Iran is Raising Sophistication and Frequency of Cyber-Attacks
In February, a year after the Las Vegas Sands was hit by a devastating cyber-attack that ruined many of the computers running its casino and hotel operations, the director of national intelligence, James Clapper, publicly told Congress what seemed obvious: Iranian hackers were behind the attack.
Sheldon Adelson, the billionaire chief executive of Sands, who is a major supporter of Israel and an ardent opponent of negotiating with Tehran, had suggested an approach to the Iran problem a few months before the attack that no public figure had ever uttered in front of cameras.
“What I would say is: ‘Listen. You see that desert out there? I want to show you something,'” Adelson said at Yeshiva University in Manhattan in October 2013. He then argued for detonating a US nuclear weapon where it would not “hurt a soul,” except “rattlesnakes and scorpions or whatever,” before adding, “Then you say, ‘See, the next one is in the middle of Tehran.'”
Instead, Tehran directed an attack at the desert of Nevada. Now a new study of Iran’s cyber-activities, to be released by Norse, a cyber-security firm, and the American Enterprise Institute, concludes that beyond the Sands attack, Iran has greatly increased the frequency and skill of its cyber-attacks, even while negotiating with world powers over limits on its nuclear capabilities.
“Cyber gives them a usable weapon, in ways nuclear technology does not,” said Frederick Kagan, who directs the institute’s Critical Threats Project and is beginning a larger effort to track Iranian cyber-activity. “And it has a degree of plausible deniability that is attractive to many countries.”
Kagan argues that if sanctions against Iran are suspended under the proposed nuclear accord, Iran will be able to devote the revenue from improved oil exports to cyber-weapons. But it is far from clear that that is what Iran would do.
When Clapper named Iran in the Sands attack, it was one of the few instances in which the United States had identified a specific country that it believed was using such attacks for political purposes. The first came in December, when President Barack Obama accused North Korea of launching a cyber attack on Sony Pictures. Other United States officials have said that Iran attacked US banks in retaliation for sanctions and that it destroyed computers at the oil giant Saudi Aramco in retaliation for the close Saudi ties with the United States.
The evidence from the Norse report, along with analyses by US intelligence agencies, strongly suggests that Iran has made much greater use of cyber-weapons over the past year, despite international sanctions. The attacks have mostly involved espionage, but a few, like the Sands attack, have been for destructive purposes.
In the report, to be released Friday, Norse – which, like other cyber security firms, has an interest in portraying a world of cyber-threats but presumably little incentive in linking them to any particular country – traced thousands of attacks against US targets to hackers inside Iran.
The report, and a similar one from Cylance, another cyber-security firm, make clear that Iranian hackers are moving from ostentatious cyber attacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks .
But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months or whether Tehran may be pulling back during a critical point in the nuclear negotiations.
Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or IP, addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.
Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months and that the groups were now largely quiet.
US intelligence agencies also monitor the groups, but they do not publicly publish assessments of the activity. Classified National Intelligence Estimates over the past five years have identified Russia and China as the United States’ most sophisticated, and prolific, adversaries in cyberspace.
However, US officials have said that Iran and North Korea concern them the most, not for their sophistication but because their attacks are aimed more at destruction, as was the case with the attack on Sony Pictures. In addition to the Sands attack last year – about which Clapper gave no detail in public – Iran has been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.
US intelligence officials say Iran’s most sophisticated hackers are limited in number but work for both front companies and the government. The officials are concerned that as destructive attacks become more frequent, the temptation will rise to launch attacks on what the government calls “critical infrastructure,” like railways, power grids or water supplies.
Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. Their targets have included a network that connects Marines and civilians across the United States, as well as networks of oil companies and major airlines and airports.