WASHINGTON—Iran has been waging cyberwar against enemies, perceived and real, at home and abroad.
It defends critical infrastructure while censoring the information its citizens can access. The government restricts domestic traffic of regime opponents and blocks ideas and information from the West. The regime is allegedly attempting to create a separate Iranian communications network and disable Google services within the country.
Although the regime is generally mum about its operations, it is implicated in serious cyber-attacks, including attacks against several leading U.S. banks.
Iran will quickly become “a significant player on the cyberspace battlefield,” says cyberwarfare expert Dr. Gabi Siboni, who is head of the Military and Strategic Affairs Program and the Cyber Warfare Program at the Institute for National Security Studies (INSS) at Tel Aviv University in Israel. He gave an overview of Iran’s intentions and capabilities in a talk at the Elliott School of International Affairs–George Washington University on April 10.
Siboni says Iran will attack critical infrastructures in the United States and Israel, while creating a posture of deniability for the attacks.
Like Russia and China, Iran uses civilian hacker groups with no official connection to the regime to give the appearance of separation between cyber-activities and the state, explains Siboni in his December 2012 paper, “Iran and Cyberspace Warfare,” written with intern Sami Kronenfeld at INSS. Iran uses proxies such as Hezbollah, which established Cyber Hezbollah, to expand its cyber warfare capacity.
These hacker groups engage in cyber-attacks “causing Internet crashes, inserting pro-Iranian material, stealing information, committing credit card fraud, damaging service providers, and rerouting Internet traffic,” Siboni says.
The most insidious goal of the regime is its control of intra-state cyberspace and information flow. It has invested heavily toward this end. The regime, through its state-owned telecommunications corporation, purchased a surveillance system from the Chinese ZTE Corporation for an estimated $130 million, says Siboni. He explains that ZTE’s products enable “voice communications eavesdropping, text message surveillance, and monitoring of Web surfing.”
Siboni quotes Jim Lewis, a former U.S. foreign service officer, who told Reuters: “It’s like the nuclear program: it isn’t particularly sophisticated, but it moves forward every year.”
Iran Gets Defensive
Iran has been at the receiving end of a major cyber-attack: Stuxnet. Launched in 2009 and 2010, and possibly as early as 2008, Stuxnet shut down more than 1,000 centrifuges used in the Iranian uranium enrichment program in Natanz. It set Iran back in its ability to develop a nuclear weapon by an estimated three years, according to Wired.com.
Stuxnet must have taught Iranian leaders the hard lesson that their cyberspace defense was vulnerable, says Siboni.
Experts say the Stuxnet worm had to be the work of a nation-state, as the attack required the command of great resources. It is widely believed that Israel and the United States were responsible for Stuxnet, but neither has admitted to it.
“As the victim of one of the world’s most destructive cyber-attacks,” writes Siboni, “one may assume that Iran fully understands the potential inherent in this realm, and accordingly will work to develop similar capabilities of its own.”
Attacks on Internet Security Companies
In 2011, an Iranian attack targeted Comodo, which issues Secure Sockets Layer (SSL) certificates. An SSL certificate binds a website’s domain name to its public key and is signed by a certificate authority the browser trusts; it is what lets a browser confirm it is talking to the genuine site before setting up an encrypted connection for private information.
PCMag.com explains: “Someone who slips a fake high-level certificate into the system can reroute secure traffic to their own servers and collect authentication data, including usernames and passwords.”
Comodo found nine fraudulent certificates, issued for domains belonging to Google, Yahoo, Skype, Microsoft, and others. Comodo revoked the certificates before any damage could occur, according to the company’s incident report. Comodo concluded from the attacker’s IP address that the attack originated in Iran, and that it likely involved a state organization.
Iran had much more success in harming major Dutch SSL provider, DigiNotar.
From June to August 2011, “531 certificates were stolen and fabricated and … most stolen permissions were used to penetrate user’s email accounts, especially in Iran,” writes Siboni, citing an analysis commissioned by DigiNotar.
The fake certificate for the Google.com domain let the attacker impersonate Gmail’s servers and read users’ traffic without the browser raising a warning. More than 300,000 computers were affected; over 99 percent of them were in Iran.
Apparently, the focus of the attack was domestic, for internal security purposes.
DigiNotar shut down as a result of the attack.
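The Comodo and DigiNotar incidents above both exploit the same weakness: a browser of that era accepted any certificate for a hostname as long as it chained to any one of the hundreds of trusted roots, so a certificate mis-issued by a compromised CA looked as good as the real one (the attacker still needed to redirect traffic, for example through the network controls the regime holds, before it could use the certificate). The following Go program is an added example, not code from the article or from INSS: it generates a stand-in “genuine” root and a stand-in “compromised” CA (both fabricated here, not real CAs), has each sign a certificate for www.google.com, and shows that plain chain validation accepts both while public-key pinning (the countermeasure browsers deployed after DigiNotar) rejects the rogue one. Names such as `Compromised Reseller CA` and the `Demo` and `Outcome` identifiers are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCA creates a self-signed CA certificate. Both CAs used below are
// generated locally for the demo; neither is a real certificate authority.
func issueCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueLeaf has ca sign a server certificate for host, using a fresh key pair.
func issueLeaf(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value
// browsers and HTTP Public Key Pinning used as a pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainVerify is what a 2011 browser did: accept any certificate for host that
// chains to any trusted root, whichever CA issued it.
func chainVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// pinnedVerify also requires the leaf's public key to be in the pin set, so a
// mis-issued certificate from another CA is rejected even though it chains.
func pinnedVerify(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	if err := chainVerify(leaf, roots, host); err != nil {
		return err
	}
	if !pins[spkiPin(leaf)] {
		return fmt.Errorf("%s: certificate chains to a trusted CA but its key is not pinned", host)
	}
	return nil
}

// Outcome records which verifier accepted which certificate.
type Outcome struct {
	ChainAcceptsGenuine, ChainAcceptsRogue, PinAcceptsGenuine, PinAcceptsRogue bool
}

// Demo: one genuine CA, one compromised CA that the client also trusts, a
// www.google.com certificate from each, both verifiers run against both.
func Demo() Outcome {
	const host = "www.google.com"
	genuineCA, genuineKey := issueCA("Genuine Root CA", 1)
	rogueCA, rogueKey := issueCA("Compromised Reseller CA", 2) // hypothetical name
	genuine := issueLeaf(host, 10, genuineCA, genuineKey)
	rogue := issueLeaf(host, 11, rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(rogueCA) // the client trusts both, as browsers trusted Comodo and DigiNotar
	pins := map[string]bool{spkiPin(genuine): true}
	return Outcome{
		ChainAcceptsGenuine: chainVerify(genuine, roots, host) == nil,
		ChainAcceptsRogue:   chainVerify(rogue, roots, host) == nil,
		PinAcceptsGenuine:   pinnedVerify(genuine, roots, host, pins) == nil,
		PinAcceptsRogue:     pinnedVerify(rogue, roots, host, pins) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Pinning the leaf key, as here, is the simplest form; browsers in practice pinned the keys of a site’s CAs so that routine certificate renewals did not break the pin, and Certificate Transparency later gave site owners a way to discover mis-issued certificates that no pin would have caught.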
Attacks on U.S. Banks, Saudi Oil Company
In March, Frank Cilluffo, director of the Homeland Security Policy Institute, testified before the U.S. House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies that the Izz ad-Din al-Qassam Cyber Fighters, a group linked to Iran, had claimed responsibility for attacks on six leading U.S. banks, including JPMorgan Chase. Cilluffo was also the moderator for Siboni’s talk at George Washington University.
They were distributed denial of service (DDoS) attacks: the attackers flooded the banks’ websites with far more requests than the servers could handle, from many sources at once, slowing or interrupting service so that legitimate customers could not reach the banks’ services.
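A defender’s first view of such a flood is usually the web server’s access log. The Go program below is an added example, not code from the article or from any of the banks, showing the two simplest detections: a single source exceeding a per-source request rate, and an aggregate request rate that exceeds a baseline even though no single source stands out (the distributed case). The log lines are constructed for the example in the Apache/nginx “combined” format; the IP addresses, thresholds, and window size are assumptions chosen for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Alert is either a "source-flood" (one client over the per-source limit in a
// window) or "volumetric" (all clients together over the aggregate limit).
type Alert struct {
	Kind   string
	Source string    // empty for volumetric alerts
	Window time.Time // start of the window, UTC
	Count  int
}

// Combined log format: client IP, ident, user, [timestamp], "request", ...
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"`)

// detectFloods buckets requests into fixed windows of the given size and
// raises an alert for any (source, window) at or above perSource requests and
// for any window at or above aggregate requests in total.
func detectFloods(logText string, window time.Duration, perSource, aggregate int) ([]Alert, error) {
	w := int64(window.Seconds())
	perSrc := map[string]map[int64]int{}
	total := map[int64]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			return nil, fmt.Errorf("unparseable log line: %q", sc.Text())
		}
		t, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			return nil, err
		}
		bucket := t.Unix() - t.Unix()%w // window start, aligned to the Unix epoch
		if perSrc[m[1]] == nil {
			perSrc[m[1]] = map[int64]int{}
		}
		perSrc[m[1]][bucket]++
		total[bucket]++
	}
	var alerts []Alert
	for src, buckets := range perSrc {
		for b, n := range buckets {
			if n >= perSource {
				alerts = append(alerts, Alert{"source-flood", src, time.Unix(b, 0).UTC(), n})
			}
		}
	}
	for b, n := range total {
		if n >= aggregate {
			alerts = append(alerts, Alert{"volumetric", "", time.Unix(b, 0).UTC(), n})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { // deterministic order: by window, then source
		if !alerts[i].Window.Equal(alerts[j].Window) {
			return alerts[i].Window.Before(alerts[j].Window)
		}
		return alerts[i].Source < alerts[j].Source
	})
	return alerts, nil
}

// buildSampleLog constructs the sample input: one ordinary visitor, one
// single-source flood, and a distributed flood from eight low-rate sources.
func buildSampleLog() string {
	var b strings.Builder
	line := func(ip string, sec int, path string) {
		fmt.Fprintf(&b, "%s - - [10/Apr/2013:14:03:%02d +0000] \"GET %s HTTP/1.1\" 200 512\n", ip, sec, path)
	}
	line("198.51.100.5", 1, "/")
	line("198.51.100.5", 12, "/login")
	line("198.51.100.5", 25, "/accounts")
	for _, s := range []int{10, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19} {
		line("203.0.113.7", s, "/login") // 11 requests from one source in the 14:03:10 window
	}
	for i := 10; i < 18; i++ { // 8 sources x 2 requests, all in the 14:03:20 window
		ip := fmt.Sprintf("203.0.113.%d", i)
		line(ip, 21, "/login")
		line(ip, 24, "/login")
	}
	return b.String()
}

func main() {
	alerts, err := detectFloods(buildSampleLog(), 10*time.Second, 10, 15)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-12s %-12s %s count=%d\n", a.Kind, a.Source, a.Window.Format(time.RFC3339), a.Count)
	}
}
```

Only the volumetric rule catches the distributed part of the flood, which is why per-source blocking alone does so little against a real DDoS; in production the aggregate threshold would be a learned baseline rather than a constant, and the response (upstream filtering, scrubbing) happens outside the web server.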
Iran also attacked several major U.S. financial institutions last year, including Bank of America, JPMorgan Chase, and Citigroup, writes Siboni, citing a Huffington Post report from September 2012. Most of the victims were not, however, the large banks, but small and medium businesses and small banks, writes Siboni.
He gives an analysis of the Iranian malware attack on the Saudi oil company Aramco and on the Qatari natural gas company RasGas. Iran, which may have had help from Hezbollah, used a piece of malware called Shamoon that wipes the data on the computers it infects. Siboni says international sanctions against Iran’s petroleum exports likely motivated it to attack the Saudi company.
It was “one of the most devastating attacks” against a single company, writes Siboni. The motives were not espionage or intelligence gathering like other Iranian attacks—it was just “total destruction of data and target computers.”
Overview of Iran’s Cyberspace Structure
Iran has an extensive and unique organizational structure to carry out multiple cyber-activities, both defensive and offensive, according to Siboni. At the top is the Supreme Cyberspace Council, headed by Supreme Leader Ayatollah Ali Khamenei.
Two central organizations that work mostly in a defensive posture are the Cyber Defense Command and the Center for Information Security.
The Committee to Identify Unauthorized Websites controls internal Iranian cyber-activities. It blocks access to sites that are inimical to the regime’s requirements.
The police have their own cybercommand, the Cyber and Information Exchange Police (FETA). FETA is authorized to arrest political criminals and anyone who poses a security threat. It monitors Internet users, especially in Internet cafés.
The Revolutionary Guards (a branch of Iran’s military founded after the Iranian Revolution) conduct offensive cyberspace warfare.
In 2008, the Guards employed 2,400 professionals in this area and had a budget of $76 million. Also linked to the Revolutionary Guards is the hacker group Ashiyane Digital Security Team. The Ashiyane hackers attack the regime’s perceived enemies. They are also involved in criminal enterprises, such as credit card fraud, identity theft, and infiltration of financial institutions, says Siboni.
The Cyber Army, which targets Western websites, is also linked with the Revolutionary Guards.
Rounding out the list of entities engaged in cyberwarfare are the lower level hackers and bloggers for the Iranian Basij militia, which is subordinate to the Revolutionary Guards. The Basij Cyberspace Council was created in 2010. These are the tens of thousands of pro-regime bloggers who spread pro-Iranian propaganda in cyberspace.