Iran has developed sophisticated cyberattack and defense capabilities
Iran has been developing cyber warfare capabilities for years and accelerated these efforts following the Stuxnet attack that set back their nuclear weapons program. Several large-scale hacking incidents against Western targets show that Iran is also becoming more adept and confident in conducting offensive cyber attacks to further its revolutionary aims.
[ Page 3 ]
Iran’s cyberwarfare capabilities do not yet seem to rival those of Russia in skill, or of China in scale. The community of high-end hackers in Iran remains relatively small and constrained to some extent by infrastructural limitations resulting from sanctions— and the sheer difficulty of building a robust network in Iran’s physical and political terrain. We have not seen evidence that Iran is capable of penetrating US national security or critical infrastructure systems outfitted with modern, best-practices cyberdefense systems.
The Iranian cyberthreat is not yet unmanageable, but it is growing rapidly. The US must rapidly develop and implement laws, sanctions, systems, and proce- dures to defend against this threat, lest we be surprised some day by a preventable cyber calamity.
[ Page 8-9 ]
Iranian leaders began speaking seriously about soft war in 2008 when they concluded that President George W. Bush was unlikely to attack Iran militar- ily, given the difficulties he faced in Iraq and pressures against war back home.18 Khamenei described soft war in November 2009 as “a mixture of cultural means and advanced communication equipment to spread lies and rumors and cause doubt and divisions among the people.”19 The Iranian Armed Forces General Staff announced the establishment of a national headquar- ters from which to wage soft war in December 2012.20 That announcement was followed in October 2013 with news that Iran was setting up a soft-war headquar- ters in each province.21
The Iranian military identified the Internet as one of the main enemies in this soft war, declaring, “[It is] not an instrument of threat or espionage. It’s a spy itself.” The head of Iran’s Law Enforcement Forces in 2012 called Google an “instrument of espionage.”22 The IRGC called for national mobilization against the Internet threat in 2014, saying, “Amid the soft war, all the society’s strata, including the youths, university students and professors, should strive to confront the enemies’ threats and thwart their plots.” Its spokesman reported that it had developed plans “both to fight and prevent the soft war, and that all soft-power factors have been employed for an all-out confrontation with soft war.”23 This is the framework within which current Ira- nian cyber policy is developed and executed.
[ Page 42 ]
Iran has become a significant player in the cyberattack arena. Its threat is no longer confined to patriotic hackers defacing websites. Individuals, companies, and regime organs have all evolved sophisticated cyberattack capabilities and have developed global infrastruc- ture with which to expand and improve them. These capabilities are more concerning because they do not appear to have been developed primarily for mercenary reasons. They seem, rather, to be used in the service of the security and ideological interests of the regime.
The Iranian attacks against Norse sensors, together with the attacks conducted against JPMorgan Chase, Saudi Aramco, and the Sands Casino, provide a glimpse into the motivations of the hackers. These attacks were clearly not profit-driven. They penetrated three wealthy organizations and sought to destroy data rather than steal intellectual property or money. The attack on Aramco served the interests of the Iranian state directly; the one on Sands seems to have been driven by Iranian nationalism. Significant increases in attack volume on Norse sensors generally correlate with rising tensions with the West and/or perceived attacks or insults to Iran.
[ Page 42 ]
It is also easy to see how the general doctrines and approaches of the Iranian security services and foreign policy organs are being mapped to Iran’s new activi- ties in cyberspace. Iran’s hackers appear to move easily between ostentatious attacks and defacements and very quiet preparations for future operations, just as Iran’s security and intelligence forces do. They main- tain a similar two-track system of responding overtly to perceived attacks against Iran while continuing covert efforts to expand their abilities to conduct future attacks. They seem to prefer to operate as individuals or small groups with plausibly deniable links to the state, just as their militant proxies throughout the region do, as opposed to the overt state control China maintains over its hackers. Iranian hackers rarely claim to be fully independent of the state, like Russian “hacktivists” do, and acknowledge their relationship with state and security entities from time to time. In this respect they are like Shi’a militias in Iraq and Syria, who maintain their nominal independence from Iran while explicitly recognizing their relationships with Tehran, the assistance they receive from Iran, and their loyalty to Iran’s values.108
[ Page 43 ]
The Iranian regime continues to seek effective deter- rents to potential US or Israeli military strikes. Still, it is not confident—rhetoric aside—that it can build its own adequate conventional military defense any time soon. It has, therefore, developed a wide variety of other means by which to threaten to inflict pain on a potential attacker, ranging from the tens of thousands of rockets deployed in Lebanon and Gaza to the thousands of small boats and minelayers supposedly ready to close the Strait of Hormuz, to the missiles able to hit American military facilities throughout the Persian Gulf region. Cyberattack capabilities are obviously a significant addition to this deterrence and escalation- management arsenal, and one that might prove to be extremely cost-efficient in an asymmetric conflict against a major power.
