As strikes hit Tehran on Saturday morning, millions of Iranians got a strange push notification on their phones. The BadeSaba Calendar prayer app, which has more than 5 million downloads, had been compromised, and the app issued alerts saying, “Help has arrived!” and called for a “People’s Army” to defend their “Iranian brothers,” according to an assessment from cyber intel firm Flashpoint. On Sunday, the app sent with surrender instructions for rank-and-file members of the Islamic Revolutionary Guard and safe locations for protesters to gather.
Then regime loyalists quickly struck back.
According to Flashpoint, what followed on Sunday was the “most aggressive” use so far of what’s known as Iran’s “Great Epic” cyber campaign, which is a loosely coordinated group of cyber operatives under a channel called the “Cyber Islamic Resistance.” Under the group’s umbrella, various cyber attackers have shut down gas stations in Jordan, and led attacks against U.S. and Israeli military providers to destroy data as well as conduct psychological operations mimicking the BadeSaba hack.
The next 48 hours are likely to be a period of “extreme volatility” where hacktivists and proxies “take the lead in escalation to fill the vacuum left by Tehran’s central command,” Flashpoint noted in an update. These actors are allegedly using Telegram and Reddit as a coordination hub, posting screenshots of alleged attacks as proof, although it takes weeks and sometimes months to verify accuracy, said Kathryn Raines, a former NSA expert who is now a threat intel team lead at Flashpoint.
The BadeSaba hack demonstrates the template that Iranian proxy groups could now try to deploy in reverse against Western companies and others. Plus, with Iranian leadership effectively decimated by Saturday’s strikes, the command structure that oversaw Tehran’s cyber operations is essentially gone, said Raines.
“The Iranian leadership vacuum is likely going to lead to more unpredictable, decentralized proxy attacks,” she told Fortune.
In practice, that means aligned hacktivists and proxy groups are making their own targeting decisions, without approval from central authorities. So if a highly aggressive group decides to hit a mid-sized logistics firm because to make a statement, the risk cascades beyond Tehran, Washington, D.C., or New York, said Raines.
“It’s in the hands of a 19-year-old hacker in a Telegram room with really no oversight or direction,” she warned.
Accordingly, U.S. business leaders need to be prepared for continued uncertainty, said Brian Carbaugh, co-founder and CEO of AI-based security firm Andesite and former director of the CIA’s elite Special Activities Center (SAC). Iranians have consistently shown over the years that they are incredibly resilient as a government and resistance force. And given that the regime is bombarding its neighbors, people should expect Iran to continue unleashing their formidable offensive cyber capabilities in addition to other aspects of national power like their missiles and armed proxies around the world, he said.
“Aggressive and creative resistance is baked into the ethos of the Iranian security apparatus and across the Islamic Republic of Iran,” said Carbaugh, who previously served as chief of staff to two CIA directors. “For business leaders and those protecting businesses and making decisions at a very high level, they need to be prepared for this to continue on for some time and for the conflict to take a number of different courses of direction and swerve around the road.”
As U.S. and Israeli attacks degrade Iran’s conventional military capabilities, cyber attacks appear more attractive, said Carbaugh. It’s low-cost to deploy, difficult to attribute, and extremely capable of creating outsized psychological and operational disruption relative to the investment required. Iran has shown that it is capable of emulating and building on cyber attack methods first shown by Russia, for example.
“The Islamic Republic has always had great pride in cyber capabilities within the security services,” said Carbaugh. That pride isn’t likely to evaporate with the loss of senior leadership, and may intensify as other options narrow.
According to Raines, most corporate security plans aren’t ready for attacks like the BadeSaba hack, which pushed a notification to potentially millions of Muslims in Iran who use the app to track daily religious schedules at the moment the strikes were starting.
“Companies aren’t really prepared for what I’ll call nihilistic psychological operations that are really meant to target the mental state and trust of their workforce,” she explained, contrasting them with attacks designed to steal data and disable systems.
It could manifest in businesses like this: Staff in the Gulf region start getting what appear to be urgent messages, perhaps deepfake audio attributed to their regional leader or CEO, or communications purportedly from the company on evacuations. But with local news offline and scant internet service, people will have very little ability to fact check anything.
Few companies have plans in place for what employees’ reality will be in the hours that follow, while risk modeling is often based on state behavior and assumed “red lines” that prevent total war, Raines noted.
For boards and C-suites convening this upcoming week, key questions for security leaders will have to do with the maximum amount of time business functions can be offline before it hits revenue and reputation, she predicted.
“We’re less interested in the block rate, and more interested in recovery time,” said Raines.
Carbaugh said if he were on a board call this week, he would want to know if the business was at an elevated level of risk based on what’s happening in Iran. If the answer is yes, he would want to know what’s being done to mitigate. If the answer is no, he would ask even more questions.
Leaders should find out what steps have been taken to ensure businesses aren’t at risk, figure out how companies have engaged with partners and others to find out how they’re detecting attacks, and how AI is currently being used in doing so, Carbaugh said.
He reiterated that this isn’t a crisis with a near-term resolution, and it translates into cyber risk that won’t immediately dissipate.
“This conflict could take many twists and turns and move in a lot of different directions,” said Carbaugh. “I don’t think this is going to be one we’re going to tidily wrap up and move on from in a few days. This will require constant vigilance and protection of our cyber networks, physical security, and all other assets.”
