Iran-linked hacker group targets Turkey’s cyber network

Updated 18 February 2022
  • With rapprochement underway with Israel and Gulf, more malware attacks can be expected, analyst tells Arab News 
  • Tehran uses cyberwarfare as an extension of its foreign and security policies, claims expert 

ANKARA: Iran has escalated its longstanding cyber campaign against Turkey through state-sponsored hackers, who have targeted high-profile governmental and private websites in the country since November 2021.

Experts believe that the upgraded cyber assault is a reaction against Turkey’s attempts to normalize ties with countries such as the UAE, Saudi Arabia and Israel.

MuddyWater, a hacker group linked to Iran’s Ministry of Intelligence and Security, is allegedly behind these cyber attacks, which involve infection vectors such as malicious PDF attachments and Microsoft Office documents embedded in phishing emails.

These malicious documents were titled in the Turkish language so they would present as legitimate texts coming from the Turkish health and interior ministries.

The malware attack was first observed by Cisco Talos Intelligence Group, one of the world’s biggest commercial threat-focused intelligence teams.

The emails to the target’s enterprise contained a link to a compromised website and used the name of the target institution as a parameter in the URL.

As part of a tactic known as a web bug, the links are used to track when the messages are opened on the target’s endpoint.
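A defender-side check for the behaviour just described, written as an added example that is not part of the article or of Cisco Talos’s reporting: it scans outbound web-proxy records for requests whose URL query string carries the organisation’s own name as a parameter value. The log format, hostnames and organisation name are constructed assumptions.

```python
# Added example (not from the article or from Cisco Talos): flag outbound
# requests whose query-string parameter value equals the organisation's name,
# the web-bug pattern used to report that a phishing mail was opened.
# The proxy log format (<timestamp> <client_ip> <url>) and all hostnames
# and names below are constructed for this illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl


@dataclass
class BeaconHit:
    timestamp: str
    client_ip: str
    host: str
    param: str
    value: str


def _normalise(s: str) -> str:
    # Compare case-insensitively and ignore separators so "example-org" == "ExampleOrg".
    return "".join(ch for ch in s.lower() if ch.isalnum())


def find_beacon_hits(log_lines, org_names):
    """Return a BeaconHit for every query parameter whose value names the organisation."""
    wanted = {_normalise(n) for n in org_names}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip lines that do not match the constructed format
        ts, client, url = parts[0], parts[1], parts[2]
        u = urlsplit(url)
        for key, val in parse_qsl(u.query, keep_blank_values=True):
            if _normalise(val) in wanted:
                hits.append(BeaconHit(ts, client, u.hostname or "", key, val))
    return hits


# Constructed sample proxy log: two beacon-style requests among ordinary traffic.
SAMPLE_LOG = [
    "2022-02-10T09:12:03Z 10.0.4.21 https://example-compromised-site.test/img.gif?id=ExampleOrg",
    "2022-02-10T09:12:05Z 10.0.4.21 https://cdn.example.test/app.js?v=42",
    "2022-02-10T09:13:11Z 10.0.7.8 https://another-site.test/track.php?org=example-org&u=7",
    "2022-02-10T09:14:00Z 10.0.7.9 https://news.example.test/?q=weather",
]

if __name__ == "__main__":
    for hit in find_beacon_hits(SAMPLE_LOG, ["ExampleOrg"]):
        print(f"{hit.timestamp} {hit.client_ip} -> {hit.host} ({hit.param}={hit.value})")
```

Each hit gives the client that opened the message and the external host that received the beacon, which is the starting point for checking that endpoint for the follow-on payload.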

When the initial access to the victim is gained, the hacker group collects sensitive information from its network. 

MuddyWater is known for its attacks against government networks across the US, Europe, the Middle East and South Asia for the last two years, with the aim of conducting cyber-espionage for state interests, deploying ransomware and destructive malware and stealing intellectual property that has high economic value. 

“Iran has become an increasingly capable and sophisticated cyber actor since 2007,” Rich Outzen, a retired colonel in the US Army and senior fellow at the Jamestown Foundation, told Arab News. 

“Up to that time, there were cyber attacks and cyber crime emanating from Iran, but little evidence of state direction,” said Outzen. 

“Starting with the suppression of the Green Movement and Iran’s own experience as a target of cyber attacks on its sanctioned nuclear program, the emergence of an ‘Iranian Cyber Army’ under the guidance of the Islamic Revolutionary Guard Corps has been documented,” he said. 

The group is mainly motivated by geopolitical events and designs its hacking attempts based on long-term strategic goals. 

“Iran now regularly conducts data deletion attacks, Distributed Denial of Service attacks, and industrial disruption attacks against targets in the US, Europe, Israel and the Gulf, as well as against domestic targets in Iran,” Outzen said. 

“The attacks on Turkey have been less frequent, but appear to be increasing in the past two to three years. With the rapprochement underway with Israel and the Gulf, more can be expected,” he said.

Last week, Turkey and Israel jointly foiled an Iran-led assassination attempt on a 75-year-old Israeli-Turkish businessman in Turkey after a lengthy intelligence operation that unveiled an Iranian cell. 

The timing of the assassination attempt coincided with Turkey’s discussions to normalize diplomatic relations with Israel, when President Isaac Herzog was set to visit the country soon.

It also came days before Turkish President Recep Tayyip Erdogan’s planned visit to the UAE to boost ties and develop joint cooperation projects for the region. 

This time, the hacker group’s targets in Turkey included the Scientific and Technological Research Council of Turkey.

“Iran uses cyber warfare as an extension of its foreign and security policies,” Jason M. Brodsky, policy director of United Against Nuclear Iran, told Arab News. 

“Iranian tactics include cyber espionage, cyberattacks and foreign influence operations,” said Brodsky.

“Turkey has long been a target of Iranian cyber activity,” he added. 

“For instance in 2015, some reports traced a large power outage in Turkey to Iran. The US government has alleged that the Mabna Institute, which is an Iranian company that has on occasion contracted with Iranian governmental entities to conduct hacking operations, targeted universities in Turkey,” Brodsky said.

Experts advise institutions in Turkey to assess the cyber threat, apply security updates to all their systems periodically, improve the preparedness of their networks against exposure to malicious activities, and develop up-to-date remote access solutions and web-based email access with multi-factor authentication. 

Earlier this year, US Cyber Command attributed MuddyWater’s activities to the MOIS, and it published some samples of malicious code allegedly used by Iranian hackers to help US allies defend themselves against future intrusion attempts.

According to the US Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”

Brodsky said that, in the current context, Iran’s motives can be multifaceted for economic, intelligence and political reasons. 

“Tehran has broadly been trying to extract a price from regional competitors who are in the process of improving or normalizing relationships with Israel, and such an uptick in Turkey would not be surprising,” he said. 

“That is not to mention that the cyber attacks could be related to Ankara’s very public allegations of Iranian intelligence activity in the country, targeting dissidents and recently an Israeli businessman,” he said.

According to Outzen, sanctions against countries that are allegedly behind these attacks are of limited use because the primary cyber actors of concern for the US and its allies — Russia, China and Iran — are already heavily sanctioned. 

“The cyber collectives carrying out the attacks often operate at the direction of, but not formally as part of, state apparatus,” he said.

“Sanctions must be combined therefore with both a campaign of public awareness and cyber security practices that make targets harder to strike, and cyber operations by the US and its allies against the sources of the attacks,” he added.

Outzen added that this is an ongoing, low-level cyber war, which Turkey is now a part of. 

“The key is to both protect (their) own assets, and to pose the malicious actors — in this case Iran — escalating costs for engaging in the attacks,” he said. 

Ties between Turkey and Iran have recently fluctuated, with the countries pursuing an intense geopolitical rivalry in Syria’s northwestern Idlib province and northern Iraq, particularly the disputed Sinjar district. 

On Jan. 20, Iran abruptly cut natural gas flow to Turkey and the disruption lasted for about 10 days, undermining operations in factories.