Successful War Leaves Iran With One Option, Cyber
Aside from one disruptive attack, Iran's cyber retaliation against U.S. and Israeli strikes has been largely missing in action. But there are reasons to believe in the longer term the war will result in an enduring increase in Iran's capacity and appetite for cyber mayhem.
Last week the Iranian state-backed group Handala did claim responsibility for a wiper attack on Michigan-based medical device manufacturer Stryker, and said the attack was partly in retaliation for the U.S. bombing of an all-girls school in Iran. In recent days Handala and a range of other pro-Iranian groups have also claimed a series of hacks targeting Israeli or Middle Eastern organizations.
Although the Stryker attack looks like it is causing serious disruption at the target company itself, damage confined to a single organization won't worry senior U.S. policymakers.
In the short term at least, it looks like Iran's full hacking capability is being suppressed by deliberate military action. Most recently, Seyed Yahya Hosseiny Panjaki, a deputy minister at Iran's Ministry of Intelligence and Security (MOIS), which controls hacking groups including Handala, was killed in strikes. It was reported last week that another Iranian man wanted by the FBI for alleged hacking crimes, Mohammad Mehdi Farhadi Ramin, was also killed. The Islamic Revolutionary Guard Corps (IRGC) cyberwarfare headquarters was also struck early this month.
In addition to the disruption and chaos caused by the war, internet access in Iran has been blocked by the regime. That's not a total show-stopper. Handala migrated to Starlink during Iran's January shutdown, but suffice it to say that life is not easy for Iran's state-backed hackers. It's difficult to see how they could really ramp up destructive attacks against the West anytime soon.
That's the good news, but only in the short term.
America's stated goals in this war are, per the White House, to "obliterate Iran's ballistic missile arsenal and production capacity, annihilate its navy, sever its support for terrorist proxies, and ensure the world's leading state sponsor of terrorism will never acquire a nuclear weapon."
Even if these goals are entirely met, barring regime change, we expect that Iran's leaders will still want to project power overseas and will reach for whatever tools they still have.
Unlike nuclear weapons programs, or ballistic missiles, cyber forces don't require significant industrial capacity and vulnerable supply chains. This makes them far more resilient to conventional attacks. Sure, you can disrupt hacking operations for a short while with bombs, but it is hard to completely destroy capacity without somehow killing all of Iran's hackers. Cyber forces are the cockroaches of state power.
They're not just a tool of last resort, though. Investing in cyber capabilities makes sense for Iran.
It's relatively cheap to build and maintain cyber forces. Compared to reconstituting nuclear facilities, missiles, or even conventional military forces, hackers are cheap, cheap, cheap. That would be attractive for a likely cash-strapped postwar Iran.
There is even a formula for Iran to follow. North Korea has proved it is possible for even the poorest of countries to develop formidable hacking capabilities relatively quickly, if there's political will.
Importantly, cyber operations can also be used to strike globally, allowing Iran to hit American or Israeli organizations on their home turf. Another plus to add to the list.
Granted, cyber operations have limited effects compared to conventional military action. Even the most destructive attacks cause mischief and mayhem rather than raining death from above.
In the context of a postwar Iran, however, that could be seen as a feature rather than a bug. Cyber operations could provide quick wins with less risk of being bombed in retaliation. Of course, we don't expect that Iran will invest in its cyber capabilities to the exclusion of other options.
As headlines from the Iran war fade, the risk of damaging Iranian cyberattacks will rise.
Good Riddance to Instagram's End-to-End Encryption
Last week Meta quietly announced that it will remove the ability to send end-to-end encrypted (E2EE) direct messages on Instagram in early May. This steps back from a commitment to roll out E2EE messages on Messenger and Instagram by default, but we are fine with it. There is a time and a place for E2EE direct messages, and when it comes to social networks, we believe the downsides outweigh the benefits.
Meta told journalists it decided to remove the feature because "very few people were opting in to end-to-end encrypted messaging in DMs." That messaging is more than a bit self-serving. E2EE chats were not exactly easy to start, and platforms will often opt users into new defaults when it serves their interests. If Meta had wanted greater adoption, it could have driven it.
Predictably, some advocates are arguing that Meta should keep the feature, but even within the company there were genuine concerns about the implications of providing E2EE messaging across its services. This February, Reuters reported that executives had a range of concerns back in 2019, when CEO Mark Zuckerberg announced an initiative to roll out E2EE messaging to Meta's products. Monika Bickert, Meta's head of content policy at the time, wrote in an internal chat that "we are about to do a bad thing as a company. This is so irresponsible."
An internal Meta briefing document from 2019 estimated that if Messenger had been encrypted, the company would have been "unable to provide data proactively to law enforcement in 600 child exploitation cases, 1,454 sextortion cases, 152 terrorist cases [and] 9 threatened school shootings."
The same document estimated that Meta's reporting of child nudity and sexual exploitation imagery to the U.S. National Center for Missing and Exploited Children would have fallen from 18.4 million reports to 6.4 million.
