The Iranian Cyber Threat

Major Attacks on U.S. Banks and Casino

Iran followed up the Madi campaign with a major offensive cyber operation targeting the U.S. banking sector, heralding the Islamic Republic’s arrival as a major cyberwarfare actor. Beginning in December 2011, an Iranian hacking group calling itself the Izz ad-Din al-Qassam Cyber Fighters began laying the groundwork for a series of Dedicated Denial of Service (DDoS) attacks against U.S. financial institutions. In March 2016, the U.S. Department of Justice unsealed an indictment against “seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps,” responsible for carrying out the series of attacks. The indictment offered a rare glimpse into Iran’s modus operandi with regard to cyber attacks, demonstrating the IRGC’s penchant for using multiple contractors each with their own set of objectives in an attack. According to a leaked briefing document of the National Security Agency obtained by the Intercept, the agency picked up signals intelligence stating explicitly that the campaign was conducted to retaliate against the U.S.’s cyber attacks on Iran’s nuclear facilities, and that senior officials in the Iranian regime were aware of the attack.

The first phase of the campaign, named Operation Ababil, involved the culprits exploiting vulnerabilities in the software of thousands of websites in order pool bandwidth, which it then used to overwhelm their targets. After a few sporadic DDoS attacks, in September 2012, the campaign began in earnest and would continue in phases until July 2013, by which time, the major players in the financial sector had shored up their defenses, leading to the campaign fading away. Ultimately, the culprits hacked into the servers of 46 primarily financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC, deluging them with up to 140 gigabits of data per second, far exceeding their capacity and thereby denying customers from logging into their online bank accounts. The group’s DDoS attacks occurred in waves on 176 distinct days, costing the affected institutions tens of millions of dollars in remediation costs as they worked to counter the attacks.

Following the DDoS campaign against U.S. banks, Iranian “hacktivists” carried out a data deletion attack against the network of a Las Vegas casino owned by Sheldon Adelson, an outspoken opponent of Iran’s nuclear program. Personal computers and servers operating on the casino’s network shut down and had their hard drives wiped clean, disrupting the casino’s operations. The attack destroyed three-quarters of the casino’s servers and the costs of data recovery and rebuilding IT infrastructure were estimated at $40 million. Cyber security researchers determined based on the scale and sophistication that the attack could not have been achieved without government knowledge or backing.

Shamoon

Iran has at times directed cyber operations against U.S. allies as well, with the most significant attacks targeting Saudi Arabia. In addition to being in a state of cold war with Saudi Arabia for regional dominance, targeting American allies is a way for Iran to strike an indirect blow against U.S. interests that is less likely to provoke an American response. In 2012 and then again in late 2016 and early 2017, Iranian-origin malware called Shamoon targeted the Saudi Arabian government and private sector. The Shamoon malware works by overwriting computers’ master book record, making it impossible for them to start back up. 

The initial 2012 Shamoon attack targeted Saudi Aramco, a company responsible for 10% of the world’s oil supply at the time. The groundwork for the attack was laid mid-year, when an Aramco computer technician opened a spam email and clicked on a malicious link. On August 15, 2012, the actual cyber attack commenced, and the malware began deleting and overwriting the data on around 30,000 computers. Affected computers were effectively “bricked,” and reportedly displayed images of a burning American flag. The attacks were timed to coincide with Ramadan, when most workers would be absent to allow the malware the maximum time to work unimpeded. The malware only infiltrated office computers and did not impact systems dealing with technical operations. Still, it grounded services to a halt, as office workers resorted to communications with typewriters and fax machines and gasoline refill trucks were turned away with no way to process payments. To mitigate the damage, Aramco purchased 50,000 hard drives, paying higher prices to cut the line and buy all the hard drives on the manufacturing line at several Southeast Asian factories.   

The U.S. intelligence community has attributed the Aramco attack to Iran. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, posting a missive online that blamed the “Al-Saud corrupt regime” for using its oil resources to fund “crimes and atrocities” in Middle Eastern countries. The attack was believed to be retaliation for a similar attack that targeted Iran’s oil ministry and National Iranian Oil Company in April 2012. That attack used malware called Wiper to delete hard drives before vanishing. The Shamoon attack demonstrated an Iranian capability to learn from attacks against it and weaponize tactics that were initially used on Tehran. 

Between November 2016 and January 2017, a variant of Shamoon re-emerged, and was used in attacks that deleted databases and files on dozens of public and private computer networks in Saudi Arabia. Among the entities struck was the General Authority of Civil Aviation, the Ministry of Labor, and the Saudi Central Bank. In the second wave of Shamoon attacks, files were overwritten with images of a 3-year old drowned Syrian refugee, hinting at the hackers’ motivations.

