By using fictitious front groups to impede attribution, the attackers turned one of the Iranian regime’s own disinformation tactics against it

On July 2, 2020, an explosion hit one of Iran’s key nuclear sites in Natanz. The blast severely damaged an aboveground workshop, where pieces of advanced centrifuges are assembled before they are transferred underground for enriching uranium for possible industrial and military uses. The incident was one in a recent series of mysterious and seemingly random blasts and fires across Iran, including strategic military sites, natural reserves, and populated urban areas. In some ways, the attack was reminiscent of past incidents that pointed to Iran as the potential culprit. This time, however, Iran had become the target. Was someone trying to send a message?

Iranian state-affiliated media initially attempted to downplay the impact of the blast, insisting that the damage was minor. However, later estimates by Iranian officials suggest that the financial damage was significant and that the incident had delayed advanced centrifuge production by several months. Nevertheless, satellite imagery and evaluations by outside experts claim a setback of one or two years. Speculations about the source of the attack have been surging. Yet the big question remains unanswered: who did it?

The New York Times cited an unnamed Middle Eastern intelligence official assessing that Israel was behind the plot. However, Israeli officials have denied any involvement. Iran’s Supreme Council of National Security — its top security body — cryptically stated that it had identified the cause but refused to attribute the attack publicly due to security concerns. The decision was interpreted as Iran’s unwillingness to retaliate, at least in the short term. Nonetheless, Noor News, the media affiliate of Iran’s Supreme Council on National Security, warned Israel of “crossing redlines,” vowing a firm response.

In addition to speculation about a foreign source, a seemingly domestic actor has also claimed responsibility for the possible act of sabotage. Hours before the explosion was publicly announced, a few journalists at BBC Persian and other media outlets received a statement accompanied by a video file, ostensibly prepared by an unknown domestic dissident group named “Homeland Cheetahs.” The statement was imbued with vivid nationalistic terms and symbols. The group did not express allegiance to any of the known political opposition factions, such as the Mujahedeen-e-Khalq (MEK) and the monarchists, or the fringe QAnon-inspired Restart. Instead, they described themselves as “anti-regime individuals from Iran’s security and intelligence apparatus.” The motivation to damage an aboveground facility was, according to the message, that Iran’s disinformation apparatus could not deny the incident and propagate lies to conceal it. The group promised more blasts in other key facilities in the coming days and months. But for now, they seem to have gone quiet.

The Homeland Cheetahs debut, however, was not unprecedented in the Middle East. Several unknown groups have previously claimed responsibility for acts of espionage and sabotage in the region. In particular, de facto arms of the Iranian government have repeatedly employed similar methods for obfuscating attribution and avoiding responsibility.

A previous incident in Natanz, first discovered in 2010, unleashed Iran’s ambition for conducting cyber-enabled extra-territorial espionage and sabotage operations. The Natanz site was reportedly targeted by a U.S. and Israeli covert cyber operation, dubbed “the Olympic Games.” Stuxnet, the brainchild of the operation, was a computer worm that sabotaged about 1,000 centrifuges in just a few months in 2009. It sought to delay Iran’s nuclear program and deter it from developing a nuclear weapon. Stuxnet’s impact was not only physical, however. It tipped Iran toward more aggressive use of network intrusion to inflict damage on the strategic infrastructure of its adversaries. Furthermore, Iran began to apply its disinformation toolkit to deceive and hinder attribution of cyberattacks.

In August 2012, a cyber-attack targeted Saudi’s national oil company, Aramco. The attack involved malware dubbed “Shamoon” that automatically erased the data of 30,000 business devices. Two little-known groups, “Cutting Sword of Justice” and “Arab Youth Group,” claimed responsibility for the attack. The announcements brimmed with anti-Saudi and anti-Israeli sentiment. Shamoon attackers sought justice for the oppressive and corrupt measures of Al-Saud, the current ruling family of Saudi Arabia. U.S. intelligence and cybersecurity researchers attributed the attack to Iran. But Iran has consistently denied any connection to the Aramco incident, orchestrating the state-affiliated media to amplify its denial.

Almost three years later, the Cutting Sword of Justice reemerged amid the Yemen conflict. In March 2015, the Saudis and their allies launched Operation Decisive Storm, a military offensive in Yemen to combat the threat of Houthi militias and curtail Iran’s influence. It was the first of many foreign interventions in the ongoing Yemen conflict. In May 2015, a multi-faceted cyberattack hit Saudi Arabia. The computer networks of the Saudi Ministry of Foreign Affairs were breached, and tranches of stolen documents leaked to WikiLeaks and the now-defunct website wikisaleaks.com. The hack-and-leak operation was designed to spill allegations of corruption and hypocrisy against Saudi Arabia, undermine its relationship to allies, and thwart the Saudi strategy in Yemen.

A little-known group, “Yemen Cyber Army,” claimed responsibility for the attack. The group described itself as the “Cutting Sword of Justice,” comprising a “Yemeni youth community” united against the Saudi regime. Again, the description and anti-Saudi messaging flashed back to Shamoon attackers posing as the Arab Youth Group. The operation was extensively covered by Fars News, the Islamic Revolutionary Guard Corps (IRGC)’s key media affiliate, and PressTV, the English language branch of the Islamic Republic of Iran Broadcasting (IRIB, aka the state-run broadcaster). The operation, known as WikiSaudiLeaks, has not been conclusively attributed. However, Iranian threat actors remain the most likely culprit, given multiple technical and non-technical indicators.

These events and the recent explosion in Natanz have employed fictitious front groups in an orchestrated effort to impede attribution of a destructive incident. Using fronts offers plausible deniability and leaves ample room for interpretation and public distraction. Whoever set up the Homeland Cheetahs plot was most likely aware of the history of misleading fronts associated with Iran. More so, the perpetrators may have signaled to Iran’s disinformation apparatus that such ploys could fire back.

Recent events also highlight an important plot twist. The use of fictitious front groups is no longer limited to the cyber domain. Physical acts of sabotage are also apparently fair game. Unlike the Cutting Sword of Justice and Yemen Cyber Army, the Homeland Cheetahs claimed responsibility for a carefully executed explosion at a nuclear facility. The plot sought to preempt and disrupt Iran’s efforts to shape and mislead the public narrative about the incident. In other words, the plot was designed as a blow to the Iranian disinformation gimmicks, often utilized against Iran’s adversaries.

The recent case of sabotage is unlikely to deter Iran from pursuing its nuclear program. But it does send a message that Iran disinformation ploys can be turned against their makers in unprecedented ways. It remains to be seen how Iran responds to this not-so-subtle lesson.

Simin Kargar is a Nonresident Fellow with the Digital Forensic Research Lab.

Follow along for more in-depth analysis from our #DigitalSherlocks.