
Cyber Researchers Warn of Increased Threat from Iranian Government Hackers


US-based IT researchers have thrown a cyber element into the web of tensions that makes up current US-Iran relations.

Washington and Tehran are at odds over quite a bit these days, from the Yemen conflict to Iran’s support of terror funding activity in America’s backyard. Recent reports from the State Department that the administration is reexamining the 2015 Iran deal of the Obama era have not helped (“the president said he is either going to fix it or cancel it,” were Secretary of State Tillerson’s exact words).

Against the backdrop of these conflicts, reports of an increased cyber threat from Iran-backed hackers should come as no surprise. This is the basic thrust of the latest publication of the Carnegie Endowment for International Peace (CEIP), a non-partisan think tank for policy issues based in Washington, D.C.

The threat of Iranian cyber-attack on US infrastructure is far from new.

Iran, which maintains a fully modernized military and defense infrastructure, is no novice when it comes to state-backed hacking. In October, British intelligence officials reported that a series of hacks in June that targeted several Parliament members, including Prime Minister Theresa May, was executed by cyber criminals connected to the Iranian government. The hacks affected some 9,000 accounts and exposed approximately 100 sensitive communications.


Largely forgotten is the era in which Iranian-linked hackers persistently targeted US infrastructure with cyber assaults. The coordinated government-backed hacks began in September 2012 with a series of distributed denial-of-service (DDoS) operations against US banks. Dozens of online banking sites were slowed or, in some cases, ground to a complete halt. Iranian hackers increased the complexity of their attacks, even managing to infiltrate the digital system of a dam in New York State.

But that was before the negotiations for curbing sanctions started in 2013. At that point, hackers began letting up on US targets and focused largely on rivals in the Middle East, the infamous Shamoon hacks targeting Saudi Arabia being one well-known example.


Since Trump took office and the cold peace between Iran and the United States took a turn for the worse, the threat of Iranian hackers has become an increasingly large blip on the national security radar.

Researchers at CEIP make a few important points worth noting.

First off, it’s important to put the threat of Iranian hackers in proportion. Iranian cyber warriors are far from world-class. This is evident from several failed attempts by hackers to penetrate high-profile US government organizations. In the words of the CEIP, “Government agencies are typically hardened beyond the capability of Iranian threat actors to penetrate them.”

Additionally, Iranian hackers, while able to construct their own cyber weapons, still lack the sophistication necessary to use them more than one time. Cyber weapons differ from conventional ones in that once they have been deployed, they often lose their effectiveness. After being affected, victims can document and understand a given cyber weapon’s infrastructure, which in turn gives them the ability to update their cyber security tools accordingly.


In order for a given piece of malware to be re-used, cyber criminals need to update and alter it in order to bypass the updated systems of a target. The CEIP report explained that Iranian hackers seem to not possess this advanced capability “and there are no observed examples from Iranian threat actors of escalation into more sophisticated attacks against hardened targets.”

So what is the extent of the Iranian cyber threat?

Hackers of the Islamic Republic seem to be quite good at identifying soft targets—weakly protected victims that will still offer a strategic advantage in attacking. Personal accounts of government personnel are a favorite. While personal accounts are less likely to contain classified data, they often contain useful snippets such as private material and traces of professional communications between other government workers or entities.

The report cites one example from the period following the 2016 presidential election. In a series of attacks, hackers targeted the accounts of former staffers of the Obama White House, conservative media organizations, and nominees for political appointments in the incoming administration. All of these were “an apparent attempt to acquire intelligence on the new administration.”

CEIP assesses that in light of this, the personal accounts of government agencies dealing with Iran policy, such as the State Department, are at a high risk of persistent targeting.

The more serious threat posed by Iran’s cyber army is the one facing US critical and economic infrastructure. Iran has already demonstrated its ability to hit these targets remotely, such as in the New York dam hack cited above. Despite the limited capabilities of their hackers, the CEIP weighs the possibility of Iran targeting US power grids or other “industrial control systems” in the near future.


The last point for consideration is what the CEIP report means in the context of the ongoing anti-government protests in Iran. The report devotes quite a bit of space to the history of the Iranian government using internet restriction as a tool against domestic threats. Those known to have been targeted over recent years in the country include diverse groups, from reformist politicians to media personnel and religious minorities.

In the last eruption of anti-government protests in 2009, social media was dominated by pro-opposition users and reformists who used Facebook, YouTube, and Twitter to expose images of the so-called “Green Movement” to the world. Nearly nine years later, the regime is more prepared to combat these challenges. Since protests broke out, the government has blocked popular social media applications such as Instagram and another widely used messaging app in Iran called Telegram.

Many of these have been used by activists to organize protests and spread awareness. Many reports indicate that the Iranian government has deployed bots—automated account-running programs—on social media platforms to post misinformation in an attempt to disrupt protest activity.

These reports are reason enough to consider whether the international community’s perception of current events in Iran may become skewed if bot activity continues to grow.

In any event, the CEIP report includes a number of important revelations regarding Iran’s manipulation of the cyber sphere to advance its interests. The facts the report brings to light are likely already having a substantial effect on US policy toward the Islamic Republic.

The opinions expressed here by contributors are their own and are not the view of OpsLens which seeks to provide a platform for experience-driven commentary on today's trending headlines in the U.S. and around the world.
Samuel Siskind

Samuel Siskind studied intelligence research at the American Military University in West Virginia. He served as a squad commander in the Israeli Defense Force (IDF) Corps of Combat Engineers, in the Corps' ground battalions and later in its Intelligence Wing at regional and divisional stations. For the past five years, Samuel has worked as a consultant and researcher on physical and information security issues for private and governmental institutions in the US, Africa, India, and Israel. He currently lives in Jerusalem.
