The April 2019 Israeli elections between incumbent Prime Minister Benjamin Netanyahu and his competitor Benny Gantz were fraught with tension even before external entities got involved. But when Israel’s internal security service, Shin Bet, revealed that suspected Iranian cyber actors had accessed Gantz’s mobile phone, there was yet another issue to contend with, albeit one not specific only to Israeli elections: interference.

Israeli officials tried to downplay the potential mobile phone exploitation that accessed Gantz’s personal information and contacts, saying it happened several years earlier, and questioning the validity of publishing the information so long after the fact. Shin Bet made no further comments on the situation, and Iran never publicly claimed responsibility.

However, this technique of accessing personal devices or information of political officials and remaining dormant in said systems or devices to collect and exfiltrate as much personally identifiable information (PII) and personal contact history as possible is very much in line with the known tactics, techniques, and procedures (TTPs) of Iranian cyber threat actors. Kompromat, or the idea that compromising material can be used by any foreign and potentially hostile government at any time, knows no time limit or boundary. Some Iranian collectives are known to work slowly, gaining system access and remaining dormant for months or even years as they collect and exfiltrate any and all relevant information. Furthermore, as ardent adversaries, Iran and Israel have been engaged in a silent cyber war for years, which complements their physical proxy battles in places like Syria.

It’s no surprise that Iran might try to interfere in an Israeli election. Tehran continuously works to establish itself as the dominant power in the Middle East and employs cyber attacks against its regional rivals (specifically Israel and Saudi Arabia). Its burgeoning cyber program enables it to act maliciously against its adversaries while maintaining plausible deniability due to obfuscation and pseudo-anonymous technologies.

Iran’s “Kitten” hacking collective (Charming, Helix, Rocket, Refined, and others) is also known as an Advanced Persistent Threat group (APT33, 34, 35, and 39). The various names are how cybersecurity researchers attempt to organize the many groups of hackers that emanate from a specific region. The nickname “Kitten” was given to Iranian groups, while Chinese hacker collectives are known as “Pandas” and Russian ones as “Bears.” Extensive research of the “Kitten” collective has made clear how Iranian hackers use spear-phishing and social engineering on social media platforms like LinkedIn, Facebook, and Twitter to establish trust with an intended victim, build a digital rapport, and then after some time, deliver a final malware-infected document or news story link. This last step depends on the intended victim’s willingness to accept what they think is an innocent piece of information, which usually harvests their credentials and defeats two- or multi-factor authentication that they have set up. This human element is what the cyber actors depend on for the success of their campaign. For Iran, it has proven successful time and again.

Since the 2016 U.S. presidential elections, the fear of interference in global electoral processes has only grown. With campaigning for the 2020 U.S. presidential elections in full swing, in addition to Iran’s proven history of targeting political figures and campaigns, concerns are mounting as November 2020 approaches. This is especially true in light of reports that Iran was already attempting to access the Trump campaign’s email accounts as early as October 2019. While it was unsuccessful, there is a clear need for caution following the incident.

Additionally, the presence of Iranian wiper malware has increased throughout late 2019 and into 2020. This could indicate preparation for destructive cyber incidents coupled with spear-phishing and social engineering, a combination that Iran has employed against political campaigns and associated individuals in the past. The Iranian-developed data-wiping Shamoon malware has been around since 2012, and was last used in 2019. Zerocleare, another malware that completely wipes the data of its victims, debuted in fall 2019. Dustman, the third data-wiping malware attributed to Iran, followed suit in December 2019. All of the malware families share common threads, as they wipe data and cause harm to organizations. The similarities do not indicate a dramatic difference in capability, but do demonstrate an evolving and continuous threat.

Iran’s social engineering, spear-phishing, and malware efforts — as well as its successes — prove that its cyber program is sophisticated and capable of delivering harmful malware while stealing important personal information. As the U.S. 2020 elections approach, proper cybersecurity hygiene must be implemented at every level of every organization that has a vested interest in election security and integrity. Since 2016, Iran has had four years to learn from other entities, such as Russia, while testing and improving its own efforts that could compromise elections. Iran’s efforts are a serious threat, and must be treated as such. 


Steph Shample is a Non-Resident Scholar with the Middle East Institute's Cyber Program and a senior analyst at Flashpoint. The views expressed in this article are her own.

Photo by Amir Levy/Getty Images

The Middle East Institute (MEI) is an independent, non-partisan, non-for-profit, educational organization. It does not engage in advocacy and its scholars’ opinions are their own. MEI welcomes financial donations, but retains sole editorial control over its work and its publications reflect only the authors’ views. For a listing of MEI donors, please click here.