What CISOs can learn about insider threats from Iran's human espionage tactics

Israel's arrest of four women recruited to spy for Iran reveals how an adversary might recruit an insider to act on its behalf.


Over the last few months, there has been an uptick in espionage revelations concerning Iran and its interest in collecting information on regional adversaries as well as on Iranian expats whose views diverge from those of the current regime. It is important for CISOs to understand the human side of Iran's offensive efforts to gather information of interest.

Iran recruits eyes within Israel

In mid-January, Israel’s Shin Bet (internal security service) revealed that four Israeli women had been arrested for espionage, having been successfully recruited by Iranian intelligence via Facebook. The women, all of Iranian descent, were contacted by an individual who identified himself as Rambod Namdar and claimed to be a Jewish man living in Iran. The modus operandi is one that has been seen many times before: establish contact via a social network, then daisy-chain the contact to a seemingly more secure communication medium, in this case WhatsApp.

Shin Bet revealed that this specific operation resulted in the women being paid thousands of dollars over the course of five years.

According to the BBC, one of the women was a 40-year-old who lived in the suburbs of Tel Aviv and was tasked with taking photos of the U.S. Embassy, the interior of the social affairs ministry, and other buildings. Another was a 57-year-old from Beit Shemesh who elicited information and documents from her son, whom she had encouraged to serve in Israeli military intelligence. A third set up a honeytrap in her home, complete with surreptitious video, where she gave “personal massages” to clients from the Iranian community in Israel and elicited information from them. Her efforts included targeting a member of the Israeli Parliament.

Iran targets military and energy

Contemporaneously with the above, in 2019 a former Israeli cabinet minister (energy and infrastructure), Gonen Segev, was sentenced to 11 years in prison for spying on behalf of Iran. Segev had apparently volunteered his services to the Iranians while in Nigeria in 2012 and then made two clandestine trips to Iran, where he was trained in a covert communications system that allowed him to communicate securely with Iranian intelligence.

Similarly, in late November 2021, Omri Goren Gorochovsky, the personal housekeeper of Israeli minister of defense Benny Gantz, was arrested for collaborating with Iran to compromise the minister’s electronic devices. Gorochovsky, who had unencumbered access to the devices within the minister’s residence, had sent photos of the home, office, computer, mobile phone, tablet, router, IP addresses and more. Shin Bet noted that Gorochovsky was “not exposed to classified materials.” Upon review, it was learned that Gorochovsky was a known felon, a fact that was not picked up by the background check.

Does Iran seed sources?

Then we have the ongoing case in Sweden of two brothers of Iranian descent who have been arrested. One of the brothers, Peyman Kia, is charged with aggravated espionage, according to the Swedish Security Service (SÄPO). Kia was an officer with SÄPO, the Office for Special Information Gathering (KSI) and the Swedish Military Intelligence and Security Service (MUST). Kia became a naturalized Swedish citizen in 1994. His fluency in Persian and knowledge of the Middle East made him a treasured and sought-after resource for the Swedish intelligence community.

Insider threat takeaways for CISOs

These are the takeaways that come to the forefront for CISOs, since the government espionage experiences extrapolate readily to the commercial world, where an unscrupulous insider or competitor would use similar techniques.

  1. The use of social networks to spot, assess, develop, and then recruit sources of information is an ongoing threat. The use of professional networks like LinkedIn, where individuals splay before the world their professional acumen and current work projects, is but one example. The leveraging of Facebook, as in the case of the four Israelis arrested, serves to emphasize that all espionage is personal: the Iranian officer who handled the four Israelis leveraged the virtual personal relationship to achieve his operational goals.
  2. Background checks are important and non-negotiable. Gorochovsky was a known felon with a rap sheet that included prison time. His access to the minister’s home gave an active criminal mind ample opportunity to figure out how best to monetize that access. Even if it was a case of giving an individual another chance, that chance should have included close and continuous vetting. Gorochovsky, the insider, leveraged his access and chose Iran as the avenue by which he could achieve a payday.
  3. Even trusted insiders break trust. Did Iran seed a source into Swedish intelligence? While details of this ongoing case continue to be shared piecemeal, a timeline of when Kia began to collaborate with Iranian intelligence has not been shared. Thus, it is possible that from the get-go the emigration of Kia and his sibling to Sweden was part of a long-term plot to gain access to Swedish government entities on behalf of Iran.

Copyright © 2022 IDG Communications, Inc.