
Seriously Risky Business Newsletter

March 05, 2026

Srsly Risky Biz: The Four Hour Cyber War on Iran

Written by Tom Uren, Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Okta.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


Tehran, by hosein charbaghi on Unsplash

The US-Israeli attack on Iran shows how cyber operations help achieve military goals when aggressors have cyber dominance. But it also highlights the small window of opportunity for them to have a significant impact once war kicks off.

At a press briefing on Monday, Joint Chiefs of Staff Chairman Gen. Dan Caine said US Cyber Command was involved in "coordinated space and cyber operations [that] effectively disrupted communications and sensor networks… leaving the adversary without the ability to see, coordinate or respond effectively".

The overall goal, he said, was to "disrupt, disorient and confuse the enemy". 

An official acknowledgment containing that much detail is new, but this kind of discombobulation attack is becoming the norm for well-planned and orchestrated military operations. Last year, Cyber Command helped blind Iranian air defences in the US strike on the country's nuclear facilities. Cyber operations were also used to cause a blackout during the US raid to capture Venezuelan President Nicolás Maduro in January this year. 

Last week, cyber operations were a key contributor to the assassination of Iran's supreme leader Ali Khamenei. The timing of the decapitation strike against Khamenei, and the beginning of the war, was determined when intelligence officials learnt he would be meeting with senior officials at his compound on Saturday morning.

The Financial Times (FT) reported that real-time intelligence from compromised traffic cameras, and what it called "deeply penetrated" mobile phone networks, was used to confirm the meeting was going ahead as planned. Sources told FT that nearly all the traffic cameras in Tehran were being monitored by Israel. One particular camera pinpointed where bodyguards and drivers of senior Iranian officials liked to park in Khamenei's compound. 

In addition to providing targeting intelligence, the FT says a cyber operation disrupted the mobile phone system near Khamenei's compound, so his protection detail couldn't receive warnings about an impending attack. 

The ability to pull this off was the result of years of Israeli effort to build a comprehensive intelligence architecture focussed on Tehran. This used information from SIGINT, cyber espionage and HUMINT. 

While cyber-enabled intelligence gathering was instrumental in this attack, Israeli sources told the FT that these feeds become less useful once a war kicks off. They were used for "pattern of life" analysis to determine where targets would be and when. Falling bombs disrupt this pattern and targets have pre-planned counter measures such as heading to underground bunkers.

In a shift from the lethal to the mundane, cyber operations were also used for, ahem, "psychological warfare". That is, to send push notifications directly to Iranian citizens shortly after bombing started.

The Iranian prayer app BadeSaba pushed out messages to users urging them to resist the regime. The first read "help has arrived", while another was targeted at army personnel: "for the freedom of our Iranian brothers and sisters, this is a call to all oppressive forces—lay down your weapons or join the forces of liberation. Only in this way can you save your lives". 

Compared to pinpointing the exact location of the country's supreme leader, this campaign feels inconsequential, sure. But writing on X, Iran cyber specialist Hamid Kashfi pointed out the app is both extremely popular and requests access to the user's location, presumably so it can provide accurate prayer times. We expect that the primary reason the app was compromised was for its intelligence value and that data about its users was raw material for Israel's intelligence machine. If they managed to convince a few soldiers to "lay down their weapons" as well? That's a double win. 

About four hours into the attacks the Iranian regime imposed a country-wide internet blackout. This is the regime's default response to internal dissent, so we doubt this was solely a reaction to adversary cyber attacks and espionage. 

But it suggests that there may be a wartime dynamic that places a cap on the usefulness of cyber operations. The more effective your cyber campaign is, the more likely the victim country is to take drastic measures, like shutting down the internet.

This week the US and Israel had cyber dominance. Compromising traffic cameras, entire mobile networks, and prayer apps is already a ton of pwnage. We'd be surprised if there wasn't a lot more that didn't make its way to newsdesks.

When it came to executing a surprise attack, that cyber dominance paid off in spades. But only for a few hours. 

Risky Bulletin has further coverage examining the likelihood of Iranian cyber retaliation.

The Dull Roar of AI-powered Cybercrime

A range of reports show that AI adoption is, unsurprisingly, making threat actors' standard workflows quicker and easier. The good news for defenders is they don't need to adopt entirely new approaches to counter these attacks. They do need to double down on basic security protections, with a focus on phishing-resistant MFA and combatting compromised credentials. 

Recent reports published by CrowdStrike, ReliaQuest, IBM X-Force, Sophos, and OpenAI highlight AI's impact on the threat landscape.  

There is more than a bit of "ZOMG AI" in many of these reports, but we are here to cut through the hyperbole.

Firstly, the bad news. AI is making phishing easier and more effective, and once threat actors break into networks they are able to move rapidly. 

AI makes it simple for malicious actors to produce articulate messages in multiple languages. These days, the traditional there's-a-typo-in-the-email-don't-click-on-it phishing training exercises won't slow down the Nigerian prince. His emails will be perfect from the get-go.

