The Iranian Cyber-threat

Amid reports of Russian hackers influencing elections, Chinese hackers pilfering state secrets, and North Korea launching ransomware attacks, it would be easy to underestimate Iran's potential as a cyber-threat to the US.
The Iranian Cyber-threat
The Iranian Cyber-threat

Amid reports of Russian hackers influencing elections, Chinese hackers pilfering state secrets, and North Korea launching ransomware attacks and attacking cryptocurrency exchanges, it would be easy to underestimate Iran's potential as a cyber-threat to the US.

On one hand, most analyses describe the Middle Eastern republic's offensive cyber-capabilities as fractured, decentralised, and inferior to those of the US, Russia, and China. On the other hand, Iran's cyber-forces are known to be persistent and opportunistic, and have become adept at infecting sloppy organisations whose employees and IT professionals don't follow recommended security practices.

“Tehran's operations against foreign interests have been mostly espionage and sabotage campaigns against soft targets,” asserts the Carnegie Endowment for International Peace, in the think tank's January 2018 white paper, “Iran's Cyber Threat: Espionage, Sabotage, and Revenge.” But when necessary, Iran will also strategically engage in disruptive and destructive attacks, as a retaliatory strike against its perceived enemies, the report continues.

Written by researcher Collin Anderson and Senior Fellow Karim Sadjadpour, the Carnegie document notes that Iranian APT groups — some commanded by the Ministry of Intelligence, others operating under the separate auspices of the Islamic Revolutionary Guard Corps — are committed to targeting Iranian dissenters and political opponents as well as global government and commercial institutions, with an emphasis on Israel, Saudi Arabia, and the US.

“This ecosystem is unique, involving diverse state-aligned operators with differing capabilities and affiliations,” the paper continues. “Over the decade that Iranians have been engaged in cyber-operations, threat actors seemingly arise from nowhere and operate in a dedicated manner until their campaigns dissipate, often due to their discovery by researchers.”

Many of Iran's APT groups have overlapping tactics, techniques and procedures, and share resources including malware, infrastructure, and attack methods. Among the more significant ones are: 

APT33: Cyber-security firm FireEye reports that this Iranian threat group, discovered just last year, has been launching hacking and spear phishing attacks against US, Saudi and South Korean aerospace and petrochemical companies. 

APT34, aka OilRig or Helix Kitten: Focused primarily on the Middle East, the group conducts spying and reconnaissance missions against a large cross-section of industries.

“Helix Kitten appears to be more espionage focused. They have been observed targeting aviation, energy, financials, government, and hospitality,” says Adam Meyers, vice president of intelligence at CrowdStrike. Eyal Sela, head of threat intelligence at Israel-based ClearSky Cyber-security, added that “OilRig is quite capable, and has succeeded in breaching target organisations, as well as breaching IT providers and pivoting from them into their clients. Unfortunately, we don't know how often they target organisations in the US.”

APT 35, aka Newscaster, NewsBeef or Charming Kitten: This threat actor gained infamy for creating fake journalist accounts on social media platforms in order to socially engineer users into visiting compromised or phony websites that can track visitors and harvest their information. In Feb 2017, researchers observed the group using a fake aerospace company website to presumably target the US defence industry, infecting victims with a Mac spyware program called MacDownloader.

Jacqueline O'Leary, senior threat intelligence analyst at FireEye, tells SC Media that Newscaster was particularly active in 2017, with its sights set on multiple industries across the entire globe. O'Leary said that the worldwide scope of Newscaster's recent campaigns are significant, because normally, “We have observed other Iranian APT groups… focus almost exclusively within particular regions, such as the Middle East.”

Perhaps the most notable malware campaign linked to Iran is the Shamoon/Disttrack disk wiper malware attack that in 2012 destroyed 35,000 computers at Saudi oil company Aramco. Shamoon, which prominently hit Saudi Arabia again beginning in 2016, has since been linked to OilRig and other suspected Iranian actors, including such loosely affiliated APT groups as Rocket Kitten and Greenbug.

“In 2012 they used the Shamoon malware somewhat haphazardly against one target. And in 2016 and 2017 they used the same malware with a few modifications. This time, however, they broadly targeted numerous organisations,” says Meyers, explaining how the Iranian cyber-threat has evolved. “While the tools didn't change, using them against multiple targets increased the cumulative impact of the tools.”

