New York: Inside the Pentagon’s cyber warfare unit, analysts have been closely monitoring internet traffic out of Iran. Nearly 10,000 kilometres away, Israel’s elite cyber intelligence Unit 8200 has been running war games in anticipation of Iranian strikes on Israeli computer networks.
Government and private-sector cyber security experts in the United States and Israel worry that US President Donald Trump’s decision to pull out of the Iran nuclear deal this week will lead to a surge in retaliatory cyber attacks from Iran.
Within 24 hours of Trump announcing the US would leave the deal, researchers at CrowdStrike, the security firm, warned customers that they had seen a “notable” shift in Iranian cyber activity. Iranian hackers were sending emails containing malware to diplomats who work in the foreign affairs offices of US allies and employees at telecommunications companies, trying to infiltrate their computer systems.
And security researchers discovered that Iranian hackers, most likely in an intelligence-gathering effort, have been quietly probing internet addresses that belong to US military installations in Europe over the last two months. Those researchers would not publicly discuss the activity because they were still in the process of warning the targets.
Iranian hackers have in recent years demonstrated an increasingly sophisticated arsenal of digital weapons. But since the nuclear deal was signed three years ago, Iran’s Middle Eastern neighbours have usually been those hackers’ targets.
Now cyber security experts believe that list could quickly expand to include businesses and infrastructure in the United States. Those concerns grew more urgent on Thursday after Israeli fighter jets fired on Iranian military targets in Syria, in response to what Israel said was a rocket attack launched by Iranian forces.
“Until today, Iran was constrained,” said James Lewis, a former government official and cyber security expert at the Centre for Strategic and International Studies in Washington. “They weren’t going to do anything to justify breaking the deal. With the deal’s collapse, they will inevitably ask, ‘What do we have to lose?'”
Lewis’ warnings were echoed by nearly a dozen current and former US and Israeli intelligence officials and private security contractors contacted by The New York Times this week.
“With the nuclear deal ripped up, our nation and our allies should be prepared for what we’ve seen in the past,” General Keith Alexander, former director of the National Security Agency, said.
Over the years, state-backed Iranian hackers have shown both the proclivity and the skill to pull off destructive cyber attacks. After the United States tightened economic sanctions against Tehran in 2012, state-supported Iranian hackers retaliated by knocking the websites of nearly every major US bank offline with distributed denial-of-service (DDoS) attacks, flooding the banks' servers with junk traffic. The attacks prevented hundreds of thousands of customers from accessing their bank accounts.
Those assaults, on about 46 American banks, detailed in a 2016 federal indictment, were directly attributed to Iranian hackers.
Iranian hackers were also behind a digital assault on the Las Vegas Sands Corporation in 2014 that brought casino operations to a halt, wiped Sands data and replaced its websites with a photograph of Sheldon Adelson, Sands’ majority owner, with Israeli Prime Minister Benjamin Netanyahu, according to the indictment.
Security researchers believe the attacks were retaliation for public comments Adelson made in a 2013 speech, when he said that the US should strike Iran with nuclear weapons to force Tehran to abandon its nuclear program.
But after the nuclear deal with Iran was signed, Iran’s destructive attacks on US targets cooled off. Instead, its hackers resorted to traditional cyber espionage and intellectual property theft, according to another indictment of Iranian hackers filed in March, and reserved their louder, more disruptive attacks for targets in the Middle East.
With the nuclear deal at risk, US and Israeli officials now worry Iran’s hackers could retaliate with cyber attacks of a more vicious kind. The Israeli war game sessions have included what could happen if the US and Russia were drawn into cyber warfare between Israel and Iran, according to a person familiar with the sessions but who was not allowed to speak about them publicly.
The United States has a blueprint for what it might expect in Saudi Arabia, where there is growing evidence that Iranian hackers may have been responsible for a string of attacks on several Saudi petrochemical plants over the past 16 months.
The attacks crashed computers and wiped data off machines at the National Industrialisation Company, one of the few privately owned Saudi petrochemical companies, and at Sadara Chemical, a joint venture of Saudi Aramco and Dow Chemical. The wiper malware the hackers used was nearly identical to the malware deployed in a similar 2012 Iranian assault on Aramco, which overwrote data on Aramco computers with an image of a burning American flag.
Private security researchers and US officials suspect that Iranian hackers also played a role in a more serious attack at another, yet-to-be-identified Saudi petrochemical plant in August that compromised the facility’s operational safety controls. Analysts believe it was the first step in an attack designed to sabotage the firm’s operations and trigger a chemical explosion. The tools used were so sophisticated that some forensic analysts and US officials suspect Russia may have provided assistance.
The August 2017 assault in Saudi Arabia marked a dangerous escalation that put officials and critical infrastructure operators in the United States on high alert. The industrial safety controls that hackers were able to compromise in Saudi Arabia, the Triconex safety instrumented systems made by Schneider Electric, are used in tens of thousands of other installations, including nuclear plants, oil and gas pipelines and water treatment facilities across the United States. Such systems exist to shut a process down safely when it leaves normal operating limits, which is why tampering with them is treated as an attempt to cause physical harm rather than mere disruption.
“Iran has upped its game faster than analysts anticipated,” said Matt Olsen, former general counsel of the National Security Agency and a former director of the National Counterterrorism Centre. He now works closely with energy companies monitoring cyber threats as president of IronNet, a private cyber security company.
Olsen added that Iran was “now among our most sophisticated nation-state adversaries. We can anticipate those capabilities could well be turned against the US.”
American officials fear that the Saudi Arabia attack, which was ultimately thwarted by an error in the attackers’ computer code, was a training drill for a future attack on infrastructure or an energy company in the United States.
Similar attacks have happened before.
In 2013, Iranian hackers infiltrated computers that controlled the Bowman Avenue Dam in Rye Brook, New York. They gained access to computers that control the dam’s water levels and flow gates, according to the 2016 indictment.
But any attempt to manipulate the dam's sluice gate would have failed, because the gate had been manually disconnected from the control system for maintenance at the time. US officials believed the true target of the cyber assault was the Arthur R. Bowman Dam, a much larger dam on the Crooked River in Oregon.
The dam hack was one of about a dozen security incidents at critical US infrastructure providers, including some power grid operators, that officials in the United States attributed to Iranian hackers.
The 2016 indictment named individual Iranian hackers, but there have not been any arrests. Officials believe there is little to deter them from trying again, especially with the United States leaving the nuclear deal and American businesses, including those in the financial services and energy sectors, likely to bear the brunt of any attacks.
“Given the history of Iranian cyber activity in response to geopolitical issues, the American energy sector has every reason to expect some type of response from Iran,” Olsen said.