Amid reports of Russian hackers influencing elections, Chinese hackers pilfering state secrets, and North Korea launching ransomware attacks and attacking cryptocurrency exchanges, it would be easy to underestimate Iran’s potential as a cyberthreat to the U.S.
On one hand, most analyses describe the Middle Eastern republic’s offensive cyber capabilities as fractured, decentralized, and inferior to those of the U.S., Russia, and China. On the other hand, Iran’s cyber forces are known to be persistent and opportunistic and have become adept at infecting sloppy organizations whose employees and IT professionals don’t follow recommended security practices.
“Tehran’s operations against foreign interests have been mostly espionage and sabotage campaigns against soft targets,” asserts the Carnegie Endowment for International Peace, in the think tank’s January 2018 white paper, “Iran’s Cyber Threat: Espionage, Sabotage, and Revenge.” But when necessary, Iran will also strategically engage in disruptive and destructive attacks, as a retaliatory strike against its perceived enemies, the report continues.
Written by researcher Collin Anderson and Senior Fellow Karim Sadjadpour, the Carnegie document notes that Iranian APT groups — some commanded by the Ministry of Intelligence, others operating under the separate auspices of the Islamic Revolutionary Guard Corps — are committed to targeting Iranian dissenters and political opponents as well as global government and commercial institutions, with an emphasis on Israel, Saudi Arabia, and the U.S.
“This ecosystem is unique, involving diverse state-aligned operators with differing capabilities and affiliations,” the paper continues. “Over the decade that Iranians have been engaged in cyber operations, threat actors seemingly arise from nowhere and operate in a dedicated manner until their campaigns dissipate, often due to their discovery by researchers.”
Many of Iran’s APT groups have overlapping tactics, techniques and procedures, and share resources including malware, infrastructure, and attack methods. Among the more significant ones are:
APT33: Cybersecurity firm FireEye reports that this Iranian threat group, discovered just last year, has been launching hacking and spear phishing attacks against U.S., Saudi and South Korean aerospace and petrochemical companies.
APT34, aka OilRig or Helix Kitten: Focused primarily on the Middle East, the group conducts spying and reconnaissance missions against a large cross-section of industries.
“Helix Kitten appears to be more espionage focused. They have been observed targeting aviation, energy, financials, government, and hospitality,” says Adam Meyers, vice president of intelligence at CrowdStrike. Eyal Sela, head of threat intelligence at Israel-based ClearSky Cybersecurity, added that “OilRig is quite capable, and has succeeded in breaching target organizations, as well as breaching IT providers and pivoting from them into their clients. Unfortunately, we don’t know how often they target organizations in the U.S.”
APT 35, aka Newscaster, NewsBeef or Charming Kitten: This threat actor gained infamy for creating fake journalist accounts on social media platforms in order to socially engineer users into visiting compromised or phony websites that can track visitors and harvest their information. In Feb 2017, researchers observed the group using a fake aerospace company website to presumably target the U.S. defense industry, infecting victims with a Mac spyware program called MacDownloader.
Jacqueline O’Leary, senior threat intelligence analyst at FireEye, tells SC Media that Newscaster was particularly active in 2017, with its sights set on multiple industries across the entire globe. O’Leary said the worldwide scope of Newscaster’s recent campaigns is significant, because normally, “We have observed other Iranian APT groups… focus almost exclusively within particular regions, such as the Middle East.”
Perhaps the most notable malware campaign linked to Iran is the Shamoon/Disttrack disk wiper malware attack that in 2012 destroyed 35,000 computers at Saudi oil company Aramco. Shamoon, which prominently hit Saudi Arabia again beginning in 2016, has since been linked to OilRig and other suspected Iranian actors, including such loosely affiliated APT groups as Rocket Kitten and Greenbug.
“In 2012 they used the Shamoon malware somewhat haphazardly against one target. And in 2016 and 2017 they used the same malware with a few modifications. This time, however, they broadly targeted numerous organizations,” says Meyers, explaining how the Iranian cyberthreat has evolved. “While the tools didn’t change, using them against multiple targets increased the cumulative impact of the tools.”
In early 2017, Shamoon was also linked by researchers to a similar spyware-disk wiper malware targeting Saudi Arabia called StoneDrill, which was also found to have ties with Charming Kitten.
