
    Iran Deploys ‘Pseudo-Ransomware,’ Revives Pay2Key Operations

    By admin, April 1, 2026

    Iran is recruiting Russian cybercriminals and engaging in other creative partnerships that blur the lines between state and criminal cyber activities to advance its geopolitical objectives in its ongoing war with the US and Israel. 

    As part of these activities, Iran has once again revived Pay2Key, an Iranian state-backed ransomware operation, by recruiting affiliates from Russian cybercriminal forums, according to a report from KELA’s Cyber Intelligence Center published this week. Iran is using Pay2Key “as a punitive arm of the Iranian state,” to attack “high-impact US targets,” according to the report.

    This strategy includes deploying “pseudo-ransomware” attacks and acting as an initial access broker (IAB) for ransomware groups to target US entities for cyber disruption and financial gain. KELA researchers explained that pseudo-ransomware attacks use encryption but are actually destructive activities typical of wiper malware.


    These recent moves are part of a larger strategy by Iran to weaponize cybercrime techniques and recruit criminal hackers to gain an advantage in the current war that began with the joint US-Israel attack on Iran on Feb. 28, according to KELA. These activities — and how they blur the lines between state and criminal activity — pose a unique threat to organizations by not only causing business disruption, but also by causing an “attribution nightmare” that poses a significant legal and operational risk, according to KELA.

    “If a company falls victim to a successful ransomware or extortion event, identifying the true threat actor is no longer just an IT problem — it is a critical compliance issue,” according to the report. Indeed, victims risk sanctions violations and severe legal and financial penalties if ransom payments inadvertently go to state-linked entities, such as those under sanctions by the US Treasury’s Office of Foreign Assets Control (OFAC).

    Old and New Cyberwarfare Strategies

    The resurgence in Pay2Key activity is similar to what happened last July in the wake of the 12-day conflict against Iran in June of last year, in which the US and Israel targeted and destroyed Iranian nuclear facilities. At that time, Pay2Key re-emerged to target Western organizations and offer higher payouts for attacks that met Iran’s geopolitical goals.

    Iran is engaged in similar profit-sharing now with the Pay2Key affiliates it recruits online, increasing an affiliate’s cut from 70% to 80% if they successfully execute attacks against designated “enemies” of Iran — that is, the US and Israel.


    “This bounty system perfectly illustrates the hybrid threat: Iran is effectively outsourcing geopolitical retribution to the global cybercrime talent pool, creating a powerful, scalable force multiplier for its state operations,” the KELA report stated.

    At the same time, Iran has a new cyber trick in the form of destructive smokescreens that leverage ransomware-style encryption to disguise data destruction, sabotage, or political retribution. In these attacks, the Iran-backed APT Agrius is using the Apostle malware, which has been retrofitted from its original data wiper form to function as a ransomware variant.

    “Wrapping destructive wipers in the guise of financial extortion allows actors to obscure their geopolitical motives and complicate incident response,” according to KELA.

    Blurred Offensive Lines Demand New Defense

    KELA researchers said the ongoing conflict has “fundamentally shifted the threat landscape” and led to Iran’s deliberate blurring of lines between state-sponsored cyber warfare and opportunistic cybercrime. Indeed, Iran has stepped up its cyber offensive considerably since the war began, an arena where it has more of an advantage over its adversaries than in the physical battle space.

    “The same state apparatus that sponsors purely destructive or hacktivist campaigns is deeply intertwined with the cybercriminal underground,” according to the report.


    This paradigm shift also signals a change for defenders, who now must account for financial, operational, and geopolitical risk simultaneously by implementing foundational resilience measures alongside proactive controls, KELA said in the report.

    Recommended defensive actions include some common measures such as patching and monitoring edge devices, implementing phishing-resistant MFA, and maintaining offline backups and incident response readiness.

    Organizations also should segment IT and operational technology (OT) systems as well as harden access controls to defend against an increasingly complex threat from Iranian-backed actors. Maintaining threat-intelligence monitoring also can significantly improve an organization’s visibility into adversary infrastructure and compromised credential markets, according to KELA.
