Iran is rapidly building cyber warfare capabilities and recent reports suggest Tehran is set to conduct cyber attacks on global critical infrastructures, according to a State Department security report.
The internal report sent to U.S. businesses last week by the Overseas Security Advisory Council concludes that Iran’s offensive cyber capabilities have evolved in recent years, making the nation a sophisticated cyber adversary.
“Iranian hackers have been suspected in multiple incidents that inflicted damage on various entities in the private sector, including finance and energy firms,” according to the five-page report, “Pistachios and Saffron: Investigating the Iranian Cyber Threat.”
“Current analysis indicates Iran may intend to use its growing cyber force to attack global critical infrastructure,” the report added.
Once limited to website defacements and other less damaging attacks, Tehran’s hacker forces are now capable of using customized malicious software designed for use against specific victims.
Recent evidence of the large investment in offensive cyber warfare capabilities indicates “Iran is rapidly improving its cyber warfare capabilities,” the report said.
Iranian hackers were blamed for several serious cyber attacks in recent years following reports of the U.S.-Israeli Stuxnet virus attack against Tehran’s covert uranium centrifuge program at Natanz.
Among Iran’s recent cyber attacks are:
- Cyber disruptions aimed at U.S. government officials involved in nuclear nonproliferation;
- A 2012 cyber attack on the state oil producer Saudi Aramco that destroyed 30,000 computers;
- Cyber attacks against Israeli communications during the conflict with Hamas in the summer of 2014;
- Hacking that compromised the Marine Corps intranet in 2012;
- Large-scale denial-of-service cyber attacks against U.S. banks in two waves in 2012, and;
- The use of wiper malware against networks at the Las Vegas Sands casino in 2014.
The Las Vegas casino attack was confirmed by James Clapper, the director of national intelligence, during congressional testimony in February.
Clapper stated that Iran regards cyber attacks as one of many tools for conducting asymmetric, proportional retaliation against its enemies. The Iranians were behind the cyber attacks against U.S. banks and the Sands, Clapper said.
Adm. Mike Rogers, commander of the U.S. Cyber Command, told a Senate hearing in March that the government of Iran, along with those of China and Russia, have been using semi-official hackers in cyber attacks.
“Each of the three use a slightly different structure,” Rogers said March 19. “But in each case, the cyber activities we have seen to date display a strong and direct linkage between the individual actors doing the actual activity and the nation state directing it.”
Rogers said one future trend could be that nation states begin using techniques to “try to confuse our attribution ability by creating different relationships.”
“For example, using other partners, trying to distance themselves in a visible way so their activity is not as directly attributable,” he said. “I think that’s a trend that we’re going to be looking for.”
According to the State Department report, multiple reports linked Iran’s cyber attacks against the $14 billion Sands casino network attack to critical remarks on Iran from the casino’s chief executive Sheldon Adelson.
“In similar fashion, the multi-stage 2012 attacks against U.S. banks and financial institutions were assessed to be a response to economic sanctions” against Iran, the report said.
The report identified four trends in Iranian cyber activities: Retaliation, coordination between cyber and political strategy, increased technical sophistication, and a focus on attacking critical infrastructure.
Critical infrastructures include computer networks that control such sectors as finance, transportation, water, public health, security, telecommunications, and electrical grids. Electrical grid control networks are considered among the most critical infrastructure because electricity is common to all networks.
“Assessments continue to place critical infrastructure, supervisory control and data acquisition (SCADA) and transportation systems at the top of the list for potential targets of Iranian cyber operations,” the report says, adding that the cyber security firm Cylance reported that the Iranian government and its Islamic Revolutionary Guard Corps (IRGC), “is backing numerous groups and front entities to attack the world’s critical infrastructure.”
The report, published May 8, was based on several recent studies of Iranian cyber attacks conducted by the American Enterprise Institute and three security firms: Cylance, iSight Partners and FireEye.
“We have seen Iranian cyber capabilities increase in scale and sophistication over the last few years,” said Frederick W. Kagan, co-author of the AEI report.
“As others have noted, Iranians have been trying to identify and compromise vulnerable industrial control systems,” Kagan told the Free Beacon. “Our report shows that the Iranians have not stopped their cyber activities while negotiations have been going on, and that, on the contrary, their cyber attack infrastructure continues to expand.”
The Cylance report concluded that Iran’s cyber attack capabilities have increased sharply since 2010. Cylance also said North Korean cyber attacks against South Korean infrastructure suggest Tehran and Pyongyang may be cooperating on cyber attack strategy.
State Department documents made public by Wikileaks bolster the unclassified report’s conclusions.
“Several Iranian institutions and organizations conduct [open source intelligence (OSINT)] against USG programs,” one 2009 State Department cable said. “Most of the Iranian universities involved in this activity maintain longstanding ties to the IRGC.”
One organization, Farhang Azma Communication Co., downloaded over 100 U.S. Navy websites in a hunt for data on Pentagon equipment, weapons systems, unmanned vehicle technologies, communications, and intelligence systems.
“Persistent OSINT efforts show the continued interest and knowledge of U.S. capabilities and operations by Iranian institutions, as well as the Government of Iran (GoI),” the classified 2009 cable said.
“Individuals from many Iranian universities, as well as a variety of commercial organizations, also routinely attempt to solicit information from cleared defense contractors and U.S. firms via socially engineered email messages in order to acquire information related to restricted U.S. operations and research. This information could then be used to develop similar programs for the GoI, shared with third-party entities (e.g., Islamic extremist groups), or exploited through additional Iranian computer network operations activities,” the report said.