‘A shot across the bow’: Iran’s growing cyberwar threat

US Deputy Attorney General Rod Rosenstein announces charges against nine Iranians accused of conducting massive cyber theft campaign, on March 23

US security authorities in New York have indicted nine Iranian hackers on charges of penetrating the computer systems of hundreds of US and foreign universities to steal data worth at least $3.4 billion that was sold to the Tehran regime, a move likely to trigger retaliatory attacks by Iran as a long-running cyberwar intensifies.
Also, the Moscow-based cyber-security firm Kaspersky Labs reported it uncovered a highly advanced US English-language malware known as Slingshot, active since at least 2012 and widely considered to have been developed by US intelligence authorities with Iran as its primary target.
Slingshot, Kaspersky reported, could implant various types of spyware, including one code-named “Gollum,” and had targeted Latvia-made internet routers that are popular in the Middle East and South-east Asia.
“Iran is engaged in an ongoing campaign of malicious cyber-activity against the United States and our allies,” observed Sigal Mandelker, under-secretary of the Treasury for Terrorism and Financial Intelligence, after the computer intruders, who remain at large, were charged March 26 in New York.
Mandelker claimed the stolen information was traced to the Islamic Revolutionary Guard Corps (IRGC), which, she said, “plays a central role in Iran’s malign activities across the world.”
The right-leaning Washington-based Foundation for Defense of Democracies alleged that, even during the talks that led to the 2015 agreement with Iran to ease crippling sanctions in exchange for curtailing its contentious nuclear programme, the Tehran regime “continued to invest heavily in cyber-capabilities” to attack the West.
The US Treasury and Justice departments zeroed in on the Tehran-based Mabna Institute, which the 25-page indictment charged was acting as a front for the IRGC, the most powerful force in Iran.
The proceedings underlined how Iran has built a powerful cyberwarfare network with a global reach since the United States and Israel crippled Tehran’s secret nuclear programme for a time with destructive malware known as Stuxnet in 2010.
Dorothy Denning, emeritus distinguished professor of defence analysis at the US Naval Postgraduate School, said: “Iran may view cyberwarfare as a means of overcoming its military disadvantage compared to the US. To that end, it will likely undoubtedly continue to improve its cyber-capabilities.
“Containing Iran’s cyberwarfare programme would likely be even more challenging than containing its nuclear programme,” Denning observed.
“Computer code is easy to conceal, copy and distribute, making it extremely difficult to enforce controls placed on cyber-weapons.”
Tehran has spent billions of dollars establishing cyberwarfare capabilities that Western security authorities fear could paralyse military and economic sectors as tensions between US President Donald Trump and Iran reach boiling point.
Several sources said Western government institutions, including military commands, remain highly vulnerable to Iranian cyber-sabotage, while Iran, for its part, risks seeing its precarious economy in ruins and its military forces reduced to a disorganised rabble unable to coordinate a response.
It is possible that Iran will resort to stepping up cyber-attacks against key US targets, including electricity and rail networks and vital communications systems, if Trump scraps, as promised, the landmark July 2015 agreement under which Tehran agreed to curtail its contentious nuclear programme in return for the lifting of ruinous economic sanctions.
Iran is weak in conventional warfare terms but cyber-attacks allow it to project its growing regional power. As its expansionist strategy unfolds from Afghanistan to the Levant, these are expected to intensify with Saudi Arabia, Iran’s leading regional rival, getting special treatment, reflecting the countries’ profound geopolitical and ideological differences.
Iran is increasingly using its cyber-armoury to retaliate against its foes with sophisticated weapons it has developed since its nuclear programme was crippled in 2010 by Stuxnet, the world’s first digital weapon, unleashed by the United States and Israel — the West’s opening salvo in global cyberwarfare.
Stuxnet took the Iranians by surprise, delaying Tehran’s nuclear programme for several months, but Iran swiftly built its own system-killing malware and began retaliating. Most of these cyber-attacks were aimed at Iran’s three leading opponents: the United States, Israel and Saudi Arabia.
“Iran has demonstrated how militarily weaker countries can use offensive cyber-operations to contend with more advanced adversaries,” the Carnegie Endowment for International Peace warned in a January 4 report released in Beirut.
“Cyberspace has become the newest frontier in the 4-decade-long US-Iran cold war,” Carnegie noted. “Perhaps more than any government in the world, the Islamic Republic has been the target of uniquely destructive attacks by the United States and its allies.
