US launches cyber-attack on Iranian weapons systems

News by Rene Millman

Iranian military computer systems were struck in a cyber-attack by the US government in response to the shooting down of a US drone. Should the private sector also hack back if targeted in a counter-response?

Iranian military computer systems were struck in a cyber-attack by the US in response to the shooting down of a US drone.
The strikes happened last Thursday, launched by US Cyber Command, and disabled systems controlling rocket and missile launchers, officials told AP. Two attacks targeted computer systems of Iran's Islamic Revolutionary Guard Corps in retaliation for the shooting down of a US drone and attacks on oil tankers in the region.
According to sources familiar with the attacks, they were launched to disable Iranian defences ahead of a planned US air strike, and the capability probably cannot be used again now that it has been revealed.
The report said that the attacks were successful, but there is no independent indication of damage to Iranian systems.
The BBC reported that the cyber-attack had been in the works for several weeks as a response to mine attacks on tankers in the Gulf of Oman. The US Department of Homeland Security warned that Iran was stepping up attacks on the US.
AP reported that hackers under the control of Iran have been targeting US government agencies, as well as sectors of the economy, including finance, oil and gas, through spear phishing attacks. It is not known if hackers gained access to any US networks.
Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said the recent Iranian activity included "destructive 'wiper' attacks" that delete data rather than steal it.
"What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network," he said.
The attacks come as the US looks to impose further sanctions on Iran to prevent the country from obtaining nuclear weapons. The US pulled out of the 2015 nuclear deal with Iran last year and reinstated sanctions that have hit Iran's economy.
US Cyber Command was granted new powers last year under the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which also gave the defence secretary the ability to run "clandestine military activity" to counter cyber-attacks.

Just last week a report claimed that Cyber Command and the U.S. military took advantage of those new powers by ramping up a secret programme that inserted malware into Russia's power grid, but didn’t brief President Trump over concerns that he might shutter the programme or leak information about it to foreign governments.

"The digital strike against Iran is a great example of using #CyberCommand as a Special Ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus," said Phil Neray, vice president of industrial cyber-security for CyberX.

Dave Weinstein, CSO at Claroty, felt that this was a great example of when and how cyber operations should be deployed in response to kinetic operations. "It is both proportionate and limiting from a collateral damage perspective. Furthermore, it serves deterrence value because it demonstrates not only to Iran but to other adversarial observers that the US is both capable and willing to project cyber-force in a tailored fashion. It's also noteworthy that the US reportedly targeted what can be considered a strictly military target. As international norms of cyber-space evolve, it's important to demarcate military from civilian targets, particularly as it relates to dual-use infrastructure. Finally, this operation illustrates the advantages of cyber-space as an attractive alternative military domain to sea, air, or land, especially for conducting retaliatory strikes."

But it is not clear if civilian facilities will be kept out of retaliation. Henry Harrison, CTO and co-founder of Garrison, told SC Media UK that the good news is that UK and US national security organisations have comparatively strong cyber-defences for their weapon systems and we would not expect Iran to be able to carry out comparable attacks in reverse.

"However, that means that if Iran is minded to retaliate in the cyber-arena, it is more likely to target civilian infrastructure and services - often owned and operated by private sector businesses," he said.
"The key question is whether our critical infrastructure operators should be adopting the same sort of defensive techniques that our national security sector uses - which in many ways are quite different to the way that mainstream civilian organisations are protecting themselves today."

Earlier this month the Active Cyber Defense Certainty Act (which failed to pass in 2017) was reintroduced in the US Congress. It would amend the US Computer Fraud and Abuse Act to allow the use of "limited" defence measures by private companies to monitor, identify, and stop hackers.

Active defence techniques that would be allowed include beaconing technology to "follow the bread crumbs" back to the source of an attack: a planted file that, when opened or rendered elsewhere, calls home so the defender learns where it ended up. Defence techniques would need to be reviewed in advance by the US Federal Bureau of Investigation.
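To make the beaconing idea concrete, the following is an added example written for this page; it is not the bill's text, and not code from any vendor or official quoted here. A defender mints a random token, embeds it in a decoy document as a remote image reference pointing at a host it controls (assumed here to be beacon.example.com), and later matches hits in that host's access log back to the decoy that was taken. The decoy names, log lines and IP addresses are constructed; the internal-address ranges are the standard RFC 1918 and loopback blocks, which is an assumption about the defender's network.

```python
"""
Added example (not from the article, the bill, or any vendor quoted in it):
a minimal beacon ("canary document") workflow. Mint a token, embed it in a
decoy file, then match beacon hits in a web server access log back to the
decoy. Host name, file names, log lines and addresses are constructed.
"""
import ipaddress
import re
import secrets
from dataclasses import dataclass, field

BEACON_HOST = "beacon.example.com"  # assumed: a host the defender controls

# Assumed: the organisation's own address space is RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Standard "combined" access log format as written by Apache/nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
BEACON_PATH_RE = re.compile(r"^/b/(?P<token>[A-Za-z0-9_-]+)\.png$")


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Hit:
    document: str
    ip: str
    ts: str
    user_agent: str
    note: str


@dataclass
class BeaconRegistry:
    """Maps minted tokens to the decoy document each was embedded in."""
    tokens: dict = field(default_factory=dict)

    def mint(self, document_name: str) -> str:
        # 96 random bits: a request for a token not in this table is scanner
        # noise or a guess, never a hit from a decoy we actually planted.
        token = secrets.token_urlsafe(12)
        self.tokens[token] = document_name
        return token

    def decoy_html(self, token: str) -> str:
        """A decoy that fetches a 1x1 image from the beacon host when rendered."""
        return (
            "<html><body><h1>Q3 board pack (DRAFT)</h1>"
            f'<img src="https://{BEACON_HOST}/b/{token}.png" width="1" height="1">'
            "</body></html>"
        )

    def match_hits(self, log_lines):
        """Return hits for minted tokens, annotated with what the source
        address does and does not tell you."""
        hits = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m:
                continue
            p = BEACON_PATH_RE.match(m["path"])
            if not p or p["token"] not in self.tokens:
                continue  # unrelated request, or a token we never issued
            ip = m["ip"]
            if is_internal(ip):
                note = "rendered inside our own network (preview pane, AV sandbox or an insider)"
            else:
                note = ("rendered outside; the address is only the last hop (proxy, VPN exit "
                        "or another intermediary), not proof of who the operator is")
            hits.append(Hit(self.tokens[p["token"]], ip, m["ts"], m["ua"], note))
        return hits


def demo():
    """Constructed scenario: two decoys planted, four log lines observed."""
    reg = BeaconRegistry()
    t_payroll = reg.mint("payroll_2019.html")
    t_board = reg.mint("board_pack_q3.html")
    lines = [
        f'10.20.30.40 - - [24/Jun/2019:09:15:02 +0000] "GET /b/{t_payroll}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 10.0)"',
        f'198.51.100.23 - - [24/Jun/2019:11:47:19 +0000] "GET /b/{t_board}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
        '203.0.113.9 - - [24/Jun/2019:11:48:00 +0000] "GET /b/notatoken.png HTTP/1.1" 404 0 "-" "zgrab/0.x"',
        '203.0.113.9 - - [24/Jun/2019:11:48:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "zgrab/0.x"',
    ]
    return reg.match_hits(lines)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.document}: opened from {h.ip} at {h.ts} [{h.user_agent}] -> {h.note}")
```

Note what the hit actually proves: that a specific planted file was rendered somewhere, and the last network hop it was rendered from. It does not identify the operator, which is precisely the attribution gap Alex Rice raises below; a hit from an address outside your own network is a lead for incident response, not a target for a counter-strike.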

At that time (prior to the recent US government attacks) Alex Rice, CTO of HackerOne, said in an email to SC Media UK about the hack-back proposals: "This section is worrying: 'Congress holds that active cyber-defence techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber-activity.'

"Attribution is hard, and any legislation that assumes it can be done at scale with a high degree of confidence is suspect.

"Until we can agree on terms like 'qualified defender,' 'high degree of confidence,' and 'extreme caution,' hacking back will inevitably lead to collateral damage and misguided defenders could wind up facing jail time for an inadvertent misstep over an invisible line. We can't wait for legal precedent to be established here.

"This proposed vigilantism doesn’t work in any other societal structure for a reason. Today, the best digital offence for companies is a good defence, and this is where American companies should invest their resources."

Another issue highlighted by Sam Curry, chief security officer at Cybereason, is that nothing can be definitively proven in cyber. "Even if cyber activities produce kinetic effects, like disrupted pipelines, sabotaged uranium enrichment or interrupted communications, both sides can claim victory regardless of outcomes and appear strong. Now we're learning how cyber will get used in more hostile conflicts for the theatre of diplomacy.

"Iran claims a firewall stopped 33 million attacks, which is a useless claim because real attacks aren’t stopped by firewalls. The US claims that the President stopped a retaliation because 150 lives would be at stake, which translates to either a "look at my big gun that I didn’t use" style of threat or realisation that shooting down a drone regardless of air space isn’t really an act of war.

"Regardless of the rhetoric and duel of press releases, both the US and Iran are actually top cyber-powers. The posturing over who did what in the Strait of Hormuz is really only a reflection of failures on other fronts and high tension. Rest assured conflict is happening, but nothing either nation has said at this point is pointing to anything new or significant happening in the cyber-domain."

There is a history of cyber-attacks between the US and Iran. In 2010, the Stuxnet worm disrupted centrifuges at a uranium enrichment facility in Iran. In 2012, hackers attributed to Iran unleashed data-wiping malware on some 30,000 computers at the state-owned oil company Saudi Aramco.