2018 to Today

In August 2018, Facebook and Twitter purged hundreds of Iran-based groups and accounts that appeared to be part of a coordinated, inauthentic effort linked to Iranian state media to spread political content on four different continents, including in the United States. The unusual activity was detected by a private cybersecurity firm called FireEye, which alerted the social media companies. In a statement, FireEye said, “This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests.” The inauthentic pages sought to back Iranian foreign policy imperatives, and featured content that was pro-Iranian and pro-Palestinian, or anti-American, anti-Israeli, and anti-Saudi. Many pages reportedly promoted Quds Day, the Iranian regime-sponsored global day of protest against Israel.

In July 2018, Germany’s domestic intelligence service found that Iranian cyber attacks targeting “the German government, dissidents, human rights organizations, research centers and the aerospace, defense and petrochemical industries” have been growing since 2014. The efficacy of the Iranian cyber attacks on Germany led the report’s authors to conclude that the operations are initiated and guided by intelligence agencies.

In 2019, Iran engaged in a campaign of stepped up malign activities around the region as the Trump administration’s “maximum pressure” campaign increasingly took effect, harming Iran’s economy. As part of its campaign, Iran also stepped up its malign cyber activities. In June 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned,

CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. … Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing.

In July 2019, U.S. Cyber Command tweeted that they discovered active misuse of a bug in Microsoft Outlook. FireEye traced the activity to a threat group called APT33, which is allegedly working at the behest of the Iranian government as part of a coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.” 

In November 2019, a Microsoft researcher presented findings that the Iranian hacking group APT 33, the group behind the 2012 Shamoon attacks on Saudi Aramco, has undergone a dangerous evolution and shifted focus, moving away from attacks targeting IT networks in favor of efforts to infiltrate industrial control systems used in electric utilities, manufacturing, oil refineries, and related critical infrastructure. The researcher found that over the course of a year, APT 33 had launched crude password-spraying attacks at tens of thousands of targets, but in recent months, had narrowed focus to 2000 organizations per month while increasing the amount of accounts targeted at each organization ten-fold. The effort indicates that the group is seeking a foothold that would enable it to launch disruptive physical attacks at a time of its choosing. 

In December 2019, IBM researchers announced they had discovered a new form of malware, dubbed “ZeroCleare,” that is believed to have been created by Iranian hacking collective APT 34, a group with ties to the government. The malware was reportedly used in data deletion attacks on unnamed Middle Eastern energy and industrial companies in the preceding months. On December 29, 2019, the day the U.S. struck Iran-backed militia targets in Iraq in retaliation for earlier rocket attacks, Saudi cybersecurity officials detected a rapid effort to deploy a cyber attack using malware it nicknamed “Dustman.” The target of the attack was subsequently revealed to be Bapco, Bahrain’s state petroleum organization. The malware was highly similar to the “ZeroCleare” malware discovered earlier in the month, leading experts to conclude that Tehran was the likely culprit.

Following the January 2020 drone strike that killed IRGC Quds Force commander Qassem Soleimani, Iran-based attempts to hack U.S. federal, state and local government websites jumped 50% and nearly tripled worldwide. In February 2020, Reuters and Certfa exposed an Iranian hacking attempt—through Charming Kitten—targeting Israeli academics and researchers who study Iran. Hackers posed as prominent journalists who cover Iran, and asked for email credentials to preview interview questions all in an attempt to penetrate their targets’ accounts.

As the world has struggled to respond to the COVID-19 pandemic, Iran has been one of the hardest-hit nations, driven in large part to various missteps taken by the regime. Despite facing an unprecedented public health crisis, Iran has continued its malign cyber activities unabated. At a press conference on March 20, 2020, Secretary of State Pompeo asserted that Russia, China, and Iran are carrying out online disinformation campaigns to stoke fear and discord in the U.S. On April 2, Reuters reported that hackers working in the interest of the Iranian government have since early March used advanced phishing techniques to try and steal the email passwords of staff members at the World Health Organization, presumably to gain access to intelligence that would aid in the fight against the coronavirus. Analysts believe the hackers were tied to Tehran as the malicious websites used to deceive the staffers were previously used in a campaign targeting American academics with connections to Iran. Similar incidents were reported, where Iranian hackers allegedly targeted British universities researching coronavirus vaccines as well as U.S. pharmaceutical company Gilead Sciences Inc.

