunt-hacks and influence operations.

In addition, the EU also imposed sanctions on two Chinese cyber contractors.

[more on Risky Bulletin]

Meta disrupts Mexican cartels: Meta's security team suspended thousands of accounts last year that were tied to Mexican and other Latin American drug cartels.

The Facebook and Instagram accounts were used to recruit youth for drug trafficking and drug dealing, to advertise drugs, and to organize violence and extortion operations.

Meta says it used AI to detect the coded language typically used by cartels and also to identify photos of drugs posted on its platforms. Human reviewers also confirmed the findings before accounts were removed.

[more on Risky Bulletin]

Another residential proxy provider falls as authorities continue crackdowns: American and European law enforcement agencies have seized the infrastructure of a residential proxy provider named SocksEscort, the latest in a series of crackdowns on proxy providers over the past few years.

The service had been running since 2021 and rented access to more than 369,000 different IP addresses across its lifetime.

According to the FBI, Europol, and Dutch Police, SocksEscort was a front for a malware operation that infected modems and home routers. Lumen's Black Lotus Labs linked it to a botnet it discovered in 2023, named AVRecon.

[more on Risky Bulletin]
