Sweden Accuses Iranian “Anzu” Group of 2023 Cyberattack Amid Religious Tensions

• Sweden accused Iran of sending 15,000 messages demanding revenge against Quran burners.
• The country’s officials believe a hacker group with ties to the Iran Revolutionary Guards was behind the 2023 cyberattack.
• Iran’s embassy in Stockholm dismissed these allegations as unfounded.

Sweden has officially named Iran as the orchestrator of a cyberattack targeting a local text messaging service. The Swedish Security Service (Sapo) disclosed that Iranian intelligence infiltrated the service to dispatch 15,000 messages urging retaliation against those involved in Quran-burning incidents.

The attackers, identified as the group Anzu, allegedly operated under the aegis of Iran’s Revolutionary Guards (IRGC). They gained unauthorized access to sensitive data, including passwords and usernames, before sending threatening communications.

The cyberattacks occurred during the summer of 2023, coinciding with a series of controversial Quran burnings in Sweden. These incidents incited outrage among Muslim-majority countries and raised security alarms within Sweden. 

Fredrik Hallstrom of Sapo highlighted the connection between the attackers and the Revolutionary Guards, emphasizing the dual objectives of targeting individuals and exacerbating existing threats against Sweden. This incident triggered concerns about foreign entities exploiting domestic tensions to destabilize the nation.

Despite Iran’s embassy in Stockholm dismissing the allegations as unfounded, Swedish authorities assert that their investigation provides substantial evidence implicating Iranian actors in the cyber activities. Prosecutor Mats Ljungqvist noted the complexity of pursuing legal action due to international law challenges regarding extradition.

This incident is part of a broader spectrum of accusations against Iran, with Swedish authorities pointing to Tehran's engagement with criminal networks in Sweden for hostile acts. Sweden’s Justice Minister Gunnar Strommer underscored the gravity of state-sponsored cyberattacks aimed at destabilizing or polarizing the country.

The fallout from these religiously motivated tensions has adversely affected Sweden’s diplomatic relations, leading to protests and violent reactions, including the torching of Sweden’s embassy in Iraq. Swedish prosecutors have since charged individuals with incitement, reflecting the severe legal and international implications of the Quran-burning events.

The cyberattack attributed to Iran marks a critical point in understanding the complex interplay between state-sponsored cyber activities and international diplomacy. It raises important questions about the security infrastructure's ability to defend against foreign threats seeking to exploit socio-political divisions.

The Iranian Islamic Revolutionary Guard Corps has been linked with various groups, such as APT33, which targeted the U.S. and U.A.E. with a new custom multi-stage backdoor.

Iranian state-backed threat actor APT42, which targets high-profile accounts of both political campaigns connected to the upcoming U.S. presidential election, was also associated with the IRGC.

The U.S. State Department identified 6 IRGC-linked Iranian security officials reportedly responsible for the cyberattacks on U.S. water utilities in 2023.