State Department officials determined that Iran hacked their emails and social media accounts during a particularly sensitive week for the nuclear deal in the fall of 2015, according to multiple sources familiar with the details of the cyber attack.
The attack took place within days of the deal overcoming opposition in Congress in late September that year. That same week, Iranian officials and negotiators for the United States and other world powers were beginning the process of hashing out a series of agreements allowing Tehran to meet previously determined implementation deadlines.
Critics regard these agreements as "secret side deals" and "loopholes" initially disclosed only to Congress.
Sources familiar with the details of the attack said it sent shockwaves through the State Department and the private-contractor community working on Iran-related issues.
It is unclear whether top officials at the State Department negotiating the Iran deal knew about the hack or if their personal or professional email accounts were compromised. Sources familiar with the attack believed top officials at State were deeply concerned about the hack and that those senior leaders did not have any of their email or social media accounts compromised in this particular incident.
Wendy Sherman, who served as Under Secretary of State for Political Affairs for several years during the Obama administration and was the lead U.S. negotiator of the nuclear deal with Iran, could not be reached for comment.
A spokeswoman for Albright Stonebridge LLC, where Sherman now serves as a senior counselor, said Tuesday that Sherman is "unavailable at this time and cannot be reached for comment."
Asked about the September 2015 cyber-attack, a State Department spokesman said, "For security reasons we cannot confirm whether any hacking incident took place."
At least four State Department officials in the Bureau of Near East Affairs and a senior State Department adviser on digital media and cyber-security were involved in trying to contain the hack, according to an email dated September 24, 2015, and multiple interviews with sources familiar with the attack.
The Obama administration kept quiet about the cyber-attack and never publicly acknowledged concerns the attack created at State, related agencies, and within the private contractor community that supports their work.
Critics of the nuclear deal said the Obama administration did not publicly disclose the cyber-attack's impact out of fear it could undermine support right after the pact had overcome political opposition and cleared a critical Congressional hurdle.
The hacking of email addresses belonging to the State Department officials and outside contractors began three days after the congressional review period for the deal ended Sept. 17, according to sources familiar with the details of the attack and the internal State Department email.
In the week leading up to that deadline, Senate Democrats blocked several attempts to pass a GOP-led resolution to disapprove of the nuclear deal. The resolution of disapproval needed 60 votes to pass but the most it garnered was 58.
President Trump, during his trip to the Middle East in late May, talked tough against Iran and its illicit ballistic missile program but has so far left the nuclear deal in place. A Trump State Department review of the deal is nearing completion, the Free Beacon recently reported, and some senior Trump administration officials are pushing for the public release of the so-called "secret side deals."
State Department alerts outside contractors of cyber-attack
State Department officials in the Office of Iranian Affairs on Sept. 24, 2015 sent an email to dozens of outside contractors. The email alerted the contractors that a cyber-attack had occurred and urged them not to open any email from a group of five State Department officials that did not come directly from their official state.gov accounts.
"We have received evidence that social media and email accounts are being compromised or subject to phishing messages," the email, obtained by the Washington Free Beacon, states. "Please be advised that you should not open any link, download or open an attachment from any e-mail message that uses our names but is not directly from one of our official state.gov accounts."
"We appreciate learning of any attempts to use our names or affiliations in this way," stated the email. Shervin Hadjilou, the public diplomacy officer in the Office of Iranian Affairs, sent the email and cc'd four other State Department officials who deal with Iran issues, including one cyber-security expert.
Two sources familiar with the details of the hack said the State Department and outside contractors determined that Iranian officials were the perpetrators. The hack, which began Sept. 21, had compromised at least two State Department officials' government email accounts before they regained control of them, as well as private email addresses and Facebook and other social media accounts, the source said.
"They had access to everything in those email accounts," the source said. "Everyone in the [State Department Iranian Affairs] community was very upset—it was a major problem."
The hack also stood out because cyber-warfare between Iran and the United States, which had been the weapon of choice between the countries for years, had cooled considerably in 2015 during the nuclear negotiations in what cyber-security experts have described as a limited détente.
Since Iran discovered the Stuxnet virus—a cyber-worm the United States and Israel planted to degrade Iran's nuclear capabilities—in 2011, the countries have been engaged in escalating cyber warfare as Tehran's cyber capabilities become increasingly sophisticated and destructive.
Since 2011 Iran has attacked U.S. banks and Israel's electric grid. In 2012, Iranian hackers brought down Saudi-owned oil company Saudi Aramco, erasing information on nearly 30,000 of the company's work stations and replacing it with a burning American flag.
Cyber-security experts have long believed that Russia helped Iran quickly build up its cyberweaponry in response to Stuxnet. A team of computer-security experts at TrapX, a Silicon Valley security firm that helps protect top military contractors from hackers, said in April they officially confirmed that Iranians were using a cyber "tool set" developed by Russians.
Tom Kellerman, a TrapX investor who also served on a commission advising the Obama administration on cyber-security, said Iranian cyberwarfare has dramatically improved over the last two or three years in large part due to Russian technical assistance.
"Much like you see the alliance between Syria, Iran, and Russia, the alliance doesn't just relate to the distribution of kinetic weapons," he said, but extends into cyberwarfare.
Uproar among private contracting community over cyber-attack
In the late September 2015 hack, at least two State Department officials and a handful of outside contractors lost control of access to their email and social media accounts, which were automatically forwarding emails to work and personal contacts. This spread the hack to a wider network of victims.
