DUBAI: Iran is one of the biggest threats in cyberspace, according to experts who warn that a global response is needed to repel its rising wave of cyberattacks on government and communications infrastructure worldwide.
The leading state sponsor of terror is extending its malign presence online, with Saudi Arabia among its main targets. Iran’s growing digital prowess is part of its “soft war” strategy to spy on adversaries and spread its rhetoric.
“Iran is increasingly active and a growing cyber threat, though it isn’t the most sophisticated actor,” Michael Eisenstadt, Kahn fellow and director of the military and security studies program at the Washington Institute for Near East Policy, told Arab News. “But as past Russian hacking efforts in the US have shown, you don’t need to be technologically sophisticated to hack and then leak emails, causing embarrassment to adversaries.”
In recent months, cybersecurity firms and tech companies have exposed attacks linked to faceless enemies in Iran.
“Cyber holds a certain appeal” for the country, Eisenstadt said. “Because of the difficulty attributing responsibility for cyber-attacks, it provides Tehran with a degree of deniability,” he said. “Perhaps most importantly, it allows Iran to strike its adversaries globally, instantaneously and on a sustained basis, and to achieve strategic effects in ways it can’t in the physical domain.”
Iran’s greatest adversaries are the US, Israel and Saudi Arabia “in that order,” Eisenstadt said. “In March 2018, the US government designated an Iranian entity, the Mabna Institute, and nine individuals associated with the institute, for operating a massive hacking and cyberspying operation that targeted hundreds of universities and companies in dozens of countries to steal proprietary data and academic research, presumably to help Iran’s own research and development efforts, to circumvent sanctions, and to compensate for its economic isolation. These activities had been going on for years.”
Joyce Hakmeh, a research fellow of cyber policy and co-editor at the Journal of Cyber Policy at the International Security Department at Chatham House, said Iran has been linked to several attacks in the Middle East, including in Saudi Arabia. One of the biggest attacks was identified in 2012, when an Iranian hacker group deployed the Shamoon computer virus to cripple thousands of hard drives at Saudi Aramco. “Everyone remembers the big attack against Saudi Arabia in 2012, which affected 35,000 computers. It was called the biggest hack in history at the time,” she said.
Eisenstadt said there were several attempted strikes on Saudi government and private sector entities using the Shamoon 2.0 malware in 2016 and 2017, and on Italy’s Saipem oil services firm (whose biggest customer is Saudi Aramco) in December 2018.
Hakmeh said while “attribution is a challenge” when it comes to cyber activity, a host of groups have been linked to Tehran’s terror online, including Magic Hound, MuddyWater, APT33, APT34, APT39, Cobalt Gypsy, Rocket Kitten and NewsBeef.
Collectively, these have targeted organizations across the Middle East in industries including finance, government, energy, chemicals and telecommunications.
A 2018 report by the Carnegie Endowment for International Peace noted: “While Iran’s offensive cyber operations have required modest resources to develop, they have allowed Tehran to project itself as an emerging cyber power able to cause significant harm to its adversaries.”
The report said: “As judged from the evidence of coordination between security agency actions and observed cyber operations, the campaigns of Iranian threat actors almost certainly have a direct relationship with government entities, specifically the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. Attempts to forecast the future of Iranian cyber operations are constrained by the secrecy on the part of the Iranian state about its activities and an uncertain geopolitical climate.”
Eisenstadt said when it comes to the biggest threats in cyberspace, the most formidable actors are Russia followed by China, North Korea and Iran. “Iran’s activities in the cyber domain generally serve its broader foreign policy objectives. In some cases, the goal might be to advance Iran’s propaganda line. In others, it might be to steal intellectual property and propriety information, in order to circumvent sanctions and benefit its own research and development efforts,” he said.
Hakmeh said countries, especially in the Middle East, need to build resilience against cyberattacks by sharing information, preparing strategies and educating people about good “cyber hygiene,” such as changing passwords. “While Iran for some years has been considered a third-tier threat, the threat is considerable. It’s a country to monitor, to keep on the map,” she added. “It doesn’t have the same capabilities as China, Russia or the US, but it has been able to be very destructive.”
While Iran spreads fake news to support its rhetoric against Israel, Saudi Arabia and the US, its more serious attacks are geopolitically motivated, said Hakmeh. “Most of the attacks that Iran has been linked to are for espionage reasons to get a competitive advantage — Saudi Arabia’s petrochemical industry, for example, to see what technology it’s using — or to gain insight into Saudi Arabia’s military capacities so Iran can enhance its own,” she said.
Dr. Johannes Ullrich, dean of research at the SANS Institute, a US company that specializes in information security and cybersecurity training, said as Iran’s conflict with its neighbors grows, so has its presence on the dark web.
“Iran is believed to maintain a significant effort to conduct offensive cyber operations against its adversaries,” he added. “It may not be among the most sophisticated, but it’s very aggressive in applying the skills it has.
“One technique that has been employed in the attacks is domain hijacking. For this attack, an administrator’s password is used to alter settings for an organization’s domain. The attack itself is pretty simple, and the hard part is to get the administrator’s password. It isn’t clear how the administrator password was obtained in these cases, but typically phishing attacks are used. Overall these attacks aren’t terribly sophisticated, but the impact can be huge.”
Aside from hacks on government and company infrastructure, Iran has been linked to a global network of fake news websites. ClearSky, a Tel Aviv-based cyber tech security firm, recently issued a report linking Iranian propagandists to fake news sites in 28 countries that spread misinformation about their targets — chiefly in the Middle East and Asia — and advance Tehran’s ideological and geopolitical interests.
In recent months, FireEye, a US cybersecurity firm, issued a warning about fake news sites and profiles on Facebook and Twitter that it believed were operatedby Tehran as part of its cyber-influence campaign. Such campaigns were also exposed by Twitter, which posted 1 million tweets generated by fake accounts.
Facebook said it had deleted dozens of fake profiles. Just this month, the platform said it removed 783 accounts tied to Iran that appeared to be engaging in a manipulation campaign against people in almost 30 countries.
Still, experts at the Institute for National Security Studies in the US have said Tehran’s efforts have not been foolproof, with a report noting: “Use of Iranian contact data (such as phone numbers and email addresses), copied content and poor writing has led to their public exposure. Until then, however, Iran managed to reach many people … some contents were viewed by millions of views, and some earned responses by hundreds of thousands of surfers.”
Simone Vernacchia, cybersecurity and digital infrastructure advisory lead at PwC Middle East, said that while it is against his company’s policy to attribute cyberattacks to a specific “nation-state actor,” the firm had noted an “increase in disruptive attacks, which may be sponsored by a nation-state.”
Although there has been a big increase in investment in cybersecurity in past months, many Middle Eastern countries’ defense systems remain less advanced than those in the West, he said.
“A stronger collaboration among privately owned critical infrastructure and government defense systems, as well as a strong and periodically tested set of organizational and technical interfaces, would strengthen the ability to respond to crises,” he said.