Iran’s 2024 Legislative Election: Assessing the Cyber Threat Landscape

Today (1st March 2024), voters are preparing to elect representatives for the Majlis and the Assembly of Experts institutions in the 2024 Iranian Legislative Election. Given the current unstable political climate within Iran and an anticipated record low attendance, it is predicted that this event may prompt Iran-aligned hacktivists to launch Distributed denial-of-service (DDoS) operations to propagate in a bid to spread sentiments in support of Tehran.

In the run up to this election we’ve observed three primary trends. First, hacktivism has emerged as a staple within the context of ongoing geopolitical tensions, with threat actors applying disruptive efforts to influence perceptions without intending serious harm. Second, the surge in hacktivist operations targets nations based on their geopolitical stance and support for regions such as Israel, resulting in a complex digital battleground. Lastly, through a study of these attacks has revealed a detailed landscape of “proportionate” and “disproportionate” hacktivist targeting correlating with support for Israeli, indicating the strategic motivations behind cyber campaigns.

Recent Developments

The lead-up to the election, the Iranian parliament’s voting system has already been targeted by a cyber-attack. This incident, which caused the voting mechanism to malfunction on the 13th February 2024, has been claimed by the hacktivist collective ‘Uprising till Overthrow’. This threat actor group is believed to be affiliated with the Albania-based Iranian opposition group ‘Mujahideen-e Khalq (MEK)’.

This attacked followed two recent cyber events involving the Iranian state-aligned Psychological Operations Group, ‘Homeland Justice’. The grouped targeted the Albanian Government assets and the Albania’s Institute of Statistics (INSTAT), which are presumed to be a response to the presence of Iranian dissident group in the Albanian city of Manza.

Hacktivist Threat Landscape

The hacktivism landscape has developed dramatically in recent times, becoming more intense with recent geopolitical conflicts, such as the ongoing Israel-Hamas war. As the conflict has progressed, a notable development has emerged within the hacktivist threat landscape with Iranian state-backed APT (Advanced persistent threat) units beginning to masquerade as hacktivist threat actors. They have claimed responsibility for attacks against Israeli CNI and air defence systems, including the “Iron Dome”, thereby blurring the lines between cyber activism and cyberterrorism.

Due to the fact that these hacktivist threat actors have emerged, in alignment with the Hamas invasion and without a track record, it is likely this expanded profile has been adopted to convince the public that their attacks are inspired by grassroots movements, intending to boost the morale of their national supporters.

Impacted Sectors

Cyberspace will almost certainly continue to exist as a second front for the ongoing Middle East conflict. The 1st of March elections will likely witness Iran-aligned hacktivists targeting high-profile entities. These targets may include government websites, media outlets, transport hubs and energy infrastructure within Israel and its supporting states, such as the U.K and the U.S.

The pro-Palestinian hacktivist persona, ‘Anonymous Sudan’ deserves particular attention, as it has emerged as a substantial threat to the sectors mentioned above. The group’s offensive efforts, involving their modus operandi of DDoS attacks, are expected to launch with greater volume than usual on the 1st March. The objective of these attacks is to propagate sentiment in solidarity with Tehran.

Mitigation Strategies

It is strongly recommended that both public and private sector businesses implement the following mitigation strategies to enhance their security posture against disruptive hacktivist efforts:

· DDoS Mitigation: Apply DDoS mitigation solutions to combat sudden network traffic surges. These can include load balancing, traffic filtering, and content delivery networks to ensure that company services remain accessible during attacks.

· Attack Surface Management: Update and secure company assets, particularly websites which, are primary targets for web defacement and DDoS attacks. Implement strong authentication protocols, such as multi-factor authentication (MFA), and monitor internet-facing assets for unauthorised access.

· Data Protection: Safeguard sensitive data with encryption, access controls, and regular security audits.

· Employee Training: Train employees to detect markers of social engineering tactics to raise awareness and reduce the risk of hacktivist efforts.

Outlook

Hacktivist operations are anticipated to continue to surge in 2024, in line with key issues such as the ongoing Middle East conflict. Is it likely that nation states will attempt to leverage these campaigns, as they provide plausible deniability and the potential for disruption. Furthermore, the resurgence of DDoS-for-hire services is expected to enhance hacktivist efforts in 2024 as access to more powerful tooling becomes more readily available.

In addition, Tehran-aligned Influence Operations (IO) are likely be launched to stabilise the political climate within Iran, as calls for change may occur following the economic restrictions in place after the ‘Transition Day’ of the JCPOA.

For further details, you can refer to the Quorum Cyber Threat Intelligence Outlook 2024 report, which provides a comprehensive breakdown on which offensive cyber operations will likely coincide with numerous major global events scheduled for 2024, such as presidential and national elections, as well as the Olympic Games in Paris.

 

To find out more regarding the international ramifications of Middle East-centred cyber aggression, you can now sign up to our upcoming (Quorum Cyber Global Cyber Threat Series: Middle East webinar) where we will provide in-depth threat intelligence assessments focusing on the critical topics, including:

• · A chronological examination of geopolitical and cyber incidents following the initial invasion of Israel by on 7th October 2023.
• · An exploration of patterns in Iran-aligned cyber operations, encompassing destructive cyber-attacks, influence operations (IO), and hacktivist campaigns targeting western and regional assets.
• · A detailed overview of the involvement of Iranian proxy groups, colloquially known as the ‘Axis of Resistance’.
• · An analysis of the international ramifications of Middle East-centred cyber aggression across both private and public industry sectors.
• · A forecast on how the high-profile elections slated for May 2024 coincide with a surge in cyber-attacks, reflecting the ongoing Middle East conflict.