The private-contracting community involved in State Department Iran programs—approximately 40 private firms, some of which are based in Washington and others located throughout the United States—were outraged by the infiltration.
"They were saying ‘We're mad—we're angry,'" the source recalled. "We all got compromised."
Eric Novotny, who served as a senior adviser for digital media and cyber security at the State Department at the time, was involved in trying to shut down the hack and help affected officials and private contractors regain control of their accounts. Novotny was one of the four government officials copied on Hadjilou's Sept. 24 email.
Critics: Obama administration's silence on hacking was needed to secure nuke deal
Critics of the Obama administration's handling of the Iran nuclear deal argue that the State Department stayed silent about the hack because acknowledging it could have publicly undermined the pact right after it became official.
"Within hours of the Iran deal being greenlighted, Iran was already conducting cyberattacks against the very State Department that ensured passage of the [nuclear deal]," said Michael Pregent, a senior Middle East analyst at the Hudson Institute. "Acknowledging a cyberattack after the [nuclear deal] was greenlighted would be something that would immediately signal that it is a bad deal—that these are nefarious actors."
Mark Dubowitz, the CEO of the Foundation for Defense of Democracies, said Iran's hacking of State Department personnel at such a critical period is "just one of many of Iran's malign activities that continued and the State Department essentially ignored while the Obama administration was working out the fine points of the nuclear deal."
"The Obama administration didn't acknowledge it publicly out of fear that public outrage could threaten the nuclear deal," he said.
In early November 2015, the Wall Street Journal reported that the Iran's hardline Revolutionary Guard military had hacked email and social-media accounts of Obama administration officials.
Yet that report wrongly tied the beginning of the uptick in Iranian cyberattacks to the arrest October 29, 2015 of Siamak Namazi, a businessman and Iranian-American scholar who has pushed for democratic reforms. Namazi and his elderly father remain imprisoned in Iran and face a 10-year sentence on espionage charges.
The Journal report also did not indicate that the attacks had occurred more than a month earlier, within three days of the end of the congressional review period, nor did it indicate any specific individual targeted nor how officials and contractors reacted to it.
The Sept. 24 email obtained by the Free Beacon shows the Iranian hacking of State Department officials occurred much earlier—the weekend after Republicans in Congress failed to push through a resolution disapproving the Iran nuclear pact, effectively sealing the foreign policy win for Obama.
The late September time period was particularly important for negotiating critical details of the nuclear deal's implementation, what critics, including CIA Director Mike Pompeo, have labeled "secret side deals" allowing Iran to evade some restrictions in the nuclear agreement in order to meet its deadline for sanctions relief.
Among other non-public details of the pact, the side agreements involved the controversial exchange of American prisoners held in Iran for $1.7 billion in cash payments.
Infiltrating State Department emails and internal communications about where the United States stood on a number of sensitive issues could have given the Iranians an important negotiating advantage, according to David Albright, a former U.N. weapons inspector and president of the Institute for Science and International Security.
"The [Joint Comprehensive Plan of Action] had a lot of loose language at the time and the question was whether the U.S. was going to accept it," he told the Free Beacon, referring to the weeks immediately following the Congressional Review Period, which ended Sept. 17, and Iran's own review process, which ended Oct. 15.
"It would be to Iran's great benefit to know where the U.S. would be" on a number of these issues dealing with the possible military dimensions of the Iran nuclear program, he said. "If they could tell the U.S. was going to punt, they could jerk around the [International Atomic Energy Agency, or IAEA] a bit."
"That's essentially what happened with the IAEA," he added.
The IAEA is charged with verifying and monitoring Iran's commitments under the nuclear agreement.
According to Albright, the IAEA ultimately accepted far less access to nuclear sites than it originally wanted. The United States and other world powers also accepted other concessions involving "loopholes" allowing Iran to exceed uranium enrichment and heavy water limits for a certain time period in order for Iran to meet implementation deadlines, he said.
"The IAEA didn't know much at all and had to write a report [in December 2015] that it was content in knowing so little," he said.
Others who credit Iran's Islamic Revolutionary Guard with the cyber-attack say it may not have focused entirely on gaining leverage in the negotiations but simply demonstrating a resistance to the deal among hardline factions in the country.
"Iran has two personalities, and I think you were seeing the other personality shine through," Kellerman said of the hack during a critical phase of the nuclear deal.
Hack used common spear-phishing technique
Sources said the September 2015 hacking incidents compromised email accounts by sending spear-phishing messages, or efforts to gain unauthorized access to confidential data by impersonating close contacts.
The phishing emails targeted both State Department and private contractors' personal email and social media accounts, including Facebook, shutting down the users' access and sending out emails to some of the hacked individuals contacts and forwarding other information to unfamiliar emails with Persian-sounding names, two sources told the Free Beacon.
Samuel Bucholtz, co-founder of Casaba, a cyber-security firm that conducts test-hacking for Fortune 500 companies, said the hackers were likely trying to gain access to contacts and emails. The hackers also may have tried to install malware that would provide greater access to information held on computers or the entire computer network of the organizations, he said.
"If it's a phishing account that installs malware on your machine, then they have access to all the information on your machine," he said. "Then they start using that foothold to start exploring access throughout the entire organization."