In early 2017, Shamoon was also linked by researchers to a similar spyware-disk wiper malware targeting Saudi Arabia called StoneDrill, which was also found to have ties with Charming Kitten. 

The legacy of stuxnet, the power of diplomacy

Of course, this is not a one-sided affair. Based on widely accepted reports, the US set a cyber-warfare precedent in 2007 when it allegedly collaborated with Israel to launch the Stuxnet worm attack that physically sabotaged Iranian nuclear facilities, impeding its nuclear programme. Additionally, the US reportedly drew up a contingency plan dubbed Nitro-Zeus that involved launching cyber-attacks against Iran's critical infrastructure in the event of military aggression from the Middle Eastern regime.

So when the US accused Iranian hackers of launching Operation Ababil, a 2012-13 DDoS campaign targeting and disrupting US online banking operations, Iran's Deputy Foreign Minister Hossein Jaberi Ansar essentially called the US hypocritical, according to the Carnegie white paper, which notes that Iran “has used reports of destructive incidents [against its assets] to portray itself as a victim of foreign aggression, deflect attention away from its own actions, and boast of its ability to neutralise potential attacks.”

Ultimately, the financial sector DDoS attacks resulted in the in-absentia federal indictments of seven men connected to the Iranian government and the Islamic Revolutionary Guard. One of these individuals, Hamid Firoozi, was also charged with hacking into the control system of a New York dam.

Fortunately, in more recent years, Tehran — under the dual leadership of Supreme Leader Ayatollah Khamenei and reformist President Hassan Rouhani — has shied away from launching major disruptive cyber-attacks against the US Some analysts believe that the nuclear accord reached in October 2015 under the diplomacy of President Barack Obama (known as the Joint Comprehensive Plan of Action, or JCPOA) may be a factor in this decision, as Iran does not wish to scuttle a mutually beneficial relationship that allows the country to pursue a regulated nuclear program while facing reduced sanctions.

With that said, if President Donald Trump nixes or hobbles the deal, the threat could intensify.

“We believe that the stances adopted and actions taken by the US will likely influence the degree to which Iranian cyber-threat activity targets US entities,” says Kelli Vanderlee, manager at FireEye. “Should the US pull out of the JCPOA or seek to impose sanctions unrelated to the Iranian nuclear program, we suspect that Iran would take actions to retaliate against the US using cyber-attacks.” And even if the U.S. preserves the agreement, it is still possible that rogue elements within the Khamenei-allegiant IRGC “may attempt to disrupt Rouhani's efforts by targeting Western entities with cyber-threat activity,” she added.

It's also possible that Iranian cyber-groups eased up on attacking the US simply because they shifted their attention toward regional foes.

“While the JCPOA is something that corresponded with a decrease in offensive cyber operations targeting the west, the decrease also overlapped with increased regional tensions in Syria and Yemen, which pitted Iran against the GCC and Saudi Arabia,” suggests Meyers. “This is more likely the source of the decrease as offensive cyber-elements may have been reprioritised.”

Martin Libicki, a senior management scientist at the global think tank organisation RAND Corporation, and a professor at the Pardee RAND Graduate School, agrees. “I get the sense that by reducing tensions, [JCPOA] has caused Iran to step back a bit in carrying out gratuitous attacks on the United States,” says Libicki. “But the shift to Saudi Arabia as a target may be more important.”

“It's not clear whether any of that changes if the US backs away from the deal,” Libicki adds, but “I think the chances of changing the deal are zero.”

For countries like Iran that have far fewer military resources than the US, having a robust cyber program is one way to flex its muscle and stay relatively competitive. Still, experts concur that the US possesses a very strong cyber-advantage.

“While cyber gives the attacker certain benefits, to date we have not seen any capability that changes the balance,” says Sela. “Iran's cyber-operations mostly stay in the realm of espionage and annoyance, and have not yet turned into a physical threat.”

The United States is a multi-attribute superpower: military, economic, and diplomatic. Cyber-space doesn't change that,” states Libicki. As for ongoing US relations with Iran, “I know of no case in which a country has changed its foreign policy out of fear that going ahead with some operation or action would result in great costs being levied upon them from cyber-space.”

Still, it's important for the US to prepare for any realistic possibility. To that end, Carnegie report authors Anderson and Sadjadpour recommend that the US continue enhancing its infrastructure defenses, apply sanctions to nations that aid Iranian offensive cyber-operations, and maintain its policy of naming and shaming offenders. 

FROM THE - March 2018 Issue of SCMagazine US »