Iranian Cyber Espionage Campaign Targets Swedish SMS Service in Data Breach

The attack targeted a Swedish company that manages a mass SMS service. According to a preliminary investigation led by the Swedish Security Police (Säkerhetspolisen), the breach was orchestrated by the Iranian Islamic Revolutionary Guard Corps (IRGC).


Introduction

On September 24, 2024, Swedish authorities disclosed the outcome of a preliminary investigation into a data breach that took place on August 1, 2023 and was linked to an Iranian influence operation. The attack targeted a Swedish company that manages a mass SMS service. According to the investigation, led by the Swedish Security Police (Säkerhetspolisen), the breach was orchestrated by the Iranian Islamic Revolutionary Guard Corps (IRGC) and involved the mass dissemination of SMS messages aimed at inciting violence.

Report Overview

The Iranian group behind the attack gained unauthorized access to the SMS provider's systems. Once inside, the attackers sent approximately 15,000 text messages, many of which called for revenge against Koran burners. These messages, purportedly from a group calling itself "Anzu Team," were part of a broader disinformation and influence campaign designed to destabilize Swedish society by exacerbating religious and social tensions.

Fredrik Hallström, operational manager at the Security Police, confirmed the involvement of the IRGC, stating:

"The aim was to create the image of Sweden as an Islamophobic country and foster societal division."

This incident highlights the increasing aggressiveness of state-backed cyber operations, which leverage technological vulnerabilities to further political and ideological goals. Foreign powers like Iran have a history of using both legal and illegal methods, including cyberattacks, to influence other nations, blackmail governments, or steal sensitive information.

The breach gave the attackers control of the mass-messaging platform itself, so the messages went out through the provider's legitimate delivery path. The attackers reportedly used a combination of spear-phishing and known software exploits to get into the company's network; the published summaries from Säkerhetspolisen and the prosecutors (see References) describe the takeover of the service but not the intrusion vector, so those details should be treated as unconfirmed. Once in control, the attackers queued messages that aligned with their propaganda efforts.

The methods used in this attack are part of a growing trend where foreign powers seek to hide their involvement through proxy groups or criminal networks. This allows them to maintain plausible deniability while advancing their geopolitical interests.

Insights and Analysis

The attack's objective was to inflame tensions between different groups in Sweden, as noted by senior prosecutor Mats Ljungqvist of the National Security Unit:

"The aim was to further tighten the situation and increase the conflict that prevailed between different groups in society."

Though the investigation identified key Iranian hackers involved, prosecution or extradition efforts were deemed unlikely due to the complexities of international law, and the preliminary investigation has since been closed. However, authorities have not ruled out reopening it should further evidence come to light.

This incident underscores the need for robust cyber defences, particularly for companies managing critical communication services. Swedish authorities urge all sectors of society to reassess their cybersecurity measures in light of increasingly sophisticated state-sponsored threats.

To mitigate the risks of similar attacks, organizations should:

  • Conduct thorough vulnerability assessments, with priority on internet-facing administrative interfaces and message-sending APIs.
  • Implement multi-factor authentication for administrative and API access, and encryption for data in transit and at rest.
  • Maintain a rapid incident response plan that can detect anomalous bulk sends and contain a breach as soon as it is detected, for example by suspending sending and revoking the credentials involved.
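The following is an added example, not code from the original article or from Säkerhetspolisen's investigation. It shows how an SMS provider could catch and contain a takeover like the one described above: it parses a constructed sample of gateway send logs (a hypothetical log format, with one low-volume legitimate customer and one hijacked account blasting a single message body), flags any account whose send rate in a sliding window exceeds a burst limit, reports how uniform the message bodies in that window are, and turns the alert into first containment actions (suspend sending, revoke the API keys seen in the burst). The account names, keys, window and thresholds are illustrative assumptions.

```python
"""Added example: burst detection and first-response containment for an SMS
gateway. Log format, accounts, keys and thresholds are assumptions, not data
from the investigation described in the article."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample gateway log: one legitimate low-volume customer and one
# hijacked account that blasts a single message body within one minute.
SAMPLE_LOG = "\n".join(
    [
        '2023-08-01T02:00:11Z account=acme-shop key=k-acme-1 to=+46700000001 body="Your parcel is ready"',
        '2023-08-01T02:41:52Z account=acme-shop key=k-acme-1 to=+46700000002 body="Your parcel is ready"',
        '2023-08-01T02:55:30Z account=acme-shop key=k-acme-1 to=+46700000003 body="Appointment reminder 09:00"',
        'garbage line that a real log might contain',
    ]
    + [
        f'2023-08-01T03:10:{7 * i:02d}Z account=city-alerts key=k-city-7 '
        f'to=+467000001{i:02d} body="(incitement text omitted)"'
        for i in range(8)
    ]
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) account=(?P<account>\S+) key=(?P<key>\S+) '
    r'to=(?P<to>\S+) body="(?P<body>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_bursts(events, window=timedelta(minutes=10), burst_limit=5,
                  identical_share=0.8):
    """Return one alert per account whose busiest `window` holds at least
    `burst_limit` messages. `mass_message` is set when a single body makes
    up `identical_share` or more of that window, the signature of a blast."""
    by_account = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = (0, 0, 0)  # (count, start index, end index) of busiest window
        start = 0
        for end, e in enumerate(evs):
            # Two-pointer sliding window: advance `start` until the span fits.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, start, end = best
        if count < burst_limit:
            continue
        burst = evs[start:end + 1]
        top_body, top_n = Counter(e["body"] for e in burst).most_common(1)[0]
        alerts.append({
            "account": account,
            "window_start": burst[0]["ts"],
            "count": count,
            "identical_share": top_n / count,
            "mass_message": top_n / count >= identical_share,
            "keys": sorted({e["key"] for e in burst}),
            "sample_body": top_body,
        })
    return alerts


def containment_actions(alerts):
    """Turn mass-message alerts into the first response steps: stop the
    account from sending and revoke every API key seen in the burst."""
    actions = []
    for a in alerts:
        if not a["mass_message"]:
            continue
        actions.append(("suspend_sending", a["account"]))
        actions.extend(("revoke_key", k) for k in a["keys"])
    return actions


if __name__ == "__main__":
    found = detect_bursts(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(containment_actions(found))
```

The burst limit should be derived from each customer's own historical volume rather than a single global number, since a bulk-notification customer legitimately sends far more than a small retailer; the identical-body share is what separates a campaign blast from a busy but normal day, and the containment step is deliberately coarse (whole account, all keys seen) because a hijacked platform is exactly the case where an attacker may hold more than one credential.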

As foreign powers continue to exploit vulnerabilities to pursue their own agendas, Swedish authorities remain vigilant. As Hallström noted:

"Foreign powers exploit vulnerabilities to further their own agenda. We see that they are now acting more and more aggressively, and this is a development that is likely to escalate."

The evolving landscape of cyber warfare demands a proactive approach from both the public and private sectors to safeguard against future threats.

Indicators of Compromise (IOCs)

Indicator | Type | Description
No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
Initial Access | Phishing | T1566 | Spear-phishing of the provider's staff, as reported above (not confirmed in the published investigation summaries).
Initial Access | Exploit Public-Facing Application | T1190 | Use of known software exploits against the provider's systems, as reported above (not confirmed in the published investigation summaries).
Impact | No mapped Enterprise ATT&CK technique | n/a | Sending roughly 15,000 SMS messages through the hijacked service to create societal division and influence public sentiment; influence operations of this kind are not modelled as an Enterprise ATT&CK Impact technique.

References

Dataintrång bakom påverkanskampanj (Data breach behind influence campaign), Säkerhetspolisen
The Swedish Security Service has conducted a preliminary investigation into an aggravated data breach by a foreign power. The intrusion is assessed to be an influence campaign carried out on behalf of the Iranian regime.
Grovt dataintrång utfört av Iran (Aggravated data breach carried out by Iran)
Iran's security service has carried out a special operation against targets in Sweden. Through an aggravated data breach, hackers took over a Swedish SMS service and sent 15,000 messages calling for revenge against Koran burners. According to prosecutors, the aim was to create division in Swedish society. This is shown by a Swedish preliminary investigation that has now been closed.