The Iranian Cyber Threat


History of Iranian Cyber Attacks and Incidents

The asymmetric nature of the cyberwarfare domain has enabled Iran to carry out some of the most sophisticated and costly cyber attacks in the history of the internet age. As Iran’s capabilities have expanded, driven by increased investment over the past decade since the Stuxnet attack on Iran’s nuclear facilities, Iran’s malign activities in the offensive cyber realm have evolved and advanced. Iran has kept up a steady drumbeat of lower-level attacks against the U.S., its allies, and regime opponents at home and abroad, some successful and others thwarted. The most common publicly known attacks include simple website defacements, online disinformation campaigns to push pro-Iranian regime and anti-U.S. narratives, distributed denial of service (DDoS) attacks, and theft of personally identifiable information and intellectual property. At times, Iran has pushed the envelope, launching attacks using destructive wiper malware that crippled entire computer networks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) within DHS notes that according to open-source reporting, numerous offensive cyber operations have been attributed or are alleged to be the work of the Iranian government, or at least Iranian actors working in conjunction with or with the approval of the regime. According to CISA, Iran’s cyber attacks have targeted sectors including “financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.” While many Iranian attacks are destructive in nature, others are conducted for purposes of espionage and intellectual property theft, designed to give Iran insights into its adversaries’ strategic planning or to improve its own industrial or military capabilities in the face of sanctions.  

The following accounting of the most significant Iranian cyber attacks, either attempted or completed, shows the evolution in Iran’s increasingly sophisticated and bold cyberwarfare activities. The incidents recounted also give an indication of how cyberwarfare fits into Iranian statecraft and national security strategy. Even at times of relative stability or low tensions, Iran has still been active in the cyber domain. Iran’s cyber activities tend to escalate in response to provocations and heightened tensions. On occasion, Iran has resorted to crude, quick strikes when it has sought to respond immediately to a provocation, such as the imposition of new sanctions. Other Iranian malign cyber activities, particularly those of its primary hacker collectives, have demonstrated slow and methodical planning involving the strategic selection of targets, the development of custom malware, and protracted periods of infiltration before the deployment of its cyberweapons.

According to the Carnegie Endowment report, “While the Iranian hacking scene emerged in the early 2000s, there is little evidence of state-aligned cyber activities before 2007.” The earliest impetus for malign offensive Iranian cyber activities was the June 2009 Iranian presidential election, which witnessed the re-election of Mahmoud Ahmadinejad amid widespread, credible allegations of fraud by Iran’s revolutionary regime. The contested election spurred the rise of the opposition Green Movement and marked a perilous period for Iran’s government as its legitimacy increasingly came into question.

The internet and social media were central to the Green Movement’s mass mobilization efforts, and the Iranian government subsequently went to war against websites and platforms affiliated with the opposition movement or seen as enabling its ongoing communications and supporting its messaging. Between December 2009 and mid-2011, a group calling itself the Iranian Cyber Army launched a campaign of website defacements targeting sites seen as sympathetic to the Green Movement, replacing their homepages with graphics and messages in support of the Iranian regime. The Iranian Cyber Army is nominally a collective of independent hackers whose aims and ideology are in lockstep with the Iranian government’s, but given the regime’s tight controls over the cyber realm, its activities are believed to be overseen by the IRGC’s intelligence apparatus.

Among the group’s targets was Twitter, whose homepage the group hacked and defaced in December 2009 with pro-Iranian and anti-U.S. messages. A month later, the group carried out a similar attack on China’s primary search engine, Baidu. In February 2011, the Iranian Cyber Army claimed credit for a similar attack on the Voice of America’s homepage. Other targets included websites and news outlets affiliated with Iranian opposition elements, including Mowjcamp, Radio Zamaneh, Amir Kabir Newsletter, Jaras, and the MOBY Group.

The Iranian Cyber Army’s attacks during this phase were primitive, but still potentially destructive. They did not rely on technical breaches of infrastructure at the sites themselves, but on social engineering that exploited weaknesses at the sites’ domain registrars, the companies that manage the sites’ domain name registrations. The Iranian Cyber Army’s attacks, a form of domain name system (DNS) hijacking, involved impersonating employees at the respective websites with the requisite levels of access to the site’s control panels, contacting the domain registrar in order to obtain passwords, and then hijacking pages and redirecting site traffic to pages containing the pro-Iranian propaganda. Control over a site’s DNS records would enable hackers to redirect and intercept traffic meant for the site, but in these instances, it appears no data was compromised and the attacks merely hijacked control of the sites for limited periods for propagandistic purposes.

Following the 2010 Stuxnet attack on Iran’s nuclear program, Iran rapidly began investing in and improving its offensive cyberwarfare capabilities, which ushered in increasingly sophisticated attacks. In September 2011, an Iranian hacker (or hackers) claimed credit for an attack that compromised the Dutch certificate authority DigiNotar and issued fraudulent security certificates, the credentials that tell a web browser that the site it is visiting is the site the user intended to visit. The hack effectively gave Iran the ability to access the Gmail accounts and spy on the encrypted communications of 300,000 Iranian users. The attack was claimed by a hacker who said he had acted alone and had chosen to help his government monitor the communications of his fellow citizens, yet it appears that Iranian intelligence was involved as well. The UK Government Communications Headquarters (GCHQ) provided a post-mortem account of the DigiNotar event in which it alleged that an “Iranian intelligence agency added a specific rule in an internet router that forced Google’s traffic through an alternative route inside the country.”

Having cut their teeth responding to the internal threats to national cohesion and stability represented by the Green Movement, Iran’s cyber threat actors would go on to adapt an offensive cyber posture geared toward confronting the regime’s internal and foreign adversaries concurrently. The same infrastructure and cyberweaponry used against the Iranian opposition would also be turned against the U.S. and its allies. 

The earliest incidents of major external Iranian cyber attacks were initially reported in the summer of 2012. In July 2012, security firms Kaspersky Lab and Seculert uncovered an Iranian cyber espionage campaign, relying on spyware called Madi, ongoing since December 2011 that affected 800 victims over the course of a year. The campaign primarily targeted business executives in the fields of critical infrastructure and financial services, as well as Middle Eastern government officials and embassy staff. Of those targeted, 387 were in Iran itself, 54 in Israel, and the rest scattered around the Middle East and Afghanistan. The campaign relied on crude spear-phishing tactics. Those affected clicked on PDF or Microsoft PowerPoint attachments or links to news articles. Once the users opened the malicious files, a Trojan spying program called Madi would be secretly loaded onto their computers. Remote attackers would then be able “to swipe sensitive files from infected Windows computers, monitor email and instant messages exchanges, record audio, log keystrokes, and take screenshots of victims' activities.” Based on the code used, the researchers who uncovered the Madi campaign characterized the hackers’ tradecraft as “amateurish and rudimentary,” yet effective.

Iran followed up the Madi campaign with a major offensive cyber operation targeting the U.S. banking sector, heralding the Islamic Republic’s arrival as a major cyberwarfare actor. Beginning in December 2011, an Iranian hacking group calling itself the Izz ad-Din al-Qassam Cyber Fighters began laying the groundwork for a series of distributed denial of service (DDoS) attacks against U.S. financial institutions. In March 2016, the U.S. Department of Justice unsealed an indictment against “seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps,” responsible for carrying out the series of attacks. The indictment offered a rare glimpse into Iran’s modus operandi with regard to cyber attacks, demonstrating the IRGC’s penchant for using multiple contractors, each with its own set of objectives in an attack. According to a leaked National Security Agency briefing document obtained by the Intercept, the agency picked up signals intelligence stating explicitly that the campaign was conducted to retaliate against the U.S.’s cyber attacks on Iran’s nuclear facilities, and that senior officials in the Iranian regime were aware of the attack.

The first phase of the campaign, named Operation Ababil, involved the culprits exploiting vulnerabilities in the software of thousands of websites in order to pool bandwidth, which they then used to overwhelm their targets. After a few sporadic DDoS attacks, in September 2012, the campaign began in earnest and would continue in phases until July 2013, by which time the major players in the financial sector had shored up their defenses, causing the campaign to fade away. Ultimately, the culprits targeted 46 primarily financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC, deluging their servers with up to 140 gigabits of data per second, far exceeding their capacity and thereby preventing customers from logging into their online bank accounts. The group’s DDoS attacks occurred in waves on 176 distinct days, costing the affected institutions tens of millions of dollars in remediation costs as they worked to counter the attacks.

One of the co-conspirators in Operation Ababil was additionally indicted for allegedly hacking into the control system of a dam in upstate New York between August 28 and September 21, 2013. The level of access he had obtained would have allowed him to operate the dam’s sluice gate, responsible for regulating water levels and flow rate. However, the dam’s sluice gate had been manually disconnected at the time of the intrusion for maintenance. This incident was alarming, as it demonstrates Iran’s ability and desire to access industrial control systems, as well as the vulnerabilities posed by the thousands of soft sites around the country that could potentially be manipulated, leading to potential loss of life.

Iran has at times directed cyber operations against U.S. allies as well, with the most significant attacks targeting Saudi Arabia. In addition to being in a state of cold war with Saudi Arabia for regional dominance, targeting American allies is a way for Iran to strike an indirect blow against U.S. interests that is less likely to provoke an American response. In 2012 and then again in late 2016 and early 2017, Iranian-origin malware called Shamoon targeted the Saudi Arabian government and private sector. The Shamoon malware works by overwriting computers’ master boot record, making it impossible for them to start back up.

The initial 2012 Shamoon attack targeted Saudi Aramco, a company responsible for 10% of the world’s oil supply at the time. The groundwork for the attack was laid mid-year, when an Aramco computer technician opened a spam email and clicked on a malicious link. On August 15, 2012, the actual cyber attack commenced, and the malware began deleting and overwriting the data on around 30,000 computers. Affected computers were effectively “bricked,” and reportedly displayed images of a burning American flag. The attacks were timed to coincide with Ramadan, when most workers would be absent, to allow the malware the maximum time to work unimpeded. The malware only infiltrated office computers and did not impact systems dealing with technical operations. Still, it ground services to a halt, as office workers resorted to communicating with typewriters and fax machines and gasoline refill trucks were turned away with no way to process payments. To mitigate the damage, Aramco purchased 50,000 hard drives, paying higher prices to cut the line and buy all the hard drives on the manufacturing line at several Southeast Asian factories.

The U.S. intelligence community has attributed the Aramco attack to Iran. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, posting a missive online that blamed the “Al-Saud corrupt regime” for using its oil resources to fund “crimes and atrocities” in Middle Eastern countries. The attack was believed to be retaliation for a similar attack that targeted Iran’s oil ministry and National Iranian Oil Company in April 2012. That attack used malware called Wiper to erase hard drives before vanishing. The Shamoon attack demonstrated an Iranian capability to learn from attacks against it and weaponize tactics that were initially used on Tehran.

Between November 2016 and January 2017, a variant of Shamoon re-emerged and was used in attacks that deleted databases and files on dozens of public and private computer networks in Saudi Arabia. Among the entities struck were the General Authority of Civil Aviation, the Ministry of Labor, and the Saudi Central Bank. In the second wave of Shamoon attacks, files were overwritten with images of a three-year-old drowned Syrian refugee, hinting at the hackers’ motivations.

In 2014, Iranian “hacktivists” carried out a data deletion attack against the network of a Las Vegas casino owned by Sheldon Adelson, an outspoken opponent of Iran’s nuclear program. In March 2018, federal prosecutors unsealed indictments against nine Iranians accused of carrying out cyber attacks on behalf of the IRGC who stole data for financial gain from “144 American universities, 36 American companies and five American government agencies,” as well as 176 universities across 21 foreign countries.

In August 2018, Facebook and Twitter purged hundreds of Iran-based groups and accounts that appeared to be part of a coordinated, inauthentic effort linked to Iranian state media to spread political content on four different continents, including in the United States. The unusual activity was detected by a private cybersecurity firm called FireEye, which alerted the social media companies. In a statement, FireEye said, “This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests.” The inauthentic pages sought to back Iranian foreign policy imperatives, and featured content that was pro-Iranian and pro-Palestinian, or anti-American, anti-Israeli, and anti-Saudi. Many pages reportedly promoted Quds Day, the Iranian regime-sponsored global day of protest against Israel.

In July 2018, Germany’s domestic intelligence service found that Iranian cyber attacks targeting “the German government, dissidents, human rights organizations, research centers and the aerospace, defense and petrochemical industries” have been growing since 2014. The efficacy of the Iranian cyber attacks on Germany led the report’s authors to conclude that the operations are initiated and guided by intelligence agencies.

In 2019, Iran engaged in a campaign of stepped up malign activities around the region as the Trump administration’s “maximum pressure” campaign increasingly took effect, harming Iran’s economy. As part of its campaign, Iran also stepped up its malign cyber activities. In June 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned, “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. … Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing.”

In July 2019, U.S. Cyber Command tweeted that it had discovered active misuse of a bug in Microsoft Outlook. FireEye traced the activity to a threat group called APT33, which is allegedly working at the behest of the Iranian government as part of a coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.”

In November 2019, a Microsoft researcher presented findings that the Iranian hacking group APT33, the group behind the 2012 Shamoon attacks on Saudi Aramco, had undergone a dangerous evolution and shifted focus, moving away from attacks targeting IT networks in favor of efforts to infiltrate industrial control systems used in electric utilities, manufacturing, oil refineries, and related critical infrastructure. The researcher found that over the course of a year, APT33 had launched crude password-spraying attacks at tens of thousands of targets, but in recent months had narrowed its focus to 2,000 organizations per month while increasing the number of accounts targeted at each organization ten-fold. The effort indicates that the group is seeking a foothold that would enable it to launch disruptive physical attacks at a time of its choosing.
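Password spraying, named in the CISA warning above and in the Microsoft findings on APT33, has a distinctive shape in authentication logs: one source touches many accounts with only one or two failed attempts each, which stays under per-account lockout thresholds that would catch a conventional brute-force attempt against a single account. The following is an added example, not code from the report or from any of the organizations it cites, showing how a defender can separate the two patterns with a sliding-window count over login events. The log format, the field names, the thresholds, and the sample lines are all constructed for this example.

```python
"""Distinguish password spraying from single-account brute force in auth logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report). The format is an
# assumption for this example: "<ISO-8601 time> <source IP> <username> <SUCCESS|FAIL>".
# 203.0.113.7 sprays one guess across many accounts and finally lands on "grace";
# 198.51.100.9 hammers a single account; 192.0.2.44 is an ordinary user typo.
SAMPLE_LOG = """\
2019-11-01T08:00:01Z 203.0.113.7 alice FAIL
2019-11-01T08:00:03Z 203.0.113.7 bob FAIL
2019-11-01T08:00:05Z 203.0.113.7 carol FAIL
2019-11-01T08:00:07Z 203.0.113.7 dave FAIL
2019-11-01T08:00:09Z 203.0.113.7 erin FAIL
2019-11-01T08:00:11Z 203.0.113.7 frank FAIL
2019-11-01T08:00:13Z 203.0.113.7 grace SUCCESS
2019-11-01T08:01:00Z 198.51.100.9 alice FAIL
2019-11-01T08:01:02Z 198.51.100.9 alice FAIL
2019-11-01T08:01:04Z 198.51.100.9 alice FAIL
2019-11-01T08:01:06Z 198.51.100.9 alice FAIL
2019-11-01T08:01:08Z 198.51.100.9 alice FAIL
2019-11-01T08:01:10Z 198.51.100.9 alice FAIL
2019-11-01T09:30:00Z 192.0.2.44 bob FAIL
2019-11-01T09:30:20Z 192.0.2.44 bob SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    source: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into AuthEvent records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(when, src, user, result == "SUCCESS"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures inside any `window` touch at least `min_users`
    distinct accounts while never exceeding `max_per_user` failures on any one
    account: breadth across accounts, not depth on one. Returns {source: [users]}."""
    by_source = defaultdict(list)
    for e in events:
        if not e.success:
            by_source[e.source].append(e)
    findings = {}
    for src, fails in by_source.items():
        fails.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end].when - fails[start].when > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(per_user)
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """Complementary pattern: many failures on one (source, account) pair inside
    `window`. Returns {(source, user): failures_in_window}."""
    by_pair = defaultdict(list)
    for e in events:
        if not e.success:
            by_pair[(e.source, e.user)].append(e.when)
    findings = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                findings[pair] = end - start + 1
    return findings


def successes_after_spray(events, spray_findings):
    """Accounts on which a spraying source later authenticated successfully; these
    are the likely compromised credentials and the first thing to reset."""
    return [(e.source, e.user) for e in events if e.success and e.source in spray_findings]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    print("spray sources:", sprays)
    print("brute force:", detect_brute_force(evs))
    print("successful logins from spraying sources:", successes_after_spray(evs, sprays))
```

The two detectors deliberately look at different keys: the spray detector groups by source only and rejects windows where any single account accumulates more than a couple of failures, while the brute-force detector groups by (source, account). Tuning `min_users` and `max_per_user` to an environment's lockout policy matters, because an attacker pacing one guess per account per lockout period will still show up as breadth across accounts even when no account ever locks. In practice the per-source key would also be widened to cover rotating source addresses (for example, by user-agent or by the set of targeted accounts), which this example leaves as a follow-up.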

In December 2019, IBM researchers announced they had discovered a new form of malware, dubbed “ZeroCleare,” that is believed to have been created by the Iranian hacking collective APT34, a group with ties to the government. The malware was reportedly used in data deletion attacks on unnamed Middle Eastern energy and industrial companies in the preceding months. On December 29, 2019, the day the U.S. struck Iran-backed militia targets in Iraq in retaliation for earlier rocket attacks, Saudi cybersecurity officials detected a rapid effort to deploy a cyber attack using malware they nicknamed “Dustman.” The target of the attack was subsequently revealed to be Bapco, Bahrain’s state petroleum organization. The malware was highly similar to the “ZeroCleare” malware discovered earlier in the month, leading experts to conclude that Tehran was the likely culprit.

Following the January 2020 drone strike that killed IRGC Quds Force commander Qassem Soleimani, Iran-based attempts to hack U.S. federal, state and local government websites jumped 50% and nearly tripled worldwide. In February 2020, Reuters and Certfa exposed an Iranian hacking attempt—through Charming Kitten—targeting Israeli academics and researchers who study Iran. Hackers posed as prominent journalists who cover Iran, and asked for email credentials to preview interview questions all in an attempt to penetrate their targets’ accounts.

As the world has struggled to respond to the COVID-19 pandemic, Iran has been one of the hardest-hit nations, driven in large part by various missteps taken by the regime. Despite facing an unprecedented public health crisis, Iran has continued its malign cyber activities unabated. At a press conference on March 20, 2020, Secretary of State Pompeo asserted that Russia, China, and Iran are carrying out online disinformation campaigns to stoke fear and discord in the U.S. On April 2, Reuters reported that hackers working in the interest of the Iranian government had since early March used advanced phishing techniques to try to steal the email passwords of staff members at the World Health Organization, presumably to gain access to intelligence that would aid in the fight against the coronavirus. Analysts believe the hackers were tied to Tehran, as the malicious websites used to deceive the staffers were previously used in a campaign targeting American academics with connections to Iran. Similar incidents were reported in which Iranian hackers allegedly targeted British universities researching coronavirus vaccines as well as U.S. pharmaceutical company Gilead Sciences Inc. That’s not to mention reports of an attempted Iranian cyber attack on Israeli civilian water infrastructure in the middle of a pandemic. Cybersecurity researchers also revealed that Iranian hackers had been launching cyber attacks involving ransomware, hitting 80 Israeli firms at the end of 2020. The Iranian hackers, known as Pay2Key, also claimed to have penetrated Israel Aerospace Industries. These incidents highlight that the Iranian cyber threat adds additional layers of insecurity at a time of international crisis.

U.S. authorities also alleged that Tehran engaged in electoral interference during the 2020 U.S. presidential election, by obtaining voter registration data, and sending spoofed emails designed to intimidate voters and undermine confidence in U.S. democratic institutions. In December 2020, the FBI found that Iran had been behind a website called “Enemies of the People,” which exploited claims of voter fraud in the United States to incite “lethal violence” against the FBI director, a former U.S. cybersecurity official, and state election officials who were involved in refuting the claims. The website posted these officials’ home addresses and other personal information. These incidents demonstrate the growing investment Tehran is making in these kinds of operations, which target the United States.