Phishing messages are also becoming far more personal. This week a Trend Micro blog detailed its development of a tool that automatically converts information scraped from LinkedIn into tailored spear phishing messages. We haven't found evidence this technique is being used in the wild, but it took Trend a day to set up a prototype. It's just a matter of time. 

Conducting open source research to inform targeted phishing is not new, but has previously been a niche reserved for capable actors, willing to put in a lot of work for the chance of a big payoff. Think high-value business email compromise (BEC) or cyber espionage actors. Automating the process will dramatically lower the barrier to entry. Competent, targeted phishing will become common, even for "low-value" targets.  

OpenAI's report indicates that scammers are already zoning in on more niche target demographics. One romance scam targeted wealthy Indonesian men. Another targeted American men, who worked in the medical field, were in their 40s, and liked to talk about golf online. The scammers used generative AI to produce supporting material such as images or websites. They used LLMs for both translation and to add an authentic tone to their false personas. Messages were supplied to ChatGPT by the scammers, likely following manipulation playbooks that are developed empirically over time.

But AI's not just for phishing. 

Once inside a victim network, threat actors are now able to move laterally much faster than before. CrowdStrike reported that it took an average of just half an hour for intruders to move from their initial point of access to elsewhere in the victim's network. This is down from 48 minutes last year and almost 100 minutes in 2021. This long-term downward trend is not solely due to the rise of AI, but it does reflect increasing automation enabled by AI assistants. 

Finally, the speed of data exfiltration has also dramatically increased. CrowdStrike credited the current record to a group it calls Chatty Spider which targets law firms. It attempts to exfiltrate data to Google Drive just four minutes after gaining illegitimate access to a workstation. Entire intrusions often lasted less than an hour. Similarly, ReliaQuest said the fastest data theft it saw began in six minutes. In 2024, that record was four hours.

There is some good news here. Threat actors aren't doing anything novel. They are utilising AI to implement the same techniques they always have. But they're doing it much faster, which means they can squeeze a lot more badness into their usual 9-5.

This means that from a defender's perspective AI-related threats don't require any sort of magic bullet. Defenders need to lock down basic hygiene and do more of the same, but more quickly. And phishing-resistant MFA has got to be part of the answer here.

It should be easy, really! Or at least easier than rolling incident response afterwards.

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. Ransomware attacks up but payments flat: Blockchain analysis company Chainalysis expects the final tally for 2025 ransomware payments will approach USD$900 million, up from $892 million in 2024 despite 50% more claimed attacks. It attributes this to a range of factors including improved incident response and more effective international action. The Record has further coverage.
  2. Spyware executives sentenced in Greece: The CEO of spyware vendor Intellexa and three other executives have been sentenced to at least eight years in prison by a Greek court. Intellexa sells Predator spyware, which was involved in a large political scandal when dozens of Greek politicians were found to have been targeted by the spyware.
  3. Action against The Com: Europol has announced that 30 members of The Com have been arrested under Project Compass. The Com is a particularly nasty online community that Europol describes as a "decentralised extremist network targeting minors and vulnerable individuals both online and offline". Some of its members have become key players in the spectacularly effective youth hacking groups including Lapsus$, Scattered Spider and other offshoots. 

Sponsor Section

In this sponsored interview Casey Ellis chats to Harish Peri, SVP and general manager for AI security at Okta, a cloud-based identity and access management company. The pair chat about the fact that AI is forcing enterprises to relearn the basics around identity security, and how Okta for AI Agents can help.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the use of cyber operations in the war in Ukraine has evolved over time.

Or watch it on YouTube!

From Risky Bulletin:

Procurement docs show China's use of AI for cyber: An analysis of procurement documents reveals that China is pushing for the integration of AI tools into its military, intelligence, and cyber operations. In the cyber realm, the PLA is using AI to detect intrusions, enhance cyber operations, and for disinformation campaigns. It is also experimenting with AI to ingest and analyze large quantities of data, pilot unmanned combat vehicles, and hit targets on its own. Beijing also wants to use AI to assist and accelerate decision-making because CCP officials are afraid the PLA's chain of command might be overmatched on a real battlefield. [Foreign Affairs]

LLMs can deanonymize internet users based on their past comments: A team of academics has developed large language models (LLMs) that can deanonymize internet users based on past comments or other digital clues they have left behind.

The new method works even if targets use different pseudonyms across multiple platforms. It can link real identities to hidden accounts and online activity, and vice versa.

The LLMs basically work by analyzing past activity and creating user profiles. Once enough data points are available, connections can be made between similar profiles based on shared vocabulary and other clues revealed online, such as locations, hobbies, age, and so on.

[more on Risky Bulletin]

Russian man investigated for extorting Conti ransomware group: Russian authorities have arrested a Moscow resident for posing as an FSB intelligence officer to extort and demand payments from members of the Conti ransomware group.

Ruslan Satuchin was detained in October of last year and has remained in custody after authorities extended his arrest warrant in December.

According to Russian news outlet RBC, the suspect contacted a Conti member in September of 2022, claiming he could prevent the FSB from investigating them for a bribe.

[more on Risky Bulletin]