In April 2020, suspected Iranian actors undertook an unprecedented campaign of cyber terrorism, attacking industrial control systems with the aim of injuring or killing Israeli civilians. Israeli media reported that six Israeli water facilities were targeted by Iranian hackers, causing irregularities in the operations of infrastructure and control systems at wastewater treatment plants, pumping stations, and sewage facilities that were detected in time to prevent a catastrophic outcome. According to Israeli and western intelligence officials, the most severe attack involved Iranian-written code, routed through American and European servers to disguise its origin, being used to hack into the software systems that controlled the water pumps at a major Israeli water pumping station with the intent of increasing the chlorine levels of treated water that would make its way to Israeli homes. The sophisticated attack was ultimately thwarted, but if successful, it could have sickened hundreds of civilians or triggered fail-safe mechanisms that would have shut off water for residential and agricultural use during a heatwave for those who receive water from the affected facility.

The attacks highlighted the vulnerabilities facing internet-accessible industrial control systems, and Israel’s Water Authority subsequently ordered all facilities under its jurisdiction to update passwords to their control systems, reduce internet exposure, and ensure that all software is up-to-date. In particular, security researchers have found internet accessible human-machine interfaces to be a potentially vulnerable source of great risk at oil and gas, water, and power facilities. While major facilities tend to be well-protected, researchers have found that human-machine interfaces at some smaller and medium size facilities were susceptible to hacking. Once a malicious cyber actor gained remote access, they would be able to adjust critical inputs controlled by human operators, such as disabling alarms; starting, stopping, slowing down, or speeding up the operation of oil wells or gas pumps; or adjusting chemical levels in the water.

The head of Israel’s National Cyber Directorate warned after the April attacks that “cyber winter is coming and coming even faster than I suspected,” expressing concern that cyber attacks targeting civilian opulations would become increasingly commonplace now that Iran had breached a clear red line. For its part, the Iranian government denied culpability for the attacks on Israel’s water system, claiming that Iran’s cyber posture is purely defensive and that Iran could ill afford the blowback that would arise from trying to poison Israeli civilians. Iran’s official protestations showed how Iranian officials seek to make use of the degree of plausible deniability offered by the cyber realm. As noted earlier in this report, if the attacks were in fact the handiwork of an ostensibly “independent” Iranian hacker collective, major attacks by such groups are typically bankrolled and coordinated by the IRGC, so the regime bears ultimate responsibility.

The suspected Iranian cyber attacks on Israeli civilian water infrastructure touched off a cycle of tit-for-tat cyber attacks and reprisals between the two nations. In May 2020, Israeli officials revealed that then-Israeli Defense Minister Naftali Bennett greenlit a cyber attack that caused delays at a major Iranian port for several days. The Israeli reprisal was intended as a “knock on the door” to remind Iran of Israel’s cyber capabilities and deter future aggression and was calibrated to only cause economic damage rather than harming civilians.

During June and July 2020, Iran was beset by a series of unexplained explosions and fires at military facilities, missile production sites, petrochemical, and industrial complexes, and, most notably, the Natanz uranium enrichment nuclear facility. While the origins of these incidents remain officially undetermined and some may have indeed been accidental or due to natural causes, the volume of explosions and fires over a short period points to an Israeli campaign of deliberate sabotage to set back Iran’s nuclear program and malign regional activities. Israeli security officials cautioned that while “not every event that happens in Iran is necessarily related to us,” Israel is committed to preventing a nuclear armed Iran and, to that end, “we take actions that are better left unsaid.”

At least some of the explosions are believed to be the result of Israeli cyber attacks. Iranian officials blamed the most serious incident, the explosion at Natanz, which reportedly set Iran’s nuclear program back at least a year, on a cyber attack, although other regional officials and an IRGC member who had been briefed told the New York Times that the explosion was caused by a powerful bomb that was smuggled into the facility. In response to the military threats against its nuclear program, Iran has begun reconstituting the damaged building at Natanz underground “in the heart of the mountains,” according to the head of Iran’s Atomic Energy Organization. Iran’s hardening of the physical defenses of its nuclear program means that its adversaries will likely increasingly turn to cyber operations to try and set back Iran’s nuclear progress.

In June 2020, hackers again targeted Israeli water management facilities, attacking agricultural water pumps in the upper Galilee and central Israel. According to the Israeli Water Authority, "These were specific, small drainage installations in the agriculture sector that were immediately and independently repaired by the locals, causing no harm or any real-world effects.” While the attacks were not officially attributed to Iran, the similar nature of the attacks to the April 2020 attacks against Israel’s water infrastructure points to Iranian involvement.

