Tehran, its allies and sympathizers have returned to launching a diverse array of cyberattacks targeting U.S. interests.
These attacks began reemerging in May 2018 following the Trump administration’s unilateral withdrawal from the Joint Comprehensive Plan of Action (JCPOA), also known as the Iran Nuclear Deal.
Until that moment, Iran-aligned hackers had significantly reduced their cyber operations against the U.S. and its allies since the agreement was signed by the five permanent members of the UN Security Council plus Germany (P5+1) in July 2015.
Washington’s subsequent implementation of the “Maximum Pressure” campaign—embodied by economic sanctions and military operations—further galvanized Iran and its friends to confront the American challenge in cyberspace (alongside the traditional domains).
Indeed, Washington’s recent assassination of IRGC Qods Force General Qassem Soleimani via drone strike on January 2 accelerated the pace of Iran-aligned cyber attacks targeting government institutions (federal, state, and local), critical infrastructure, and financial organizations of the United States and its Middle East allies.
For example, within a week of Soleimani’s assassination, Texas’s state government alone detected a surge of 10,000 attempted attacks per minute on statewide infrastructure believed to originate from Iran.
Absent a diplomatic breakthrough, Tehran’s record in the cyber domain suggests that the Iranians and their vast network of regional allies and sympathizers will continue attacking U.S. interests in cyberspace, in alignment with the Islamic Republic’s larger military doctrine of imposing a cost on Washington for its crippling sanctions and military escalations.
So how does Iran deliver such costs to the United States in cyberspace?
According to a history of well-documented attacks, Iran-aligned hackers have already begun to engage in most of the following five forms of cyber operations (ordered from least to most destructive).
1. Online Vandalism
During times of great tension between the United States and Iran, hacktivists sympathetic to the Islamic Republic deface American websites and social media profiles with political messaging. The purpose is to inflict embarrassment, confusion, and cosmetic damage on the targets.
A slew of Iran-aligned online vandalism occurred within twenty-four hours of Soleimani’s assassination when hacktivist groups began attacking hundreds of webpages of organizations associated with the U.S. government.
The Iran Cyber Security Group, for instance, successfully defaced the Federal Depository Library Program site (fdlp.gov), a program operated by the U.S. federal government to provide public access to government publications. The attack was the most notable of the recent defacements because it highlighted the hackers’ ability to penetrate federal cyber defenses and compromise a U.S. government domain (.gov).
In the FDLP defacement—like many others—hackers posted Islamic Republic propaganda on the homepage praising Soleimani’s martyrdom, and an image of President Donald Trump bloodied by a punch from an IRGC guardsman.
Although the damage caused by website defacements is generally negligible, Iranian online vandalism does have the ability to cause short-term monetary damage.
In April 2013, for example, the Syrian Electronic Army (SEA)—a group widely believed to have been developed by, and closely partnered with, Iranian government cyber operatives—hacked AP’s Twitter account and falsely claimed that two explosions had hit the White House and injured former U.S. President Barack Obama. As a result, the U.S. stock market briefly dipped by $136 billion.
Of course, Iranian hacktivists will not limit their attacks to online vandalism if they can allocate their efforts toward operations that yield financial benefit.
2. Ransomware
Ransomware is a kind of cyber attack in which the hacker infects a target’s computer(s) with malware that encrypts its data, making it inaccessible to the user. The attacker then extorts the target, threatening to delete the sensitive data or publish it online unless the ransom is paid in cryptocurrency, mainly Bitcoin.
Iranian hackers are exceptionally skilled at ransomware attacks. In an almost three-year campaign beginning in December 2015, two independent Iranian hackers deployed the notorious SamSam ransomware against over 200 American organizations, seizing more than $6 million in ransoms and causing over $30 million in damages.
The hackers’ most notable breaches include local governments, like the City of Atlanta; critical infrastructure, like the Port of San Diego; as well as prominent hospitals and universities.
Tehran may be able to increase the number of ransomware attacks on U.S.-aligned organizations by signaling (tacitly or otherwise) that it will turn a blind eye to such hacktivist-led attacks. Independent hackers would then have free rein to compromise the infrastructure of U.S.-aligned organizations and seize their funds without fear of punishment.
But the Iranian government can also launch its own ransomware attacks, given how inexpensive such malware is to purchase on the dark web, let alone to develop in-house. According to some analyst reports, the recent Snake ransomware that emerged in late 2019 can be attributed to Iranian state-sponsored actors.
