Iran’s cyber ‘revenge’: it’s not if, but when

Dr Mahdi Aiash writes about the potential cyber backlash the West may face following the US military airstrike of January 2020.

On 2nd January 2020, an American airstrike killed one of Iran’s top generals, Quds Force Commander Major General Qasem Soleimani. Consequently, Iran vowed “severe revenge”. We should now expect a mixed bag of vengeance, and cyber-attacks will undoubtedly be at the top of the list. But what are Iran’s options when it comes to cyber warfare, and how serious could its cyber revenge be?

Understanding Iran’s cyber capabilities

Iran is a third-tier actor in cyber security and is unlikely to match the cyber capabilities of Russia, China, or even North Korea in the short term. However, over the past few years, hacking groups associated with Tehran have been linked to serious attacks in the Middle East region and beyond.

In 2011, a major breach of the Dutch certificate authority DigiNotar, affecting tens of thousands of Gmail accounts, was linked to a hacking group associated with the Iranian government. Between 2012 and 2013, an operation alleged to be the work of Iranian hackers caused millions in lost profits by targeting American banks with repeated distributed denial-of-service attacks.

One Iranian group closely associated with the Iranian Revolutionary Guard, known as Rocket Kitten, has been linked to numerous attacks in 2014 and 2015 against countries including the United Kingdom, the US and Saudi Arabia.

Since 2018, it has been reported that one of Iran’s most active hacker groups (APT33, also known as Holmium) appears to have shifted focus. Rather than standard IT networks alone, it is targeting the physical control systems used in electric utilities, manufacturing and oil refineries. Microsoft’s 2018 cyber security report states that APT33 targeted dozens of industrial equipment and software firms, including the Saudi state oil company Saudi Aramco.

Who could be most at risk of a cyber attack?

Unfortunately, in the case of cyber warfare there is a massive attack surface that gives state-sponsored hackers a great opportunity to pick and choose. Potential targets for Iran’s cyber assault could include:

Sensitive political or diplomatic targets
These are classic targets for hacking groups. Such attacks are often preceded by sophisticated information operations over Facebook, Twitter and other social media platforms. Tehran reportedly conducted a similar operation in 2017 against the British parliament and compromised dozens of email accounts belonging to lawmakers by identifying accounts with weak passwords and without two-factor authentication.

Businesses and enterprises in the public and private sectors
Iran is already known to have targeted commercial and industrial firms to great effect, as it did with US banks from 2011 to 2013 and the Las Vegas Sands casino in 2014.

Critical Infrastructure and Industrial Control Systems (ICS)
Recent threat intelligence reports by Microsoft and FireEye highlight that Iran’s most aggressive hacking group, APT33 (AKA Holmium), has been mainly targeting manufacturers, suppliers and maintainers of industrial control system equipment. These ICSs are the main building blocks of our critical infrastructure (power grids, manufacturing and oil refineries). Although Iran has never been publicly tied to an attack on these ICSs, APT33’s shift towards ICS supply chains may signal Iran’s ambition to inflict damage on critical infrastructure.

While the most appealing targets are likely to be in the US homeland, given Iran’s history of staging visible, politically potent attacks linked thematically to its grievances, it may be easier to strike US military or diplomatic targets abroad, or similar targets in allied nations.

The forms of cyber revenge Iran may employ

Iran’s efforts differ from those of Russia, which sought to stoke social and political unrest in different western countries with tactics including interfering with the presidential elections in France and the United States.

Russia seeks to engage with, and infiltrate, communities online, and is politically agnostic, targeting users and causes across the spectrum. Iran, by contrast, tends to make a lot of noise to persuade others to its side, particularly with anti-Israel, anti-US and anti-Saudi messages. It is, however, unclear whether this recent assassination will change the rules of the game.

Undoubtedly, there will be several layers of retaliation, all depending on the message that Iran wants to send and its risk appetite. Iran might have a number of options for its cyber revenge:

Direct Involvement
In this case, the central government in Tehran, through the Islamic Republic’s cyber army, would be directly involved in a cyber-operation targeting assets of the US or its allies. While very unlikely, the Iranian government might choose this option, after assessing the geopolitical situation, in order to show strength and intimidate its “foes”.

Collaborative Cyber Operation
Investigations of some recent incidents initially attributed to Iran showed evidence of possible involvement by Russia and North Korea, such as the sophisticated and lethal piece of malware that targeted a Saudi petrochemical plant in 2018. This collaboration in cyberspace mirrors the cooperation between these nations on battlefields in countries like Syria and Yemen.

Proxy Attacks
Iran is more cyber vulnerable than cyber capable and therefore might decide not to get involved directly in a cyber-attack, but rather to instruct proxy militias such as the Syrian Electronic Army (SEA) and the Cyber Party of God in Lebanon. These groups would be well placed to launch anything from espionage to offensive operations like large-scale distributed denial-of-service attacks against institutions in countries like Israel, Saudi Arabia or even Western countries.

Forward planning will be key

While it’s difficult to predict what an Iranian offensive in cyberspace will look like, given how quickly capabilities are evolving, we know that Iranian cyber operations are currently scoping and preparing to usher in an era of unrestrained responses.

The earliest of these responses might be in the form of disruptive attacks and espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence to better understand the dynamic geopolitical environment.

Western governments have a number of options for facing these elevated threats. These include tracking and intercepting cyber operations as they develop, sharing intelligence across countries, and supporting private businesses, which might end up bearing the brunt of the risk.

When it comes to ICS, governments should verify the integrity of these systems and audit the supply chain before introducing them to their infrastructure. Most importantly, governments should never dismiss or underestimate Tehran’s cyber capabilities; being over-prepared is always better than being under-prepared when it comes to cyber warfare.
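The integrity check called for above can be made concrete. The following is an added example, not code from the article or from any ICS vendor: a Python verification of a delivered ICS software package against a SHA-256 manifest that is itself authenticated with an HMAC under a key agreed with the vendor out-of-band, so that whoever tampers with a file in transit cannot simply rewrite the manifest to match. The file names, file contents and key are constructed sample data; in a real procurement a vendor public-key signature would usually take the place of the shared-key HMAC.

```python
"""Added example (not from the article): verify an ICS software/firmware
package against an authenticated SHA-256 manifest before deployment.

Checks performed on the operator side:
  1. the manifest itself is authentic (HMAC over the file->digest map),
  2. every listed file is present with the expected digest,
  3. no unlisted files were slipped into the delivery.
"""
import hashlib
import hmac
import json

# Constructed sample: the vendor's delivered package as {filename: bytes}.
VENDOR_PACKAGE = {
    "plc_firmware_v2.bin": b"\x7fELF" + b"\x00" * 16 + b"firmware-image-sample",
    "hmi_config.xml": b"<hmi><tag name='pump1' address='40001'/></hmi>",
}

# Constructed sample: a key exchanged out-of-band at procurement time.
# In practice this lives in an HSM or secrets store, never in source.
MANIFEST_KEY = b"example-shared-manifest-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(digests: dict) -> bytes:
    # Canonical encoding so vendor and operator MAC exactly the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(package: dict, key: bytes) -> dict:
    """Vendor side: hash every file and authenticate the map with an HMAC."""
    digests = {name: sha256_hex(content) for name, content in package.items()}
    mac = hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "mac": mac}


def verify_package(package: dict, manifest: dict, key: bytes) -> list:
    """Operator side: return a list of findings; empty means intact and complete."""
    findings = []
    expected_mac = hmac.new(key, _manifest_body(manifest["files"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking timing information about the MAC.
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        findings.append("manifest MAC invalid: manifest may have been altered")
        return findings  # the digests cannot be trusted, so stop here

    for name, expected in manifest["files"].items():
        if name not in package:
            findings.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(package[name]), expected):
            findings.append(f"digest mismatch: {name}")

    for name in package:
        if name not in manifest["files"]:
            findings.append(f"unexpected file not in manifest: {name}")
    return findings


def demo() -> dict:
    """Run the check on the clean package and on two constructed tampering cases."""
    manifest = build_manifest(VENDOR_PACKAGE, MANIFEST_KEY)

    # Case 1: a single byte appended to the firmware image in transit.
    tampered_file = dict(VENDOR_PACKAGE)
    tampered_file["plc_firmware_v2.bin"] += b"\x90"

    # Case 2: the manifest is rewritten to match, but without the shared key.
    rewritten_manifest = build_manifest(tampered_file, b"key-the-attacker-does-not-hold")

    return {
        "clean": verify_package(VENDOR_PACKAGE, manifest, MANIFEST_KEY),
        "tampered_file": verify_package(tampered_file, manifest, MANIFEST_KEY),
        "rewritten_manifest": verify_package(tampered_file, rewritten_manifest, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'OK' if not result else result}")
```

The order of the checks is the point: the manifest is authenticated before any digest is consulted, since an unauthenticated hash list only tells the operator that the package matches whatever the last party to touch it wanted it to match.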