Iranian hackers embedding themselves in the global cybercrime ecosystem

Iranian government-linked cyber actors have enhanced engagement with the global cyber crime ecosystem to improve their operational capabilities and complicate attribution, cyber security company Check Point said.

The cyber security company said in an analysis published Tuesday that Iranian state-sponsored cyber actors, notorious for targeting Israeli and western entities with cyber attacks for espionage or to cause disruption, are increasingly associating with the worldwide cyber criminal ecosystem rather than merely using hacktivist and criminal personas to mask their identity.

The increasing engagement with the wider community helps Iranian hackers, prominently those associated with the Iranian government’s Ministry of Intelligence and Security, expand operational reach and enhance technical capability.

Check Point said the increasing engagement mirrors the Iranian government’s decades-long kinetic operations where it engaged with external criminal networks to conduct surveillance, kidnappings, shootings, and assassinations, thereby increasing its reach, effectiveness and deniability.

The firm said the same logic is now being applied in the cyber domain. "The emphasis is not only on imitating cyber criminal behaviour, but on associating with the cyber criminal ecosystem itself: drawing on its infrastructure, access brokers, marketplaces, and affiliate-style relationships," it said.

Check Point cited the use of Rhadamanthys, a commercial infostealer deployed by an Iranian hacker group operating under the pseudonym Handala in attacks on Israeli entities. Rhadamanthys is a popular cyber crime tool due to its complex architecture, active development, and frequent updates, and Handala paired it with its custom wiper malware to increase the effectiveness of its attacks.

Another Iranian hacker group, MuddyWater, which according to U.S. authorities acts on the instructions of the Iranian government’s Ministry of Intelligence and Security, has also begun linking its operations to several clusters of cyber crime activity. The new tactic has led to misattribution and flawed pivoting by analysts, helping the group mask its true aims and purposes.

MuddyWater is among the principal Iranian cyber crime groups and routinely targets government and private-sector organisations across the telecommunications, defence, and energy sectors in support of Iranian intelligence objectives. Over the years, cyber security researchers and governments have attributed multiple cyber espionage and malicious operations in the Middle East to the group.

"For some Iranian actors, cyber crime is no longer just a cover for state-directed activity," Check Point said. "The pattern is not limited to the appearance of criminal behaviour, but includes the use of criminal malware, ransomware branding, and affiliate-style ecosystems in support of strategic objectives. This reflects a clear shift from simply imitating cyber criminals to actively leveraging the cyber crime ecosystem.

"This shift matters because it delivers clear operational benefits. For MOIS-linked actors in particular, engagement with criminal tools and services enhances capabilities while complicating attribution and fueling confusion around Iranian activity. Taken together, the cases discussed here show that cyber crime has become not just camouflage, but a practical operational resource."

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543