Snake targets critical infrastructure by attacking industrial control system (ICS) technology. Bahrain’s national oil company, Bapco—a target of previous Iran-aligned attacks given the country’s close relationship with the U.S.—is believed to have been hit by Snake. If the reports are true, it would mean Iran-aligned hackers may be capable of holding some critical infrastructure of U.S.-aligned states for ransom.
3. Distributed Denial of Service (DDoS)
Historically, however, Iran’s most financially destructive cyber attack against U.S. institutions has been denying major American financial institutions the ability to operate online.
Using Distributed Denial of Service (DDoS) attacks, hackers flood public-facing servers with traffic, exhausting the bandwidth of the very infrastructure that supports online exchange between the institution’s services and its customers and thwarting their ability to carry out necessary business transactions.
Between 2011 and 2013, Tehran launched a major DDoS operation against nearly fifty major financial institutions, including Bank of America, JP Morgan Chase, and Citigroup.
The operation disabled their online services for a relatively short period of time, but it resulted in tens of millions of dollars in remediation costs alone for the affected institutions and an even greater, unknown sum in lost business transactions.
4. Targeted Intrusion
Perhaps the Iranian government’s most utilized cyber operation is espionage via targeted intrusion. Hackers leverage targeted intrusions to penetrate an organization’s infrastructure and remain undetected inside it for long periods of time. From within the victim’s environment, hackers monitor, seize, and destroy data.
According to the cyber security company Cylance, Iran is the “new China” in terms of global cyber espionage, with operations spanning various industries around the world.
One of the most notable Iran-aligned targeted intrusions took place in fall 2012, when the Iranians appeared to hack into the Navy Marine Corps Intranet (NMCI), the U.S. Navy’s unclassified administrative network, and spied on the network for nearly four months. NMCI is the world’s largest corporate intranet, with over 800,000 users and 2,500 sites.
The following year, IRGC-aligned hackers penetrated the industrial control systems of a New York dam and obtained information related to controlling water levels and flow rates.
Looking at post-JCPOA operations, the cyber security company CrowdStrike identified an uptick in activity from Islamic Republic-aligned hacking groups since summer 2019. Many of Iran’s targeted intrusions appear to be discovered by private cyber security firms working with affected organizations and never become public knowledge.
Therefore, great uncertainty remains in understanding both the quantity and severity of organizations compromised by Iran-aligned espionage activities.
5. Wipers
Perhaps the most alarming aspect of targeted intrusions is that once hackers are inside the target’s IT environment, they can launch a wiper, a kind of malware that destroys large swathes of data and infrastructure by overwriting (or wiping) the hard drives of the infected computers.
Wipers are perhaps Iran’s most destructive publicly known cyber threat. In 2012, Iran-aligned attackers launched Shamoon, one of the most destructive wiper attacks on record, against Saudi Aramco. The attack destroyed approximately 35,000 computers and caused dozens of hours of downtime—leading to millions of dollars in damages and lost revenue.
Then in May 2018, following President Trump’s unilateral withdrawal from the JCPOA, a new variant of Shamoon destroyed files on approximately ten percent of the computers of the Italian company Saipem, which were supporting Saudi Aramco’s drilling and pipeline operations.
Wiper attacks have continued into 2019 and beyond with the likes of ZeroCleare and Dustman. Both targeted multiple energy companies of U.S. allies in the Middle East, resulting in unknown financial losses likely in the tens of millions of dollars (at least).
What is important to note in all these instances is that the wiper was employed at the tail end of an existing espionage campaign. Therefore, given that Iran-aligned actors are already clandestinely rummaging through the environments of dozens of major organizations around the world, when Iran decides to respond in cyberspace, it likely has its pick of which company, industry, and country to hit with a wiper.
The Trump administration’s unilateral withdrawal from the Iran Nuclear Deal and subsequent implementation of the Maximum Pressure campaign galvanized the Iranians and their vast network of regional allies and sympathizers to respond in cyberspace. Such Iran-aligned actors, looking to impose a cost on the United States for its economic sanctions and military escalations, will increase their diverse set of attacks in the absence of a diplomatic breakthrough.
Michael Esfahani is an independent Middle East security analyst focusing on geopolitics, military dynamics, and cyber warfare in the region. He has an M.A. in Strategic Studies and International Economics from Johns Hopkins University (SAIS). He currently works for a prominent cyber security software company in Silicon Valley. All views are his own. Follow him @mesfahan.