1 February 2018

Hezbollah Goes on the Cyber Offensive with Iran’s Help


LEVI MAXEY 

Bottom Line: Maturing under Tehran’s tutelage, Hezbollah’s hackers are quickly learning the art of cyber warfare. The formidable militant organization is increasingly turning its attention to the digital realm to engage in espionage, psychological operations, disruption of critical services and criminal activity to fund its activities on the ground.

Background: Established in 1982 during the Lebanese civil war, Hezbollah is a Shia militant group currently holding 12 seats in Lebanon’s parliament. The group has long been ideologically and logistically supported by Iran’s Islamic Revolutionary Guards Corps (IRGC), particularly the expeditionary Quds Force, which has enabled the group to become one of the more established U.S.-designated terrorist organizations in the world. 
While the group was founded to asymmetrically harass Israel following Israeli incursions into south Lebanon in the 1980s, Hezbollah has grown its military and clandestine operations significantly in recent years. The group has also expanded its mandate beyond Lebanon, with a history of sending operatives to Bosnia, Iraq, Syria, Yemen and beyond. 
Led by Hassan Nasrallah, Hezbollah is reported to have some 50,000 fighters including reservists, as well as an arsenal of between 100,000 and 150,000 short- to long-range rockets and missiles at its disposal. 

Hezbollah, meaning “Party of God,” was an early adopter of innovative media strategies. Through its TV channel, Al Manar, Hezbollah has been able to spread its narrative, including highlighting its humanitarian development initiatives in south Lebanon following the 2006 war with Israel. 

Funding for the group reportedly comes from several avenues. The group claims to receive its financial support through a sympathetic Lebanese diaspora stretching from West Africa and Latin America to the United States and Europe. The Iranian state, namely through the IRGC, has provided millions in financing to the group, as well as shipments of arms throughout Syria and operational training. Hezbollah has allegedly also been involved in the mineral trade in Central Africa, drug trafficking spanning Latin America and Africa, and weapons smuggling around the world. 

Issue: Hezbollah has proactively sought to develop its cyber capabilities, expanding its potential disruptive and influential reach into the digital sphere. While the group has long used the internet to disseminate recruitment messaging, propaganda, and operational know-how, it also has begun leveraging it as an attack vector to gain valuable intelligence, undermine the reputation of opponents and hold its adversaries, especially Israel, at risk.

“Hezbollah has used some rudimentary techniques, like sending SMS messages to Israelis, but planting misinformation given some of their previous traditional/non-traditional media savvy shouldn’t be surprising. They have several units involved in psychological warfare and they have a very clear strategy for their propaganda. Further, it is believed that they hijacked several Western IP addresses to project and amplify their message.”

Michael Eisenstadt, Director of Military and Security Studies, Washington Institute for Near East Policy

“Given the importance that Hezbollah attaches to information operations – after all, the May 2000 Israeli withdrawal from Lebanon was brought about in part as a result of a sophisticated psychological warfare campaign that undermined Israeli morale – it would not be surprising if Hezbollah were to engage in cyber-enabled information operations against Israel and other enemies, to gather information or disseminate psychological warfare products.” 

Learning from their Iranian counterparts, Hezbollah’s hackers have attacked Israeli government websites – including their military and foreign ministry sites – with distributed denial of service (DDoS) attacks, seeking to knock them offline during moments of crisis. 

Hezbollah’s hacking operatives conduct psychological operations while working behind the pseudonyms of hacktivist collectives, including Anonymous-affiliated branches. In May 2013, the “Syrian Electronic Army” – thought to be hackers from the Assad regime working alongside Iranian and Hezbollah hackers – targeted Israeli critical infrastructure in retaliation for an airstrike conducted by Israel against Hezbollah militants in Syria. Under the moniker “Islamic Cyber Resistance,” hackers retaliated for the December 2013 assassination of Hezbollah commander Hassan Laqiss by leaking documents and sensitive information related to the Saudi military, the Binladin Group, and the Israel Defense Forces (IDF). Just as Russia creates plausible deniability for its cyber-enabled psychological operations through hacktivist fronts – such as Guccifer 2.0, CyberBerkut or the Cyber Caliphate – Hezbollah appears to conduct its influence operations behind the veil of hacktivist pseudonyms. 

Iranian support for its proxy Hezbollah in the cyber domain not only appears to amplify Hezbollah’s cyber-enabled influence operations through the state-run Fars News Agency, but also extends to the direct training of Hezbollah cyber operators. Since September 2010, Iran has hosted Hezbollah officials at “Cyber Hezbollah” conferences, which reportedly included the attendance of Hassan Abbasi, a political strategist and IRGC advisor, according to the European Foundation for Democracy. 

According to a recent report by the Carnegie Endowment for International Peace, Hezbollah – operating from separate attack infrastructure – has leveraged malware common to the Iranian state-sponsored hacking group known as Magic Kitten, which is reported to have engaged in broad-reaching espionage across the Middle East and Europe. Shared tooling on distinct infrastructure suggests not only intelligence sharing between Hezbollah and Iranian hackers, but also the direct transfer of cyber capabilities. 

