Iran, like most world powers, has a substantial group of government-supported hackers that do all the usual dirty work in cyberspace for the state. This includes espionage, meddling in elections, spear phishing, stealing credentials, deploying ransomware, and sometimes even breaking into critical infrastructure and water utilities. Moses told The Register that Amazon had learned some interesting things about the Iranians.
Before Russia invaded Ukraine, the Kremlin’s state-backed and state-permitted malware crews switched to wiper malware, which permanently destroyed data, to support the invasion. Moses said that Iran’s cyber warriors have not done the same. “Each of the different threat actors has a different goal,” Moses added. Moses said Amazon’s threat intelligence team has not detected any destructive cyberattacks after the armed conflict started. He said that this could indicate a desire for continued access to critical networks or systems in the future, depending on what happens with the military component.
In most cases, the activity has increased, but it’s always been of the same kind, whether it’s financial gain or theft of intellectual property. Moses would not reveal which Tehran-linked cyber-crews are being discussed, as Amazon does not disclose its threat-group taxonomy. The CISO noted that “we intentionally, internally, name them differently.”
Another aspect of Iran’s cyber-attack strategy that has surprised Moses so far is its lack of interest in AI.
“We haven’t seen as much as the migration towards gen AI or agentic AI from some of those threat actors,” he said.
It is unusual, because other gangs Amazon tracks, both nation-state and financially motivated, “are doing agentic handoffs,” using different AI agents to carry out each part of an attack chain. Once one agent has identified the vulnerabilities, it passes the work on to another agent, which exploits the flaw. This process continues until the criminals reach their goal.
“That’s becoming, dare I say, normal,” Moses said.

Agentic AI gives attackers an advantage

AWS uses tens of thousands of sensors to monitor criminals’ attempts to connect to decoys in honeypots.
“In the past, we would put a newly vulnerable instance out there and within 90 seconds it’s scanned and within three minutes somebody will attempt to take it over,” Moses said. “That timeline is changing significantly because of chained agentic AI capabilities.”
Amazon is now able to see attackers trying to hijack the vulnerable instance “in near-real time,” Moses stated, and credited AI agents with the faster attacks. This means network defenders are left with less time to protect organizations. He explained: “You start off with the first, it selects what is next based on its outcome, and you chain them together to get to the outcome that you predetermine, everything from gaining access to if you are a criminal actor, trying to glean any financial capabilities out of that, or if you are a nation state actor, establishing a beachhead and performing reconnaissance from there.”
“We attribute that back to the ability for non-software developers to get into the space, and either use agents or AI generated code,” he said. “You have a whole new generation of script kiddies using these tools but they aren’t just fumbling their way through things, they have gen AI upleveling them.”
There is a silver lining to all of this. AWS uses AI agents and chains them to complete different parts of attacks during its red-teaming exercises to protect its customers and infrastructure. Moses said, “It is this agentic war that’s going on.”