In October 2020, Israeli cyber security firms Clear Sky and Profero reported that they had identified a campaign of ransomware attacks targeting prominent Israeli companies and organizations the previous month by a hacker collective called MuddyWater (sometimes also referred to as TEMP.Zagros, Static Kitten, or Seedworm). According to Microsoft researchers, MuddyWater “is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran's primary intelligence and military service.” The MuddyWater campaign involved exploiting vulnerabilities in the Windows operating system that the affected organizations had not patched yet, allowing hackers to effectively take over their internal networks. The hackers were then able to install malware -- reportedly a variant of Shamoon – that would encrypt the data on computers within the network, blocking users from accessing them. Typically, these attacks are known as ransomware, as hackers will demand payment to restore access to the network. In this instance, however, the hackers did not seek payment, indicating their motivation was primarily to disrupt the affected organizations by preventing them from regaining access to their data. The prioritization of harming Israeli companies over monetary gain suggests that MuddyWater’s motive was primarily ideological, buttressing the belief that its hacking is carried out at the directive of the Iranian regime. The campaign was ultimately thwarted due to intervention by Israel’s National Cyber Directorate, Clear Sky, and Profero.

Shortly after the revelation of the MuddyWater campaign, Iran reported that the country’s port authority and one other unnamed institution had been targeted by cyber attacks that caused significant disruption. State media blamed the attack on Iran’s “sworn enemies.”

Cybersecurity researchers then revealed in December 2020 that Iranian hackers had launched cyber attacks involving ransomware, hitting 80 Israeli firms in November and December of 2020. The Iranian operation, known as Pay2Key, appeared to have been the handiwork of a state-sponsored hacking collective known as Fox Kitten, the name given to collaborate between APT33 (Elfin, Magnallium, Holmium, and Refined Kitten) and APT34 (OilRig, Greenbug). The Pay2Key attacks targeted dozens of companies in Israel’s insurance, logistics, and industrial sectors, encrypting data on computers and workstations to make them unusable. Pay2Key also claimed to have penetrated the Israeli Aerospace Industries.

Pay2Key would, in some instances, issue taunting messages to affected firms and threaten to expose their data unless the companies remitted payments in BitCoin. Even after payment, Pay2Key did not turn over decryption keys in several instances and went ahead with leaks of sensitive information. Clear Sky assessed that the campaign’s motives were primarily ideological and designed to incite panic in Israel rather than financial and noted that the wave of attacks caused significant damage to several of the affected companies. These incidents highlight that the Iranian cyber threat adds additional layers of insecurity at a time of international crisis.

The tit-for-tat campaign of sabotage between Iran and Israel escalated further in April 2021, as Israel is believed to have been behind an apparent cyber attack that triggered an explosion that caused a major blackout at the Natanz enrichment complex. The attack reportedly destroyed the power system that runs the facility’s centrifuges and may have set back Iran’s enrichment at Natanz by nine months. The incident occurred shortly after Iran announced the installation of new advanced centrifuges at Natanz and after Iran has begun enriching uranium to 60%, steps taken by Tehran to increase its leverage in negotiations with the Biden administration. At the time of the attack, Iran and the U.S. had just entered negotiations to restore compliance with the JCPOA, a development Israel opposes as it views the JCPOA as leaving Iran a pathway to a nuclear bomb. The attack underscored Israel’s willingness to take matters into its own hands if it is dissatisfied with the direction of diplomatic efforts to resolve Iran’s nuclear program. Iran has referred to the attack as “nuclear terrorism” and vowed reprisals, but Tehran is constrained by its desire to acquire sanctions relief. Its calculus may change, and it may even be compelled to target the U.S., which it views as complicit in Israel’s cyberwarfare, if diplomacy breaks down.

In June 2021, during a critical point in the negotiations to revive the JCPOA, hackers linked to Iran’s government attempted a cyberattack on Boston Children’s Hospital. In revealing the incident a year later, the FBI director called it “one of the most despicable cyberattacks I’ve ever seen.” According to U.S. officials, the hack featured attackers exploiting Fortinet software to control the hospital’s computer network. Earlier, in November, U.S. agencies warned that Iranian hackers had accessed “environmental control networks” at an unnamed children’s hospital, which likely meant Boston Children’s Hospital, which is one of the largest pediatric centers in the United States, and offers cancer treatment and heart surgeries, among many other services. This shows that even in June 2021, when negotiators were reportedly making progress to revive the JCPOA—the actual negotiations themselves adjourned on June 20 for the Iranian presidential election—Iran’s government was trying to attack critical infrastructure in the United States.

