Iran’s hackers can be a real threat to Trump


The US and Iran aren’t necessarily on the brink of an all-out online battle after general Qasem Soleimani’s assassination – but that doesn’t mean Iran’s hackers should be underestimated.

The killing of the general last week by a US drone left plenty around the world wondering how Iran would retaliate, on the ground and online. Because Iran has recent history with cyber attacks, the situation has raised the spectre of a so-called cyber war between Iran and the US, with the Department of Homeland Security warning that Iran is capable of “carrying out attacks with temporary disruptive effects against critical infrastructure” and advising businesses to be wary of suspicious emails and use two-factor authentication – though that advice is always true.

That Iran will retaliate via a cyber attack seems to be an issue of not if, but when. “Cyber attacks are a classic asymmetric attack, used by one state to inflict harm on a stronger opponent,” says Emily Taylor, CEO of Oxford Information Labs and associate fellow at Chatham House.

And it’s a tactic Iran has used before – though so too has the US, of course. According to Chris Morales, head of analytics at security firm Vectra, Iran was motivated to push forward with its cyber capabilities in the wake of Stuxnet, attributed to the US and Israel, which took out a nuclear enrichment facility in Iran. “The thing about Iran is they didn’t even think about cyberwarfare until… after they were hit with Stuxnet,” he says. The next year, Iran was suspected of launching the Shamoon attack against Saudi Arabia’s Aramco, taking out tens of thousands of computers, says Taylor.

In 2016, the US Department of Justice indicted Iranian Revolutionary Guard members for targeting US banks and infrastructure, with one of the attacks, against a dam in New York State, failing only because the facility was coincidentally offline at the time, Taylor adds. The next year, British intelligence agencies said Iran was likely behind an attack against MPs' emails.

“Iran has already demonstrated the willingness to carry out cyberattacks in the West,” says John Hultquist, director of intelligence analysis at FireEye. “It has targeted several US and European financials with a series of DDoS attacks that lasted nearly a year prior to the nuclear agreement.”

Recent attacks may suggest how Iranian hackers would target the West. FireEye, where Hultquist works, tracks such activity. In 2012, the attack against Aramco was run by a group called “Cutting Sword of Justice” using malware known as Shamoon or Disttrack, a “wiper” worm that deletes files and overwrites the master boot record. Similar variants were used against other Saudi organisations in 2012 and 2016.

In 2017, FireEye reported that a new Iran-linked group, which it dubbed APT33, had been carrying out attacks since 2013 against military, energy and other organisations in the US, Saudi Arabia and South Korea. APT33 used a variety of attack techniques, including spear-phishing emails and fake domains, to install another type of wiper malware, dubbed Shapeshift, as well as a remote access trojan called Nanocore, a screenshot-taking malware called TurnedUp, and a tool for stealing credentials called NetWire. Two of the malware types used were readily available to buy online.

Another Iranian group spotted by FireEye is known as APT34. It has been operational since at least 2014 and appears to use known flaws in software such as Microsoft Office, as well as phishing emails, to spread malware and compromise accounts, targeting a wide range of industries largely in the Middle East. This year, APT34 set up a LinkedIn account posing as a researcher from the University of Cambridge in order to send compromised files that infected victims’ computers and stole information.

In October, Microsoft warned about a threat group it calls Phosphorus, saying it was likely linked to the Iranian government and was targeting email accounts belonging to US political officials, journalists, and Iranians living outside the country. Four accounts were successfully breached via password reset systems, Microsoft admitted. While the attacks weren’t technically sophisticated, the attackers were “highly motivated,” the company said, spending significant time harvesting the necessary personal information to target victims.

“If we see renewed attacks in the West, we expect them to follow the model we’ve seen in the Middle East, relying heavily on wipers to target critical infrastructure companies,” says Hultquist. “We are particularly concerned with APT33 and APT34, among others, because of their use of wipers to carry out cyberattacks.”

We’re used to such attacks, but the real fear is an attack on an industrial control system (ICS), such as at a dam, power plant or similar – that’s where the real threat to human life could be. But though there’s a possibility that Iran is capable of such attacks, Hultquist doesn’t believe it’s likely. “We are skeptical Iran will manipulate ICS processes to create unsafe conditions, but they are very capable of causing significant disruptions.”

However, Vectra’s Morales notes such systems are usually better protected and less susceptible to risk than banks or other companies that are normally targeted by Iranian state-sponsored actors. “But it’s something to absolutely be aware of,” he warned.

Such an attack would be easier to attribute to a state-backed hacking group, as it would likely demand more resources. That suggests Iranian hacking groups may stay with attacks that are less damaging, more difficult to attribute, and less likely to escalate the situation: targeted attacks for disruption and espionage, as well as website vandalism for attention.

The first attack to happen after Soleimani’s death was less dangerous than previous examples: the website of the US Federal Depository Library Program was defaced with a bloody image of US president Donald Trump alongside pro-Iranian propaganda. Despite the basic attack and insignificant damage, the incident was widely reported globally. Such smaller incidents are more likely to be perpetrated by an individual or hacktivist group, perhaps acting as a government proxy, says Rebecca Lucas, a research analyst at the Royal United Services Institute. That gives the Iranian government plausible deniability while still winning plenty of attention.

And then there’s propaganda and disinformation. According to Hultquist, Iran’s tactics already include fake news sites to share propaganda, the impersonation of influential individuals – including those running for office – the creation of fake journalists to spread disinformation, and networks of social-media bots. The use of such tactics is on the rise, adds Lucas. “We have seen a couple of sources that say there’s an uptick in fake news and disinformation from Iran since the killing of Soleimani.”

Past attacks and current capabilities suggest Iran is certainly able to cause disruption and perhaps even impact industrial control systems – but whether or not it does remains to be seen. “There’s been a lot of hype – and the hype is not unwarranted, the Iranian government does have fairly impressive cyber capabilities, in terms of conducting attacks to cause disruption or for espionage and information gathering,” says Lucas. “But the real question is whether they will gauge it to be in their interest to use them. The Iranian government has been very sophisticated in their response and they’re very aware of the public relations impact of what they do at this point.”

Indeed, the Iranian administration has been careful to say it will not target civilians, instead focusing only on US military and government targets, Lucas notes – but what happens in the longer term is impossible to predict.

In short, Iran has real hacking powers, but exactly what it’s capable of and what it’s willing to do remains to be seen. “There’s a lot of evidence to suggest that the Iranian government or its proxies can attack those targets [such as control systems], though whether they would be successful depends on the defense capabilities,” Lucas says. “Just because they haven’t doesn’t mean they can’t, and the Iranian government has proven that it is an effective and sophisticated cyber actor. But it’s about what the Iranian government wants, and what they think is in their best interest, and unfortunately that’s the hardest thing to predict.”

While tensions between the US and Iran have escalated, the two countries have been hacking each other for years – we need to protect against such attacks, but that’s hardly new. “It’s a scary moment and we should defend critical systems across society,” says Lucas. “We should all be doing that anyway, because there are a lot of scary actors out there.”
