The Evolution of Cyber Crime Among Iranian Actors
Key Points
- Rising Engagement with Cyber Crime: Iranian-associated actors are increasingly tapping into the cyber crime ecosystem, utilizing criminal tools and operational models to further state objectives.
- Historical Use of Cyber Crime as Cover: While Iranian entities have previously masked destructive operations behind hacktivism, there is a noticeable shift toward direct engagement with criminal activities.
- Focus on MOIS Affiliates: This trend is most evident among groups linked to the Ministry of Intelligence and Security (MOIS), such as Void Manticore (a.k.a. “Handala Hack”) and MuddyWater, who have shown consistent interactions with criminal tools and services.
- Operational Advantages: Engaging with the cyber criminal ecosystem bolsters their operational capabilities and complicates attribution, resulting in increased confusion surrounding Iranian threat activity.
Introduction
For years, Iranian intelligence services have adapted their strategies to the shifting landscape of international relations and conflict. Where they have historically relied on criminal intermediaries for operations in the physical realm, the same pattern is now surfacing in the digital domain: state objectives are increasingly pursued with criminal tools, services, and frameworks, particularly by actors tied to the Ministry of Intelligence and Security (MOIS).
Initially, Iranian operators obscured state agendas behind the appearance of ordinary cyber crime, frequently masquerading as ransomware groups. Recent activity shows a deeper involvement in the cyber crime ecosystem, moving beyond imitation to working alongside actual cyber criminals. For some MOIS-affiliated actors, cyber crime has therefore shifted from a façade to a vital operational asset.
Background – MOIS and Criminal Activity
The Iranian regime has long recognized the value of aligning with criminal networks. These affiliations have historically given the regime reach and plausible deniability, including the ability to carry out violent acts without a direct link back to the state.
One stark example is the narcotics trafficking network led by Naji Ibrahim Sharifi-Zindashti, which was reported to operate under MOIS direction to target dissidents. A parallel pattern has been reported in Sweden, where Iranian interests have allegedly used criminal networks to conduct violent acts against perceived threats, including actions linked to Israeli and Jewish targets.
Against this background, indications of MOIS involvement in the cyber criminal underground look like a strategic extension of an established playbook. Rather than merely imitating criminal activity, these actors are engaging with the criminal ecosystem itself: its infrastructure, its access brokers, and its affiliate networks.
Case Studies: Void Manticore and MuddyWater
Void Manticore (Handala) and Rhadamanthys
Void Manticore is notable for its aggressive operations against targets in Israel and Albania, often conducted under the guise of hacktivism via the “Handala” persona. Revealingly, the group has also used commercial infostealers such as Rhadamanthys, a stealer sold on darknet platforms and valued by its criminal customer base for its robust architecture and adaptability. In phishing campaigns against Israeli organizations, the group has deployed this off-the-shelf stealer alongside its own custom wipers, which is what ties the commodity tooling to the group's destructive operations.

MuddyWater – Tsundere Botnet and Castle Loader
MuddyWater is known for its focused cyber espionage campaigns across the Middle East. Although linked directly to MOIS, the group has been associated with various cyber crime clusters, which has led to misattributions and confusion in the threat landscape.
The Tsundere Botnet illustrates this connection: a Node.js-based JavaScript botnet whose code-signing practices overlap with those observed in known MuddyWater activity.
MuddyWater’s links to CastleLoader add another layer of complexity. Some observers have speculated about an operational affiliation, but the available evidence points only to shared code-signing certificates between the two. A shared certificate indicates interconnectedness, such as a common supplier in the criminal ecosystem, rather than proving direct collaboration, and a practitioner should treat such an overlap as a pivot for further investigation rather than as attribution in itself.

The Iranian Qilin Affiliates
A significant recent incident was the cyber attack on the Israeli Shamir Medical Center, initially framed as a ransomware incident by a group named Qilin. Subsequent assessments instead pointed to Iranian-affiliated operators acting as Qilin affiliates. Qilin runs a ransomware-as-a-service model in which affiliates carry out the intrusions under the Qilin brand, which allows a state-backed operator to hide its intentions inside the criminal ecosystem.
This incident fits an ongoing campaign by MOIS and affiliated actors against Israeli healthcare facilities, one that leverages the cyber criminal marketplace for both operational efficacy and deniability.

Closing Thoughts
The trajectory of Iranian involvement in cyber crime marks a departure from concealment alone toward active engagement with the cyber criminal world. This shift enhances these actors’ operational capabilities and makes attributing and countering Iranian cyber threats harder: criminal tooling, rented infrastructure, and RaaS affiliate programs give defenders signals that point, at first glance, at ordinary crime. With actors like Void Manticore and MuddyWater at the forefront, analysts should expect commodity malware and criminal branding to appear in state-directed operations, and should treat such indicators as a starting point for attribution rather than a conclusion.