Beyond its escalating cyber warfare with Israel, Iran has also recently upped its cyber activities in terms of influence campaigns. U.S. authorities alleged that Tehran engaged in electoral interference during the 2020 U.S. presidential election by obtaining voter registration data and sending spoofed emails designed to intimidate voters and undermine confidence in U.S. democratic institutions. In December 2020, the FBI found that Iran had been behind a website called “Enemies of the People,” which exploited claims of voter fraud in the United States to incite “lethal violence” against the FBI director, a former U.S. cybersecurity official, and state election officials who were involved in refuting the claims. The website posted these officials’ home addresses and other personal information. These incidents demonstrate the growing investment Tehran is making in these kinds of operations, which target the United States.

In November 2021, the U.S. Justice Department unsealed an indictment against two Iranian nationals for their involvement in a cyber attack against the United States. Court documents stated that, prior to the 2020 U.S. presidential elections, the two Iranians compromised voter websites, sent out intimidating emails to voters, disseminated a video containing disinformation about purported election vulnerabilities, and gained unauthorized access to a U.S. media company’s computer network. Iran’s cyber operations were largely aimed at discrediting Trump’s reelection campaign, according to a declassified report commissioned by the Director of National Intelligence (DNI).

In May 2022, the Shin Bet uncovered Iranian operations to lure and possibly harm Israeli businessmen and academics outside of Israel and gather intelligence through cyber operations. The Iranian operatives created email accounts with minor differences from the actual email of a trusted person in order to build rapport and extract information. They impersonated academics and journalists in these social engineering tactics and invited their victims to a made-up “conference” outside the country. The Shin Bet foiled the attempts to lure the Israelis out of the country, and none of the Israelis who were targeted in the spear-phishing campaign opened the links sent to them. The Israeli national security agency also warned at the time that the Iranians have recently turned to the internet to recruit agents for intelligence-gathering and terrorist activities.  

On September 7, 2022, Albania, the U.S., and the U.K. governments confirmed allegations made by cyber security firm Mandiant that the IRGC-sponsored cyber espionage group APT 42 conducted a cyber attack against the Albanian government in July 2022. This cyber attack occurred around the time that an Iranian dissident rally in Albania at which former U.S. officials were scheduled to speak had to be canceled due to a terror threat. Following the discovery of the cyber attack, the U.S. government and its private sector partners worked together with the Albanian government to investigate the actors behind the attack. The U.S. and U.K. governments found that critical Albanian infrastructure was the intended target of the Iranian cyberattack. The White House pledged that the U.S. would take action “to hold Iran accountable” for its attack, which violated peacetime norms on “refraining from damaging critical infrastructure that provides services to the public.” The U.S. government supported Albania’s decision to sever ties with the Islamic Republic.

Disrupting Albanian government websites and public services appeared to be a goal of APT 42’s cyber attack, although the group is typically tasked with information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. The attack caused the Albanian government to shut down government websites and suspend public services. The cyber security firm Mandiant identified ransomware called ROADSWEEP used in the attack to encrypt files on a compromised system, and leave a note claiming that the Albanian government was being targeted in a cyber attack.

Ransomware is typically used for extortion, but on this occasion, the attack appears to have been politically-motivated. The ROADSWEEP ransomware dropped a ransom note including the text “why should our taxes be spent on the benefit of Durres terrorists?” Durres is a county in which the town of Manez is located; Manez was scheduled to host the World Summit of Free Iran conference on July 23-24 before it was canceled due to terrorist threats. The Iranian dissident group Mujahedeen-e-Khalq (MEK) organized this summit in opposition to the Iranian regime, so it falls squarely within the purview of the IRGC’s mandate to neutralize foreign and domestic adversaries. Tensions increased between Iran and Albania when the latter decided to accept up to 3,000 Iranian MEK dissidents at the request of the U.S. in 2013. A front group by the name of “Homeland Justice” claimed responsibility for the cyber attacks, posting on their Telegram page a video of the ransomware being executed along with purported government documents and residence permits of members of the MEK.

This was not the first cyber attack launched by APT 42. Mandiant noted in a report on the group that it has often relied on the tactic of rapport-building with their victims, sometimes conversing for weeks to months pretending to be a journalist or other trusted person, before sending a link that allows them to access personal information. Between March and June 2021, the group compromised an email account of a U.S.-based think-tank employee with the intention of targeting other think-tanks, academic institutions, and U.S. officials working on Iran policy. It was unclear which U.S. government agencies were targeted, or whether the attacks on the U.S. government were successful. These efforts underscore the fact that the IRGC relies upon cyber operations for intelligence gathering, influence operations, and surveillance. UANI has been similarly targeted by the Iranian government via phishing attempts.