When it comes to cyberweapons, America is an elephant and Iran is a flea. Still, a flea can be a persistent nuisance, especially for the unprotected.
Iran’s cyber capability is the focus of a detailed new study called “Iran’s Cyber Threat,” to be published soon by Collin Anderson and Karim Sadjadpour of the Carnegie Endowment for International Peace. It describes a country that, although “third tier” on the cyberthreat matrix, can still do considerable damage.
The disclosures about Iran’s cyberattacks are a reminder that America and its allies live in a dangerous electronic ecosystem. Russia’s hacking of the 2016 U.S. presidential campaign gets daily coverage, and China’s theft of American secrets has also been well-publicized. What gets too little attention are the less-sophisticated but still-toxic weapons available to dozens of smaller countries. The U.S., with its relatively open systems, can be an easy target.
The Iran study is timely: The Trump administration has declared its desire to help Saudi Arabia and other allies push back against Iran’s proxies across the Middle East, in Yemen, Syria, Lebanon and elsewhere. The U.S. call for rollback is largely rhetoric, at this point; there’s still little clear policy. But Tehran’s allies can fight back, sometimes in ways that are hard to identify or attribute. That’s especially true with cyberweapons.
The Carnegie study describes a small but capable Iranian cyber capability that evolved partly to gather foreign intelligence and partly to spy on domestic opposition groups that coalesced in the 2009 Green Movement. Iranian hackers developed payback motive, too, after 2012 newspaper reports about the U.S. and Israeli “Stuxnet” malware attacks on the Iranian nuclear program that had started in 2007.
A decade ago, Iran began mobilizing its own resources. This home-grown hacking culture is one of the report’s most interesting findings, because it can probably be duplicated in dozens of other emerging economies. “Iran’s cyber capabilities appear to be indigenously developed, arising from local universities and hacking communities,” the report notes. “Threat actors seemingly arise from nowhere and operate in a dedicated manner until campaigns dissipate, often due to their discovery by researchers.”
The Iranian hackers began slowly in 2007, with cyber-pinpricks. A group calling itself the Iranian Cyber Army defaced dissident Twitter accounts in 2009 and, soon after, websites belonging to the Voice of America. But the attacks became more serious in 2011, after an Iranian hacker penetrated a Dutch security firm called DigiNotar, opening Gmail users in Iran to government surveillance, according to the Carnegie study.
Then came Iranian counterattacks, simple but destructive. After Iran’s oil industry was hit in April 2012 by malware known as “Flame” and “Wiper,” the Iranians launched an August 2012 attack on the Saudi Aramco oil company, using a wiper virus known as “shamoon.” According to the Carnegie researchers, the attack affected tens of thousands of Saudi Aramco computers and caused tens or even hundreds of millions of dollars in damage.
Iran successfully attacked the U.S. as well. In September 2012, a hacker group that called itself the Izz ad-Din al-Qassam Cyber Fighters began attacking U.S. banks and financial institutions with a primitive but destructive assault known as a “distributed denial of service,” or DDoS, which basically flooded targeted computers with so much traffic that their systems crashed. Here, too, the assaults did surprising damage.
The FBI concluded that from 2012 to 2013, the Iranian operation “locked hundreds of thousands of banking customers out of accounts for long periods of time and resulted in tens of millions of costs to remediate,” the Carnegie analysts explain. Many financial institutions that had been hit by the Iranians said little about the attacks, to avoid worrying customers or shareholders.
Why did the Iranians strike U.S. banks? Revenge is the simple answer. The Carnegie reports cites an NSA assessment that signals intelligence “indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.”
Iran’s cyber capabilities suggest that the Trump administration’s new anti-Tehran campaign may not be costless, even if open conflict is avoided. A website called “The Cipher Brief,” which focuses on intelligence issues, headed this month that “Iran’s … Cyber Hackers Poised to Strike If Trump Shreds Nuke Deal.” A computer security firm called “FireEye” reported this month that a group of Iranian hackers, dubbed “APT34,” have developed a new backdoor cyber-surveillance technique.
Iran has an arsenal of cyber-stones, so to speak, ready to throw. The U.S., meanwhile, lives in the world’s biggest glass house.
David Ignatius can be reached via Twitter: @IgnatiusPost.