Cyber-war: In deed and desire, Iran emerging as a major power

Iran is being recognized in the US intelligence community and in cyber-security firms protecting corporate America as having vaulted into the top 10 of the world’s offensive cyber-powers.

Rick Wilking/REUTERS
A map is displayed on one of the screens at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado. After years as a cyber also-ran, Iran is becoming a major threat in the rapidly evolving era of cyber-conflict.

As high-level international talks in Vienna over Iran’s nuclear program edged closer to a deal last fall, something curious happened – massive cyber-attacks that had hammered Wall Street bank websites repeatedly for about a year slowed to a near stop.

While banking industry officials were relieved, others wondered why those Iran-linked “distributed denial of service” attacks that had so regularly flooded bank websites with bogus Internet traffic were shut off like a faucet. One likely reason, say US experts on cyber-conflict: to reduce friction, at least temporarily, at the Vienna nuclear talks.

Yet, even as the “distributed denial of service” attacks abated for apparently diplomatic reasons, overall Iranian cyber-spying on US military and energy corporation networks has surged, these experts say.

Iran was fingered last fall, for instance, for infiltrating the US Navy Marine Corps Intranet. It then took the Navy nearly four months to root out the Iranian hackers infesting its largest unclassified computer network, the Wall Street Journal reported in February.

This litany of Iranian activity is evidence, say experts, that after years as a cyber also-ran, Iran is morphing swiftly into a major threat in the rapidly evolving era of cyber-conflict.

That shift is causing a growing recognition – from the halls of the US intelligence community to the cyber-security firms protecting corporate America – that Iran has vaulted into the ranks of the world’s top-10 offensive cyber-powers.

“Iran represents a qualitatively different cyber-actor,” says Ilan Berman, vice president of the American Foreign Policy Council, a Washington think tank. “They’re not stealing our intellectual property en masse like China, or using cyber-space as a black market like the Russians do. But what Iran does use cyber for, including elevating its retaliatory capabilities abroad, makes it a serious threat.”

Intent to do damage

While Iran is still not a true “cyber-superpower” on a par with the US, China, and Russia, it is the intensity, variety, and destructiveness of Iran-linked cyber-incursions over the past five years that led to its reappraisal.

“Until recently, the US intelligence community thought about America’s serious cyber-adversaries mainly as a duopoly – Russia and China,” says a cyber-expert who asked not to be named in order to preserve ties with federal agencies. “The Vienna process is causing Iran to rein in its cyber-activities, at least temporarily. Iran’s capabilities may be rudimentary in many ways, yet what it lacks in sophistication it more than makes up for in intent” to do damage.

Iran was suspected, for instance, to have been the hand behind a computer virus that wrecked 30,000 Saudi Aramco computers in 2012. A similar attack hit RasGas, a Qatari energy company, that same year.

Even though these attacks were considered relatively crude, Iran’s capabilities are believed to be growing rapidly, thanks to ample funding from its government – $1 billion in 2011 with continuing large annual expenditures – and easy access to Russian, Chinese and black market cyber-tools and expertise, experts say.

The Aramco incident, while not remotely as sophisticated as the landmark Stuxnet attack on Iran’s nuclear fuel refining facilities in 2009, was “second only to Stuxnet as a disruptive cyber-attack and showed the progress of Iranian capabilities,” according to a recent study by James Lewis, a cyber-conflict expert with the Center for Strategic and International Studies in Washington.

“They’ve put in place the structures, strategy – and have acquired software tools from the black market,” Dr. Lewis says in an interview. “They have groups whose job it is to hack. They’ve worked through the organization, the training, and strategic issues that let them use cyber-tools against their opponents.”

Another prong of Iran’s cyber-development is directed inward.

One of Iran’s most sophisticated hacks in 2011 infiltrated a Dutch company in order to steal digital certificates. Those certificates, used for secure online communications, were later reported to have been used by Iranian authorities to hack e-mail and communications of its own citizens.