It is also possible that Hezbollah’s hackers piggyback off of Iranian cyber operations, using the access provided by Iran’s hacking to probe the networks themselves. Close cooperation between Hezbollah’s hackers and the Iranian state-sponsored company ITSec Team – which has had employees both indicted and sanctioned by the U.S. for their involvement in the DDoS attacks on U.S. banks between December 2011 and December 2012 – suggests such joint operations take place. 

At the same time, Hezbollah has been known to develop and maintain its own hacking toolsets. A 2015 report from the Israeli cybersecurity firm Check Point laid out a Lebanon-based politically motivated cyber espionage campaign targeting institutions in Israel, Lebanon, Saudi Arabia and beyond since late 2012. Dubbed “Volatile Cedar,” the subtle and targeted espionage campaign used a custom malware implant called Explosive, which is thought to be the work of Hezbollah’s hackers. It is possible that Iran might be unwilling to provide their entire toolkit of hacking capabilities to Hezbollah – either for operational security reasons or to maintain the ability to monitor their proxy without being detected – perhaps forcing Hezbollah to create its own custom malware. 

“Hezbollah has conducted sporadic cyber attacks on Israeli critical infrastructure during periods of tension, such as the Israel-Hamas war in summer 2014. These attacks were apparently intended to harass and send a warning to Israel; indeed, none of these attacks disrupted or damaged Israeli critical infrastructure or government operations. Iran appears to be building up Hezbollah’s cyber capabilities to employ the group as a cyberspace proxy, just as it has often used it as a terrorist and irregular warfare proxy in the physical domain, and it has shared cyber tools and know-how with Hezbollah within several years of their introduction in the Islamic Republic.”

“Hezbollah forces train in Iran, and Iranians – even before the war in Syria – regularly trained and even set out Hezbollah’s strategy in many areas, including cyber. Iran has invested heavily in its cyber capabilities and the IRGC even boasted that Tehran’s cyber defense forces number over 100,000. While some exaggeration may be inherent in the Iranian claims, the cyber buildup by Iran has also led to its support for its proxies, like Hezbollah, in the cyber realm. There were reports in 2015 that ‘Volatile Cedar’ was a malware campaign linked to Hezbollah, although it had an espionage objective – not necessarily destructive.”

Response: While the sophistication of Hezbollah’s hacking capabilities continues to grow, the group does not present as much of a disruptive cyber threat to its adversaries – namely Israel – as a nation-state such as Iran does. At the same time, Israel and others will likely see a growing presence of Hezbollah operating in cyberspace and may take further steps to stem their activity. 

In September 2017, the IDF conducted a 10-day military exercise exploring various scenarios of a potential Hezbollah offensive against the country. While many involved kinetic attacks, the drill also included bolstering Israeli resilience to cyber disruption of military communications and to the cyber theft of highly classified intelligence. The Israeli government appears to be planning for how to mitigate the impact of an eventual Hezbollah breach and continue to operate in a contested communications space. 

“There’s obviously a lot we don’t know about clandestine or covert activities by these states. Israel and the U.S. have robust cyber defense capabilities, and the Gulf States are building theirs. The Israelis and the Gulf States are extremely concerned about Iranian capabilities and view Hezbollah as their cyber proxy — to be confronted and potentially neutralized.”

Anticipation: Cyber capabilities present a new tool that expands Hezbollah’s already established strategy. As such, it is likely that the militant group will continue to conduct clandestine intelligence collection through cyberspace against its opponents, including political rivals within and outside of Lebanon. Perhaps more notable, however, will be Hezbollah’s growing capacity to disrupt critical infrastructure and its propensity for cybercrime.

“Cyber operations could figure prominently in a future Hezbollah-Israel war. Like most modern states, Israel’s critical infrastructure and military is heavily reliant on information technology in almost everything they do. Hezbollah is almost certainly examining the use of cyber to disrupt Israeli rocket and missile defenses, unmanned aerial and naval systems, and critical infrastructure. Given that Israel will likely strike elements of the Lebanese infrastructure that facilitate Hezbollah military operations such as roads, power grids and communications, Hezbollah will likely try to respond in kind both in the physical and cyber domains.” 

Given the group’s reliance on illicit funds – and its proclivity for engaging in transnational organized crime – it is likely Hezbollah’s hackers will turn to cybercrime as a source of revenue. Recent incidents such as the WannaCry ransomware outbreak and the public release of military-grade hacking tools by the Shadow Brokers – as well as the numerous other toolsets available on the darknet – may drive Hezbollah to engage in broad-spectrum ransomware campaigns that both disrupt its adversaries and generate additional revenue streams. 

“Hezbollah has become another cyber actor in a crowded region — a potential disruptor and a criminal force. They can support Iranian operations against Israel and the Gulf states in that way and they can build their capabilities by participating or observing Iranian probing of critical infrastructure and other vulnerable areas. Dismissing Hezbollah’s cyber potential is not advisable. Given that cyber tools are so readily available, we must assume that Hezbollah is availing itself of them and being “mentored” by Iran. Israel is obviously a key target, but I would also note that Hezbollah needs capital — and they have used all forms of crime to raise funds. I assume that they will adapt cyber capabilities to conduct criminal activities – including ransomware. We are not seeing a lot of public attribution of Hezbollah’s cyber crime, but we should not dismiss the possibility.”
