State-Sponsored Cyber Threats: Iran

A decade of crippling international sanctions has not deterred the Islamic Republic of Iran from aggressively developing its offensive cyber warfare capabilities. From a relatively novice level, Iran has rapidly emerged as one of the world’s most sophisticated cyber powers, trailing only the United States, Russia, and China.

Capabilities

Iran has steadily elevated its funding for cybersecurity over the past five years. Under the leadership of President Hassan Rouhani, official funding has increased from $3.4 million to $19.8 million. However, some believe Iran had already started investing as much $1 billion into cybersecurity starting in 2011.

A broad and loosely defined network of military, paramilitary, and civilian hackers constitutes the nation’s cyber shock troops. The only official cyber activity recognized by the government is conducted by the Cyber Defense Command, a branch of the military that claims to exist solely to provide defensive security to the country and its infrastructure against cyber threats. The bulk of cyber attacks executed by Iran originate from the Iran Cyber Army, a network unrecognized by the regime though widely believed to be overseen by the Intelligence Unit of the Iran Revolutionary Guard Corps (IRGC).

Distributed denial-of-service (DDoS), spear phishing, viruses, and brute force attacks are the most common weapons in an Iranian hacker’s toolkit. Recent research has shown that Iran’s cyber warriors control thousands of systems outside the country whose IP addresses are used frequently to launch attacks. Cloud and hosting services like Amazon and GoDaddy have also been used to create websites that infect visitors with malware designed specifically for surveillance and data exfiltration.

Victims

Progressing from basic website defacements in 2010, Iranian cyber attacks have increasingly become malware-based espionage aimed at exfiltrating or destroying data. Quite often these attacks are unrestrained, retaliatory actions aimed at states and entities perceived as threats by the regime.

Saudi Arabia, one of Iran’s archrivals, has borne the brunt of its growing cyber offensives. An attack named “Shamoon” that struck Saudi Aramco in 2012 is thought to be one of the most destructive acts of virtual sabotage ever recorded. Hackers used malicious software to delete the data from 30,000 computers. In June of this year, Saudi officials blamed Iran for the theft of over half a million confidential Foreign Ministry documents, nearly 70,000 of which have since been posted on Wikileaks’ website.

The United States has also been a prime target for Iran’s cyber warriors. During “Operation Ababil” in September 2012, an Iranian cyber group deployed one of the most massive DDoS attacks ever launched against the websites of several major US financial institutions, leading to severe slowdowns in traffic for some victims and complete website inaccessibility for others. A month prior to that, Iranian hackers, attempting to disrupt the websites of oil companies in the Middle East, conducted a four day DDoS campaign against the servers of AT&T.

Motivations

Iran’s escalation of cyber offensives follows a string of devastating attacks on its own networks. In 2010 Stuxnet, a mutating computer worm, infected the industrial control systems monitoring the centrifuges at the Natanz nuclear facility, causing nearly a tenth to spin out of control and destroy themselves. Two stealthy malware programs, Duqu and Flame, engineered to gather troves of data about Iran’s nuclear program for further sabotage efforts, were subsequently discovered in 2011 and 2012.

A cyber attack against Iran’s Oil Ministry and several of its affiliates was also launched in April 2012, resulting in the wiping of information from hard disks at the ministry’s headquarters. Although both have expressly denied official involvement, the United States and Israel are believed to have been behind these attacks. Iran’s motivation can therefore be principally ascribed to revenge and self-defense.

Outlook

Given the nuclear accord between Iran and the West announced in July, Iran’s offensive cyber warfare program will likely grow. Having forsworn the pursuit of nuclear weapons, Iranian defense planners will likely advocate for the continuation of cyber attacks, as they are now the most effective means of conducting asymmetric warfare against superior forces like those of the United States and Israel. Like its financing of terrorist operations worldwide, Iran’s use of unofficial hacking networks provides the country the ability to strike against its enemies under the cover of deniability at relatively low cost.

Given the somewhat unrestrained nature of Iranian cyber attacks and their tendency to purposefully destroy valuable information of their victims, this may become a major source of conflict in the near future.