“We’ve seen persistent activity by the Iranians, not only in cyber-espionage, but in attacking dissidents at home, infiltrating government and military targets, energy companies and the financial sector,” says Dmitri Alperovitch, cofounder and chief technical officer of the cyber-security firm CrowdStrike. “Most of that activity has continued pretty much unabated.”

Response to Stuxnet

For their part, Iranians say it took the US-linked Stuxnet attack to spur Tehran in 2009 to press for advanced cyber-war capability, Hossein Moussavian, a research scholar at Princeton and a former diplomat who served on Iran’s nuclear negotiations team, said in an appearance a year ago at Fordham Law School.

“The US, or Israel, or the Europeans, or all of them together, started war against Iran,” he told the audience. “Iran decided to have … to establish a cyber-army, and today, after four or five years, Iran has one of the most powerful cyber-armies in the world.”

Indeed, not unlike China, Iran appears to be developing its offensive cyber-capabilities as part of an asymmetric tool that can reach around the globe to counterbalance its relatively weak conventional forces, says Mr. Berman, of the American Foreign Policy Council. Notably, it seems more than willing to engage in damaging cyber-attacks wherever those might help achieve its goals on the world stage, he says.

That includes an uptick in Iran’s cyber-espionage sophistication – including the infiltration of the US Navy’s intranet network.

“It was a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months,” a former US official told the Journal regarding the Navy intranet spying campaign. “That’s worrisome.”

A major part of Iran’s new capabilities is geared toward signaling the US, letting it know whether Tehran is unhappy – or possibly smiling.

In that vein, massive Iran-linked “distributed denial of service” attacks had flooded bank websites with bogus Internet traffic about every three months since the fall of 2012. But as high-level international talks over Iran’s nuclear program edged closer to a deal late last fall, the huge bombardment stopped.

Iran and six world powers – the US, Britain, France, Russia, China, and Germany – reported agreement in January on a timetable for negotiating a comprehensive pact that would end the stalemate over Iran’s nuclear program.

DDoS attacks were 'a harbinger'

Of course DDoS attacks, like those against the big US banks, are not typically considered sophisticated attacks – more like protests that gum up the works than damaging attacks, experts note. Yet some say these were far bigger and more sophisticated than generally assumed.

“This operation took down some of the most admirable companies on Wall Street that had deployed some of the most sophisticated defensive technology – and the attackers were able to take down almost all of that,” says Carl Herberger, vice president of security solutions at Radware, an Israeli security firm that has investigated the denial of service attacks. “That’s a harbinger.”

Indeed, Wall Street’s respite from DDoS attacks could prove short-lived. If tensions resume or talks fail, cyber-attacks of all types directed at the US should be expected, several experts say.

“If the nuclear talks fail, we should expect retaliation from Iran in a variety of ways including cyber-attacks, both against the US, but also Saudi Arabia and others,” CrowdStrike’s Mr. Alperovitch says.

“It’s that willingness to display belligerence in the cyber realm that sets Iran apart,” says Jen Weedon, a manager in the threat intelligence division at the cyber-security firm Mandiant.

There’s another reason for the US and others to be wary of Iran as a growing cyber-threat. Iran is believed to be learning from the cyber-attacks against its own operations – and is actively reverse engineering them, some experts say.

Signs of this emerged in May 2012 when an Iranian cyber-engineer, Morteza Rezaei, an automation expert at NEDA Industrial Group in Tehran, published his analysis of defending against Stuxnet in Control Global, a US online publication.

“It shows they’re very competent, they’re knowledgeable, and they have access to all of the latest solutions,” says Joe Weiss, an industrial control systems security expert who publishes Control Global. “It shows that they’re capable of doing to us what they think we did to them.”

Hayat Alvi, an associate professor of national security affairs at the US Naval War College, concurs.

“When the Stuxnet virus hit their nuclear facilities it was a huge shock,” she says. “But clearly they’ve sent their tech savvy personnel to examine it and see what they can learn from it. I wouldn’t be too surprised if we see something potent like that from them in the not too distant future.”
