Understanding the cyber threat from Iran

Ed Parsons, Managing Director, UK and George Michael, Research Analyst
April, 2019

Part four of our cyber war series provides insights from F-Secure’s research, threat intelligence and investigations on cyber statecraft, focusing on Iran.

Since the United States withdrawal from the Iran nuclear deal (Joint Comprehensive Plan of Action) in May 2018, reports of Iranian retaliation in cyberspace [1] suggest the prospect of conflict extending into the cyber domain is closer than ever.

Information security professionals are now expected to be foreign policy analysts, capable of interpreting and predicting the threat foreign states pose, and defending themselves accordingly.

This article, the fourth in a short series [2], provides insights from MWR’s research, threat intelligence, and investigations on cyber statecraft, focusing on Iran.

Iran – exploiting the advantages of cyber statecraft

Over a decade of state-sponsored cyber operations against Iran have shaped and catalyzed the regime’s cyber strategy and development. High profile attacks like Stuxnet demonstrated what could be achieved and have been used by the Iranian regime to portray the country as a victim. Behind the scenes, these attacks have motivated Tehran to develop indigenous cyber capabilities as a credible retaliatory threat.

The motives driving Iranian cyber operations are well-documented elsewhere [3], and include:

  • regional power projection;
  • symbolic attacks on the regime’s historic opponents (predominantly the US, the UK, and Israel);
  • retaliation for sanctions imposed by the broader international community; and
  • intellectual property theft.

Iran’s development of nuclear weapons could have allowed the regime to assert regional dominance and maintain domestic public support, in addition to the deterrence of rivals. However, the combination of sanctions and the consequent nuclear deal theoretically prevented these goals from materializing.

Cyber statecraft may be seen as an alternative means to reach the same ends, particularly following the United States’ withdrawal from the JCPOA.

The Iranian regime has demonstrated greater appetite towards destructive or disruptive cyber-attacks in peacetime than any other nation. Notable examples include the Shamoon attack in 2012 and the 2016 reappearance [4], rendering thousands of workstations unusable across Saudi Aramco, Saudi ministries, and other organizations. This form of aggression has not been mirrored by Iran’s rivals, emboldening the regime not only to continue, but to escalate its cyber operations.

Beyond the Middle East, Iran’s cyber operations follow a similar pattern of surveillance of, and retaliation against, the regime’s political opponents, particularly in the context of sanctions imposed by the international community. Tactics include disruptive attacks on critical national infrastructure within Western countries, for example DDoS attacks against over a dozen major financial institutions in 2012 and 2013 [5] and attacks on broadcasting networks.

Reporting also indicates that, like Russia and China, Iran has sought more discreet footholds within these networks to enable similar power projection in the future. The 2013 operation against Bowman Avenue Dam is a high-profile example [6], but a more recent investigation uncovered broader targeting of government agencies and critical infrastructure in 16 countries [7].

In addition to these politically-charged campaigns, Iran targets commercial entities to support the growth of the following key indigenous industries:

  • Aerospace, Defence, and Military;
  • Natural Resources and Energy;
  • Telecommunications; and,
  • Transport, Infrastructure, and Engineering.

Iran also frequently targets overseas universities to advance the development of nuclear and military capability and monitor expatriates [8].

Several alerts have been issued regarding the Iranian cyber threat, including from the UK’s NCSC and US-CERT, warning of global espionage operations across multiple industries by groups such as MuddyWater and detailing specific techniques used by Iran nexus threat actors [9].

Dozens of campaigns involving hundreds of victims around the world have been attributed to Iranian state-sponsored actors over the last two years.

Adopting advanced techniques to accelerate capability

In armed conflicts across the Middle East, Iran has funded and armed various proxy groups to enable attacks against Iran’s rivals. Due to their ideologies, these proxies often willingly take responsibility for such attacks, allowing Iran to avoid international condemnation.

Iran’s offensive cyber activities are similarly managed; they’re largely overseen by the Islamic Revolutionary Guard Corps (IRGC) [10] and frequently outsourced to mask activity and provide plausible deniability.

Iran’s network of contractors includes universities, institutions [11], criminal gangs, and terrorist organizations. Some of these actors appear to launch independent campaigns alongside their government-aligned operations [12], and evidence of shared tooling demonstrates the extent of state support for these groups [13].

Iran’s tendency to adopt advanced techniques from other prominent threat actors has accelerated capability development whilst frustrating attribution. Reporting indicates improvements in tooling between campaigns [14], and supply chain targeting as part of onward attacks against third parties [15].

In February 2019, attacks on Australia’s Parliament House and three major political parties were first attributed to China, before being blamed on an Iranian state-sponsored group [16]. Iranian actors have also re-used tools from criminal gangs [17] and customized commodity tools such as Mimikatz [18]. These techniques have muddied efforts to attribute attacks directly to the Iranian government, allowing officials to plausibly deny any involvement [19].

Looking ahead, reporting indicates Iran’s copycat behavior is leading the regime towards new forms of cyber statecraft. In August 2018, FireEye, a cybersecurity company, identified a campaign to promote Iranian political narratives using illegitimate news sites and abuse of social media platforms [20]. This campaign replicated recent tactics used by Russia to manipulate foreign public opinion, including during the 2016 US presidential election and the Brexit referendum.

What should organizations do to defend themselves?

  • Increase visibility across corporate environments at endpoint and network level and proactively hunt for evidence of current/historic compromise.
  • Develop and utilize intelligence sharing platforms and relationships with law enforcement and cybersecurity agencies to enrich hunts and improve understanding of the latest TTPs.
  • Critical infrastructure providers should rehearse organizational response to a disruptive cyber-attack, mimicking tactics, techniques, and procedures deployed by Iranian proxies.
  • Media organizations and platforms should consider the specific risks posed by state actors involved in cyber-attack and abuse of native product functionality.