Keep your cyber tools close, your history books closer.
For some, the signing of the July 2015 Iran nuclear deal might appear as a “watershed moment” for abating the flow of Iran’s malicious cyber operations against Western institutions. A more clear-eyed analysis offered by Kate Brannen in Just Security explains that although these cyber operations “dropped off” following the signing, Iran’s cyber espionage activities and its use of hacking groups like APT33 continued.
But to what extent has Iran weaponized cyberspace, and how might it retaliate with malicious cyber operations following the US’ withdrawal from the Joint Comprehensive Plan of Action (JCPOA)?
Based on Iran’s cyber targeting history and the Trump Administration’s recent announcement that it will restore economic penalties against Iran’s energy industry, Western energy and financial institutions are at a heightened risk as targets for disruption and espionage.
As observed from Operation Ababil and Shamoon, Iran’s cyber targeting pattern appears to be striking “like-for-like” industries. The Carnegie Endowment Institute’s 2018 report on Iran’s Cyber Threat also characterized this pattern as a “tit-for-tat cycle of covert destructive attacks and symbolic retaliation[s.]”
First, let’s take a thumbnail sketch of Iran’s ‘weaponization’ of cyberspace:
As the Islamic Republic of Iran began asserting itself on the world stage, following the 1979 revolution, the advent of information and communications technology (ICT) presented a unique set of challenges and opportunities to Tehran. For instance, how should the authoritarian government regulate access to ‘subversive’ content that runs counter to the ideological spirit of Iran’s Islamic Revolution? Since Iran first connected to the Internet in 1992, the state has learned how to regulate and monitor domestic ICTs. Internet usage rules were promulgated by Iran’s Supreme Council of the Cultural Revolution, “including mandatory filtering and surveillance of sites considered politically, culturally, and religiously subversive.” Apart from domestic surveillance, Iran has waged aggressive cyber operations against other countries.
In 2011, Ayatollah Ali Khamenei established a Supreme Council of Cyberspace to oversee operations. In terms of organization, Iran has three entities that engage in cyber operations: first, the Basij, “a civilian paramilitary organization” managed by the Islamic Revolutionary Guard Corps (IRGC); next, the IRGC’s Cyber Division; and lastly, the Passive Defense Organization. The state also relies upon ‘cyber proxies’ to further its agenda. Over the past several years, Tehran has supplied technical training and assistance to bolster Syria’s cyber capabilities and has supported Cyber Hezbollah’s campaigns against Israel and Lebanon. In terms of malware development, Iran has launched three major viruses: Madi (2012), Shamoon (2012), and Shamoon 2 (2016); it has also been the target of several offensive cyber campaigns, including Flame, Duqu, Wiper, and Stuxnet.
With that historical backdrop, how might Iran retaliate in cyberspace following the U.S. withdrawal from JCPOA?
Following the United States’ withdrawal from the JCPOA, Recorded Future projected that “the businesses likely to be at greatest risk are in many of the same sectors that were victimized by Iranian cyberattacks between 2012 and 2014 include banks and financial services, government departments, critical infrastructure providers, and oil and energy.”
Lending further credence to this threat was the sobering discussion amongst senior U.S. officials at the 2018 Aspen Security Forum: “Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and health care and technology companies in the United States, Germany, the U.K. and other countries in Europe and the Middle East.”
In fact, Iran has already conducted network reconnaissance on critical infrastructure; for instance, in 2013 Iranian hackers infiltrated the command and control system of New York’s Bowman Avenue Dam.
Making Behavioral Pattern Threat Predictions
We can glean additional behavioral patterns from examining Iran’s past distributed denial-of-service (DDoS) attacks against U.S. financial institutions and its burgeoning ability to threaten U.S. aerospace security.
Per a 2015 congressional statement by former Director of National Intelligence James Clapper, “Iran very likely views its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence.”
Let’s examine the facts.
Firstly, Iran’s DDoS attacks against U.S. banks in Operation Ababil were in response to U.S. economic sanctions. A SWIFT Institute report on cyber threats to financial institutions also highlights Iran’s pattern of targeting U.S. organizations, noting that in “2012 and 2013, disruptive attacks by nation states took center stage with the Operation Ababil DDoS attacks on U.S. banks by Iran[.]” In 2013, the New York Times reported that the DDoS attacks on U.S. banks were the handiwork of Iran’s cyber forces and “most likely in retaliation for economic sanctions and online attacks by the United States.”
Secondly, in response to the 2009 Stuxnet virus, which destroyed Iran’s Natanz uranium enrichment plant, Iran struck back with Shamoon, a virus which harmed the networks of the energy company Saudi Aramco, a leading supplier of crude oil to the world. Moreover, the New York Times reported that some intelligence officials claimed that Iran waged these attacks in retaliation against the West’s attacks on Iranian systems and economic sanctions. Granted, the attack on Las Vegas’ Sands Casino in 2014 might initially appear as an aberration from this pattern, as the hackers directed a political message at American billionaire Sheldon Adelson. However, given the timeline of economic sanctions imposed against Iran, and that Adelson’s Las Vegas Sands Corporation is one of the world’s largest gaming companies, this $40 million breach was also a high-profile strike on the American economy. Overall, Iran’s cyber targeting efforts appear to be symbolic, aimed at commensurate industries.
Past actions: A lesson for the future
The Pentagon’s 2018 Cyber Strategy Report Summary declares it will “defend forward” by attacking state-sponsored malicious cyber activity at its source, even for activity that does not constitute armed conflict. Despite the mounting concerns about Iran’s record of cyber operations, however, the word ‘Iran’ appears in only one glancing reference (“Other actors, such as North Korea and Iran, have similarly employed malicious cyber activities to harm U.S. citizens and threaten U.S. interests.”). Additionally, the White House’s 2018 National Cyber Strategy offers little more on this issue, acknowledging that “[w]e are vulnerable to peacetime cyber attacks against critical infrastructure, and the risk is growing that these countries [identifying Russia, Iran and North Korea] will conduct cyber attacks against the United States during a crisis short of war.” Going forward, as the Federal Government collaborates with ICT providers and other private sector industries in sharing more threat and vulnerability information, a stronger emphasis should be placed on teaching behavioral and predictive threat analysis techniques. It is impossible to foresee every threat, but teaching these techniques should feature more prominently in this cross-sector dialogue to promote industry awareness and unity of strength.
Why? Cyber threat “history doesn’t repeat itself, but it often rhymes.”
Thus, as U.S. Cyber Command embarks on writing its “Fifth Chapter,” and Homeland Security Secretary Kirstjen Nielsen recommends a ‘hit-back-harder’ cyber strategy, studying the history of Iran’s weaponization of cyberspace can fortify these agencies’ threat-planning posture.
While a good Cyber Mission Force Team understands the opponent’s operational capabilities and tools, a great team distinguishes itself by also leveraging its cultural knowledge of the opponent. Without sufficient cultural awareness and historical context, U.S. cyber operations will not anticipate attacks or deploy countermeasures to maximum effect. Building a country-calibrated cyber strategy will better protect networks and ‘defend forward’ against cyber threats.