The legacy of Stuxnet, the power of diplomacy
Of course, this is not a one-sided affair. Based on widely accepted reports, the U.S. set a cyber warfare precedent in 2007 when it allegedly collaborated with Israel to launch the Stuxnet worm attack that physically sabotaged Iranian nuclear facilities, impeding its nuclear program. Additionally, the U.S. reportedly drew up a contingency plan dubbed Nitro-Zeus that involved launching cyberattacks against Iran’s critical infrastructure in the event of military aggression from the Middle Eastern regime.
So when the U.S. accused Iranian hackers of launching Operation Ababil, a 2012-13 DDoS campaign targeting and disrupting U.S. online banking operations, Iran’s Deputy Foreign Minister Hossein Jaberi Ansar essentially called the U.S. hypocritical, according to the Carnegie white paper, which notes that Iran “has used reports of destructive incidents [against its assets] to portray itself as a victim of foreign aggression, deflect attention away from its own actions, and boast of its ability to neutralize potential attacks.”
Ultimately, the financial sector DDoS attacks resulted in the in-absentia federal indictments of seven men connected to the Iranian government and the Islamic Revolutionary Guard. One of these individuals, Hamid Firoozi, was also charged with hacking into the control system of a New York dam.
Fortunately, in more recent years, Tehran — under the dual leadership of Supreme Leader Ayatollah Khamenei and reformist President Hassan Rouhani — has shied away from launching major disruptive cyberattacks against the U.S. Some analysts believe that the nuclear accord reached in October 2015 under the diplomacy of President Barack Obama (known as the Joint Comprehensive Plan of Action, or JCPOA) may be a factor in this decision, as Iran does not wish to scuttle a mutually beneficial relationship that allows the country to pursue a regulated nuclear program while facing reduced sanctions.
With that said, if President Donald Trump nixes or hobbles the deal, the threat could intensity.
“We believe that the stances adopted and actions taken by the U.S. will likely influence the degree to which Iranian cyberthreat activity targets U.S. entities,” says Kelli Vanderlee, manager at FireEye. “Should the U.S. pull out of the JCPOA or seek to impose sanctions unrelated to the Iranian nuclear program, we suspect that Iran would take actions to retaliate against the U.S. using cyberattacks.” And even if the U.S. preserves the agreement, it is still possible that rogue elements within the Khamenei-allegiant IRGC “may attempt to disrupt Rouhani’s efforts by targeting Western entities with cyberthreat activity,” she added.
It’s also possible that Iranian cyber groups eased up on attacking the U.S. simply because they shifted their attention toward regional foes.
“While the JCPOA is something that corresponded with a decrease in offensive cyber operations targeting the west, the decrease also overlapped with increased regional tensions in Syria and Yemen, which pitted Iran against the GCC and Saudi Arabia,” suggests Meyers. “This is more likely the source of the decrease as offensive cyber elements may have been reprioritized.”
Martin Libicki, a senior management scientist at the global think tank organization RAND Corporation, and a professor at the Pardee RAND Graduate School agrees. “I get the sense that by reducing tensions, [JCPOA] has caused Iran to step back a bit in carrying out gratuitous attacks on the United States,” says Libicki. “But the shift to Saudi Arabia as a target may be more important.”
“It’s not clear whether any of that changes if the U.S. backs away from the deal,” Libicki adds, but, “I think the chances of changing the deal are zero.”
For countries like Iran that have far fewer military resources than the U.S., having a robust cyber program is one way to flex its muscle and stay relatively competitive. Still, experts concur that the U.S. possesses a very strong cyber advantage.
“While cyber gives the attacker certain benefits, to date we have not seen any capability that changes the balance,” says Sela. “Iran’s cyber operations mostly stay in the realm of espionage and annoyance, and have not yet turned into a physical threat.”
The United States is a multi-attribute superpower: military, economic, and diplomatic. Cyberspace doesn’t change that,” states Libicki. As for ongoing U.S. relations with Iran, “I know of no case in which a country has changed its foreign policy out of fear that going ahead with some operation or action would result in great costs being levied upon them from cyberspace.”
Still, it’s important for the U.S. to prepare for any realistic possibility. To that end, Carnegie report authors Anderson and Sadjadpour recommend that the U.S. continue enhancing its infrastructure defenses, apply sanctions to nations that aid Iranian offensive cyber operations and maintain its policy of naming and shaming offenders.