“At the same time, groups associated with Iran’s security forces” — the IRGC and the Ministry of Intelligence — “have become increasingly adept at conducting their own offensive cyber-operations.”
Carnegie concluded that Iranian attacks appear to have been deliberately “restrained based on strategic calculations,” presumably to avoid triggering a potentially destructive cyberwar in which Iran would probably come off worse than its adversaries.
The United States and Israel are not the only countries crossing digital swords with Iran: Canada, France, Russia and Britain have all engaged in offensive cyber-operations against the Islamic Republic.
“These attacks further motivated Tehran to develop indigenous defensive and offensive cyber-capabilities as well as a credible retaliatory threat,” Carnegie added.
“These exchanges are directly correlated to Iran’s domestic and geopolitical climate, which has been reflected in the reduction of disruptive attacks since the signing of the 2015 nuclear deal” with US-led global powers.
“A better understanding of the history and strategic rationale of Iran’s offensive cyber-operations must inform US strategy towards Iran and future US responses to Iran’s actions,” Carnegie commented.
“This is especially true given that the United States is reliant on an inadequately guarded cyberspace and should anticipate that future US cyber-attacks against Iranian targets could trigger retaliatory attacks on US infrastructure. Iran’s recent history suggests such an outcome.”
At least 46 major US financial institutions and finance-sector companies, including JPMorgan Chase, Wells Fargo and American Express, were targeted in 2011-13, the US indictment said.
The United States says the operations were allegedly carried out by at least one group of veteran Iranian hackers who worked for private Tehran-based firms named ITSecTeam and the Mersad Company, which have been linked to Iran’s intelligence apparatus.
“They were sending a shot across our bow,” warned US Senator Chuck Schumer, a Democrat from New York. “They were saying that we can damage, seriously damage, our critical infrastructure and put the lives and property of people at risk.”
His strident comments underlined a major loophole in US defences against potentially cataclysmic Iranian penetrations: Most US infrastructure is privately owned and poorly defended against such assaults because of corporate reluctance to install defence systems.
Cyber-experts have detected the Iranians digitally smashing their way into the networks of defence, aviation and energy companies and telecommunications providers.
“These sectors may be particularly vulnerable to cyber-attack because they rely on open-source software or hardware, third-party utilities and interconnected networks,” the Congressional Research Service warned.
“Such networks are particularly tempting because they often control operations and not merely information, potentially magnifying the impact of any attack on them.”
Iran has multiple hacking groups, and some of their attacks involve what is known as “denial of service” using “wiper” malware that overwrites data on hard drives and spreads throughout targeted networks; one such virus is known as Shamoon.
An Iranian group, identified by Western sources as the Cutting Sword of Justice, used this virus for the first time in targeted attacks on Saudi Arabia’s state oil company Aramco in August 2012 and, two weeks later, on Qatar’s state-owned RasGas. Some 30,000 computers were crippled.
The strikes reportedly cost the Arab companies several hundred million dollars and spurred the Arabian Gulf states to secure digital defences.
The Iranians were also indicted for breaking into a computer system that controls the Bowman Avenue Dam in Rye, a small town in the woods 40km north of New York City, on March 25, 2016.
One of the indicted hackers, Hamid Firoozi, 34, allegedly obtained “unauthorised remote access” to the computer system housed in Rye city hall’s basement that controls the 36.5-metre long, 7-metre high dam but made no discernible move to interfere with the controls of the 1900s-era facility.
The intrusion was sufficiently alarming that word went all the way to the White House amid fears the Iranians were seeking to control the dam, possibly to flood the countryside.
There are suspicions the hackers may have been seeking to control a much larger US dam, possibly the 75-metre high Arthur J. Bowman Dam in Oregon. That dampened conjecture that Firoozi accidentally stumbled onto the dam’s control system.
But, however he got there, Firoozi would not have been able to open the dam and flood the area because one of the dam gates was offline for computer maintenance.
Next time the Americans may not be so lucky.
Ed Blanche has covered Middle East affairs since 1967. He is the Arab Weekly analyses section editor.

This article was originally published in The Arab Weekly.