Iranian cyberattacks targeting U.S. and Israeli entities

Iranian nation-state threat actors are targeting entities based in the U.S. and Israel, according to research that Google published Tuesday.

According to a report about cyberwarfare surrounding the ongoing Israel-Hamas war that began in October, "Iran aggressively targeted Israel and the United States in the years leading up to Hamas' attack on October 7" and has continued to do so in the months since. Related to the war itself, Iran has targeted Israeli individuals and organizations with destructive malware, as well as intelligence collection activities and public influence campaigns. Intelligence collection activities also targeted entities in the U.S.

Google described malicious activity from several Iranian state-sponsored actors, such as APT42, "Dustycave" and "Dune." As for ongoing activity directed at the U.S., the report mentioned the November cyberattack against the Municipal Water Authority of Aliquippa in Pennsylvania in which a threat actor known as "Cyber Av3ngers" -- thought to be backed by Iran's Islamic Revolutionary Guard Corps -- claimed responsibility.

The report noted that the actor compromised a machine that regulated water pressure at the facility and contained components developed or created by an Israeli-owned company. In a December advisory, CISA explained that Cyber Av3ngers was compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) in water and wastewater utilities. The threat actor used default passwords for the PLCs, which were publicly exposed on the internet, to gain access and deface the PLCs' control panels with a message that said, "You have been hacked. Down with Israel. Every equipment 'made in Israel' is Cyber Av3ngers legal target."

The attack on the Municipal Water Authority of Aliquippa heightened concerns about threats to critical infrastructure. CISA published an incident response guide for organizations in the water and wastewater utility sector.

During a Monday press briefing, Sandra Joyce, vice president of Mandiant at Google Cloud, said Iran's hacking efforts against the U.S. and Israel have had mixed results, using Cyber Av3ngers' Pennsylvania attack as an example. She said the group made claims that it had full access to water facilities in the U.S. and leaked internal docs to make it appear as though that were true. In this case and others, she said, Iran used influence operations to make it seem as though its activities had a greater impact than they did.

"All these incidents really are information operations. The goal here, obviously, is to undermine confidence in the government and essential services, but also to exaggerate the impact of these groups," Joyce said. "They do this by targeting critical services and services that are very visible ... and they do this by exaggerating those effects."

Google also noted phishing activity conducted by Iranian state-sponsored group APT42. The research claimed that the timing and targets "suggested a specific interest in Israeli and US decision making related to the conflict." The campaign targeted nongovernmental organizations, media and policy work associated with higher education.

"In November 2023, APT42 conducted phishing activity against several high-profile users based in Israel and the US, including current and former government officials, diplomats, and individuals who work on US-Israel relations," the research read. "This activity is in line with the group's normal operations, but is nonetheless notable for its focus on individuals who are likely to possess insights into the inner thinking and decision making of the US and Israeli governments."

For example, Google researchers said one actor, an information operations group referred to as "Marnanbridge," was conducting hack-and-leak campaigns -- in which threat actors obtain sensitive information and release it to the public -- targeting Israel. The tech giant said the organization was likely connected to Iranian company Emennet Pasargad, an organization the U.S. government previously sanctioned for attempting to influence the 2020 presidential election.

Joyce referenced this activity as part of the briefing; during the last presidential election, Marnanbridge sent threatening emails to voters claiming to be from far-right group the Proud Boys. "The reason that we mentioned this is that this is a major global election year," she said. "And these groups who have done these sorts of things in the past, they're active now. And we should be keeping an eye on them, especially during this year."

Despite the mixed results of Iranian cyberattacks, Google and Mandiant officials emphasized that Iran has committed significant resources to its state-sponsored hacking efforts. Shane Huntley, senior director of Google's Threat Analysis Group, said the threat groups have demonstrated that they can deploy cyberattack capabilities very quickly.

"We see this as a tool of first resort. We don't see cyber as something that comes later," Huntley said during the press conference. "It's something that comes early, and something that can exist with kinetic attacks or without."

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.