In American strategic thinking, a US military attack on Iranian soil could be a proportionate response to an Iranian attack on an American military base in Bah- rain or Qatar. The Iranians likely do not see things that way. For them, the proportionality would be meeting an attack on their homeland with an attack on ours— but such an attack will be beyond their conventional military capabilities for a long time to come. For Iran, a cyberattack is a promising avenue by which Tehran could bring any future conflict to American soil, espe- cially since it offers a way to do so that is graduated and potentially unattributable and may or may not involve casualties and the destruction of physical infrastructure.
Nonkinetic cyberattacks cooperatively developed, financed and launched by the U.S. and Israel did delay the Iranian nuclear program for five or more years, says the U.S. defense specialist, but the eventual outing of the “Stuxnet” cyberattack and “Flame” cyber-reconnaissance programs allowed Iran to start organizing its cyberdefenses.
To defend against cyberattacks, the Iranian government has begun installing a network that is separate from the Internet to better control information flow, according to a report by the University of Pennsylvania's Center for Global Communications Studies. Critical government and military agencies are expected to be on the network by the end of the month, according to the Washington Post. Project researchers say they already have evidence of a filtering capability. The technology is provided by China's Huawei corporation, the investigation finds.
“But it's a fencing match [that is standard in the world of electronic warfare],” the U.S. specialist says. “Now that they know our secret sauce [with discovery of the Stuxnet and Flame cyberintrusions], they've made it much harder to do.”
Previous research conducted by AEI’s Critical Threats Project and Norse Corporation has highlighted the growing cyberthreat posed by Iran and suggested that the regime might exploit the nuclear deal to increase investment in its cyber infrastructure and gain access to more effective technology.18 The sixth FYDP confirms this assessment. Khamenei calls for aggressively investing in Iran’s cyber infrastructure so that “Iran will become a top regional country.”19 Khamenei also calls for increasing technology cooperation with other states, “gaining technology,” and transforming Iran into “the regional leader in electronic government.”20 These are not new proposals articulated in the FYDP, but they echo comments made by numerous other senior officials.21 They also reflect realities in the regime’s existing security strategy. A robust cyber capability protects Iran’s critical infrastructure against attack while supporting the regime’s deterrence against the United States and its regional allies.22
Over the last two years, U.S. banks and government agencies have enjoyed a notable respite from malicious Iranian cyber activity. The timing of this drop-off happens to coincide with the signing of the nuclear deal with Iran in 2015. Now with U.S. President Donald Trump threatening to walk away from the nuclear deal, cybersecurity experts say it is likely Iran could resume its attacks against Western targets should Trump actually follow through with his threat.
[ More ]
Iran has gradually improved its offensive cyber abilities and developed more advanced ballistic missiles since signing an accord last year to curb its nuclear program, the U.S. Defense Department said.
The Islamic Republic now has a “substantial inventory of missiles capable of reaching targets throughout the region, including U.S. military bases and Israel,” according to an unclassified summary from a Pentagon assessment of Iran’s military prowess.
[ More ]
The Obama administration is preparing to publicly attribute a 2013 cyber attack against a New York dam to Iranian hackers, according to U.S. officials familiar with the investigation.
[ More ]
The Obama administration is planning to publicly blame Iranian hackers for a 2013 cyber attack against a small dam in New York state, three sources familiar with the matter told Reuters.
[ More ]
Four months after a historic accord with Tehran to limit its atomic ambitions, American officials and private security groups say they see a surge in sophisticated computer espionage by Iran, culminating in a series of cyberattacks against State Department officials over the past month.
[ More ]
Iran’s powerful Revolutionary Guard military force hacked email and social-media accounts of Obama administration officials in recent weeks in attacks believed to be tied to the arrest in Tehran of an Iranian-American businessman, U.S. officials said.
[ More ]
Cyberattacks against the U.S. by Iranian hackers have eased noticeably since nuclear talks intensified last year, but there is no sign that Iran’s leaders plan to scuttle their cyberweapons program, National Security Agency Director Adm. Michael Rogers said.
[ More ]
The evidence from the Norse report, along with analyses by American intelligence agencies, strongly suggests that Iran has made much greater use of cyberweapons over the past year, despite international sanctions. The attacks have mostly involved espionage, but a few, like the Sands attack, have been for destructive purposes.
[ More ]
A newly disclosed National Security Agency document illustrates the striking acceleration of the use of cyberweapons by the United States and Iran against each other, both for spying and sabotage, even as Secretary of State John Kerry and his Iranian counterpart met in Geneva to try to break a stalemate in the talks over Iran’s disputed nuclear program.
[ More ]
There is a rising anxiety amongst US public and private sector mandarins surrounding Iran’s apparent digital prowess, as evinced by a new report that uncovered at least 16,000 systems controlled by Iran outside of its borders, 2,000 of which were
infected machines of businesses in the US, Israel and other nations of interest.
[ More ]