As Iran likely to redirect its offensive cyber campaigns where it hurts
Scrapping the Iran nuclear deal could lead to an increase in the number of cyber attacks against the US, former government officials and security experts have told The Washington Post.
The Joint Comprehensive Plan of Action (JCPOA), an agreement reached after several years of painstaking negotiations, promised to curtail Iran’s nuclear program in exchange for dropping sanctions on Iranian exports.
A campaign promise
Signed in July 2015, not just by Iran and the US, but also China, Russia, France, the United Kingdom and Germany, the agreement saw Iran take two-thirds of its nuclear centrifuges offline, eliminate most of its uranium reserves and fill its plutonium production reactor with concrete. The country also agreed to be inspected to monitor its compliance.
Even prior to his investiture, US president Donald Trump was averse to the deal, stating it did not succeed at blocking Iran’s ability to develop nuclear weapons, and made scrapping it (or replacing it with a much more stringent version of the text) one of his campaign promises.
Unless European governments and China can reach their own agreement with Iran, the decision could increase the risk of escalating conflict in Syria and general worldwide instability caused by the country’s development of nuclear weapons. Trump’s decision to re-impose sanctions on Tehran has also raised fears that government-backed hackers will retaliate with cyber operations against organizations in the United States.
A number of former government officials from the Obama administration and security experts stated that prior to the pact, Iran had carried out several serious cyber attacks against the US, and that since JCPOA had been signed, these had been steered towards Iran’s other foes, including Israel, the UAE, Jordan, Turkey and Saudi Arabia.
But rather than hoping to damage critical infrastructure in the US, they suggest, attacks may be perpetrated as a show of force – a threat of sorts.
A level playing field
The Iranian government started its cyber operations program in 2009, and is said to have begun launching attacks on Western institutions in 2011.
In 2012, following Obama’s removal of Iran from the SWIFT international payment network, the Iranian government reportedly authorized a series of DDoS attacks on the financial services companies in the US that took place regularly – this campaign lasted more than a year.
DDoS, or distributed denial of service attacks, involve flooding websites with traffic, often redirected from unsecured devices, in order to bring those websites offline. The project was codenamed “Operation Ababil” by its creators, after a failed Pakistani military operation attempted in the 1980s.
The attacks were found to have been carried out by hackers with close ties to the Iranian government, including the Islamic Revolutionary Guard Corps, the ideologically-driven intelligence and security branch of the Iranian army. Around the same time, a water dam near New York was targeted by the same group.
Another cyber attack allegedly hit Sands Corporation in Las Vegas in 2014, causing “significant network damage,” after the company’s CEO, Sheldon Adelson, said that the US should fire a nuclear warning shot at Iran to force it to dismantle its nuclear program.
Some intelligence experts suggested the attacks might be seen as retaliation for Stuxnet, the malicious computer worm developed by the US and Israel which caused substantial damage to Iran’s nuclear centrifuges.
A tiered, ideologically-driven approach
Levi Gundert, Sanil Chohan and Greg Lesnewich, threat intelligence experts and members of Insikt Group, obtained extensive information from a former Iranian hacker and founder of one of Iran’s first security forums, which they say was corroborated by other sources. They stated that “Iran is likely to respond by launching cyber-attacks on Western businesses within months, if not faster,” with likely victims being “banks and financial services, government departments, critical infrastructure providers, and oil and energy.”
In an extensive report, the group explored the correlations between Iran’s cyber criminals, security forums and the government itself.
Researchers describe a “quasi-capitalistic system” in which “Iranian cyber operations are administered via a tiered approach, where an ideologically and politically trusted group of middle managers translate intelligence priorities into segmented cyber tasks which are then bid out to multiple contractors,” to ensure that the Ayatollah’s ideology is adhered to, and that the ground work is performed by highly skilled individuals.
Meanwhile, security forums are thought to be used by contractors for staffing and knowledge-sharing purposes.
According to Insinkt, there are “over 50 estimated contractors vying for Iranian government-sponsored offensive cyber projects,” all of which are compartmentalized into bite-sized jobs to dissuade any potential “defectors and traitors.”
Iran’s Nasr Institute, Kavosh Security, the Imam Hossein University (IMU), Mersad Company and the ITSecTeam (ITSEC) have all been accused of being contracted to perform cyber operations by the Iranian government.
Profiling of these groups’ Internet activity allegedly detected indicators of attempts of intellectual property theft, propaganda dissemination, and cyber espionage.