Third-party contractors — our weakest cyber link — need to be held accountable
Are we underestimating Iran's cyber capabilities?
While Iran is unlikely to match the cyber capabilities of Russia, China, or even North Korea in the short term, this third-tier actor has already racked up some notable wins. Between 2011 and 2013, in some of their first forays into cyberwarfare, Iranian hackers cost U.S. financial institutions tens of millions of dollars and knocked Saudi Aramco's business operations offline for months. Over the past two years, Iranian hackers hit more than 200 companies around the world, inflicting hundreds of millions dollars' worth of damage, according to a new Microsoft report. We downplay this evolving menace at our peril.
Too quickly, experts dismiss Iran's ability to conduct significant operations. After a February breach of the Australian parliament, the Syndey Morning Herald reported that "Australian sources with detailed knowledge of the hack" dismissed a cybersecurity firm's attribution of the attack to Iranian hackers, claiming that Iran lacks the cyber skills necessary to conduct such a sophisticated operation. While the firm has provided insufficient data to draw definitive conclusions, analysts should not discount Iran out of hand.
After all, Tehran did reportedly conduct a similar operation in 2017 against the British parliament. In that attack, hackers compromised dozens of email accounts belonging to lawmakers by identifying accounts with weak passwords and without two-factor authentication. While Downing Street has not publicly identified the hacker, British news outlets reported that British intelligence has attributed the attack to Iran.
In its annual Worldwide Threat Assessment, the U.S. Intelligence Community concluded that Iranian hackers are only capable of "causing localized, temporary disruptive effects." Yet, the assessment also cautioned that "Iran uses increasingly sophisticated cyber techniques," and is attempting to deploy capabilities to attack U.S. and allied critical infrastructure. In fact, as the cybersecurity firm FireEye warned in January, Iranian operations pose a threat to "a wide variety of sectors and individuals on a global scale." A European Union report released the same month concluded that Iran will likely "intensify state-sponsored cyber threat activities."
Recent statements from the U.S. and Israeli governments offered further details about the threat. Last month, the Justice Department unsealed an indictment against a U.S. citizen and four Iranian operatives who were targeting U.S. government and intelligence agents. The operatives created fake Facebook profiles to trick victims into accepting friend requests and, in at least one case, adding the fake persona to a private Facebook group "composed primarily of USG Agents." Although not alleged in the indictment, access to this group likely provided the hackers with additional information and targets to expand their operation.
The indictment indicates, though, that Iran's use of phishing emails failed to convince the targets to click malicious links and download malware. The emails are poorly written, with grammatical and spelling errors. And yet, the Justice Department noted, had these efforts succeeded or had a victim inadvertently clicked the link, the operation would "have brought serious damage to the United States."
In fact, a week earlier, DHS had issued an emergency directive to all federal agencies to take steps to protect their infrastructure from an operation posing "significant and imminent risks to agency information and information systems." While DHS did not attribute the operation to Iran, the emergency directive coincided with the release of a FireEye report on a global campaign targeting the same infrastructure. The company confirmed that its initial research pointed to Iran.
The Israeli military's outgoing cyber chief, meanwhile, has been raising alarms about Iran's cyber capabilities. Brigadier-General Noam Sha'ar told Israel Hayom that one of his division's first operational events was the detection and prevention of an attempt to infiltrate Israel's home front missile alert system. By corrupting the missile warning system, hackers could have activated false alerts. Even worse, when the system detected incoming rockets, hackers could have prevented sirens from activating so that civilians would not know to take cover.
Sha'ar explained that by tracking Iranian cyber groups, Israel detected the presence of hackers in some of its systems. His division excised the attackers, assessed the damage, determined what reconnaissance Iran had conducted, and reinforced network defenses. In a separate interview, Sha'ar warned that Iran's expanding capabilities are the most worrying trend in cyberspace.
To be sure, analysts should not inflate Iran's capabilities. Last year, when a sophisticated and lethal piece of malware was discovered at a Saudi petrochemical plant, news reporting began pointing fingers at Iran. The malware, later linked to the Russian government, targeted industrial control systems and manipulated safety systems that could have caused physical explosions. The misattribution artificially raised alarms about Iranian capabilities.
Still, the United States can ill afford to dismiss Tehran's capabilities as those of a third-tier cyber actor. An accurate assessment of the threat is the first step to defeating, thwarting, and deterring the Islamic Republic's cyber army.
Annie Fixler is deputy director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Follow her on Twitter @afixler. Follow FDD on Twitter @FDD. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.