Fake jobs, hidden malware: Iran’s cyber spy playbook

Dubai: Iranian hackers posed as job recruiters to target software engineers in the aviation sector as part of an elaborate espionage campaign during the US-Israeli war with Iran, cybersecurity researchers told CNN on Friday.

The Iranian operatives also targeted a US oil and gas firm, along with organisations in Israel and elsewhere in the Gulf, according to researchers at Palo Alto Networks’ Unit 42.

Compromising aviation, oil and gas companies could, in theory, allow Iran to track flight manifests to the Middle East or better understand how US energy firms are dealing with volatile oil markets. It is the kind of asymmetric threat US intelligence officials have warned about since the US and Israel launched strikes on Iran in late February.

The hacking effort involved fake job postings and video conferencing software infected with malicious code. In one case, the operatives impersonated a US airline. The campaign highlighted the lengths to which Tehran-linked hackers have gone to collect intelligence that could be useful for the regime’s survival during the conflict.

Unit 42 researchers told CNN that, based on their findings, they do not believe the hackers successfully breached any of the aviation, oil or gas firms targeted. They said some other organisations may have been compromised in the broader global campaign, but declined to identify them.

With Iran lacking missiles and drones capable of striking the US mainland, American officials have been watching for signs of Iranian cyber intrusions into critical infrastructure during the war. CNN reported last week that Iranian hackers were also among the top suspects in a series of breaches involving fuel station tank-monitoring systems in the US, activity that raised safety concerns among officials.

Much like North Korea

The Aviation Information Sharing and Analysis Center, a global group representing airlines, airports and other aviation organisations, said the alleged Iranian spying effort was not unexpected.

“We have been expecting attacks as a consequence of the war,” the group’s president, Jeffrey Troy, told CNN. “In the bigger picture, we have seen fake IT worker schemes and attempts to get credentials by abusing the help desks at companies.”

Iranian hacking groups have previously targeted airlines, in some cases to track dissidents abroad.

CNN said it had requested comment from the Iranian mission to the United Nations, while the FBI declined to comment.

In the latest campaign tracked by Unit 42, the hackers targeted software engineers with deep access to company networks. Researchers said the operation showed that, much like North Korea, Iran is increasingly trying to infiltrate high-tech sectors by posing as recruiters or prospective employees.

One of the fake job postings created as part of the campaign posed as a US airline hiring a “senior software engineer” and appeared to have been generated using artificial intelligence, according to Unit 42. The listing used familiar corporate language, including references to “collaborating with cross-functional teams to deliver innovative platforms.”

The Israel Defence Forces claimed in March to have struck a compound housing Iran’s “Cyber Warfare headquarters”, though it remains unclear whether any operatives were killed.

Researchers said that while some parts of Iran’s cyber infrastructure appeared to have been disrupted during the war, other teams continued operating at a high pace.

The Iranian group identified by Unit 42 had shown “no signs of slowing down” despite the conflict and continued “to orchestrate sustained, adaptive global cyber campaigns”, the researchers said.