The key problem here is that bad people do bad things on social networks. Vulnerable people are harmed. E2EE makes it more difficult for platforms to mitigate those harms, especially when it comes to scanning messages or forwarding them to appropriate authorities.
Attaching E2EE directly to a social network is particularly concerning because, as Meta's Global Head of Safety Antigone Davis acknowledged in a 2019 email, Facebook "allows pedophiles to find each other and kids via social graph with easy transition to Messenger." In other words, connecting a social network with E2EE messaging makes it easy for predators to find targets and directly initiate messages that are impenetrable to platforms.
It makes sense to keep E2EE messaging separate from social networks and apps that appeal to children and teens. Meta's not alone here. Just this month, TikTok told the BBC it would not be introducing E2EE messaging because of safety concerns. The company said the technology would prevent police and safety teams from viewing messages.
Different apps present different safety and privacy concerns. E2EE messaging is great when you want to place a premium on privacy, but it doesn't need to be incorporated into every single app or service.
That's what Signal is for, after all.
Everyone Has President Trump's Phone Number
Over the years, we've written about the smartphone dilemma: Politicians must use them, but they are a horrendous security risk.
It is interesting to see that President Trump is employing a counterintuitive strategy. Rather than keeping his personal phone number private and limiting calls, Trump is doing the exact opposite. His phone number is an open secret in Washington and is traded among journalists. Even worse, he answers without screening calls. As a result, he has done more than 30 telephone interviews in the weeks since the start of the Iran war.
The one weird counterintelligence trick that mitigates foreign eavesdropping, however, is that Trump's calls have absolutely no intelligence value. Per Semafor:
In a series of nine phone interviews about the war in Iran, Trump gave nine different, vague answers that offered little insight about when the White House may actually end the war. On Feb. 28, he said the war could be over in two or three days. A day later, he told ABC that it would actually be four or five weeks, most likely. On March 2, he told Jake Tapper that the US was "a little ahead of schedule" of its 4 week window. But two days later, he told Time magazine it had "no time limits."
We wonder if he's employing that same strategy in calls to friends and associates.
We can imagine the Chinese intelligence reports: "The President stated the U.S. has won the war and it will end some time between next Tuesday and never."
Three Reasons to Be Cheerful This Week:
- Grants for open-source security: The Linux Foundation has announced $12.5 million in grants "to strengthen the security of the open source software ecosystem." The announcement is a bit vague on what the grants will be used for, although it does mention bringing "maintainer-centric AI security assistance."
- Meta fights scammers: Last week, Meta said it removed 159 million scam ads and took down nearly 11 million Facebook accounts in 2025, in its fight against scammers. It also introduced new tools on Facebook, Messenger, and WhatsApp to help protect against scams. That's all good, but we think the news should be placed in context next to a Reuters report from last year alleging that Meta was making bank from scam ads. Bad press and the threat of regulation drives investments in safety and security.
- Ransomware is shifting focus to data extortion: A new Google Threat Intelligence report indicates that ransomware actors are increasingly focusing on data extortion rather than using malware that encrypts systems to lock them up. Google's head of cybercrime intelligence, Genevieve Stark, told CyberScoop that some very effective cybercrime groups including Scattered Spider and ShinyHunters are "almost all just focusing on data-theft extortion right now."
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq discuss how bombing Iran changes incentives for Iranian hacker groups. Destroying other ways that Iran might project power could force it to double down on cyber capabilities.
From Risky Bulletin:
EU finally imposes more cyber sanctions: The European Union on Monday imposed sanctions on three hacking groups and two individuals for cyberattacks on its member states.
Sanctions were imposed on Iranian cyber contractor Emennet Pasargad for its hack of French satirical magazine Charlie Hebdo, the 2024 Paris Olympic Games, and a Swedish SMS service.
This is the same group that also meddled in the 2020 U.S. presidential election and was later sanctioned three times by the U.S. as well, in 2021 and in September and December 2024.
Emennet works under Iran's IRGC and has carried out both stunt-hacks and influence operations.
In addition, the EU imposed sanctions on two Chinese cyber contractors.
Meta disrupts Mexican cartels: Meta's security team suspended thousands of accounts last year that were tied to Mexican and other Latin American drug cartels.
The Facebook and Instagram accounts were used to recruit youth for drug trafficking and drug dealing, to advertise drugs, and to organize violence and extortion operations.
Meta says it used AI to detect the coded language typically used by cartels and also to identify photos of drugs posted on its platforms. Human reviewers also confirmed the findings before accounts were removed.
Another residential proxy provider falls as authorities continue crackdowns: American and European law enforcement agencies have seized the infrastructure of a residential proxy provider named SocksEscort, the latest in a series of crackdowns against proxy providers in recent years.
The service had been running since 2021 and rented access to more than 369,000 different IP addresses across its lifetime.
According to the FBI, Europol, and Dutch Police, SocksEscort was a front for a malware operation that infected modems and home routers. Lumen's Black Lotus Labs linked it to a botnet it discovered in 2023, named AVRecon.
