Iran’s “Kitten” Cyber Hackers Poised to Strike If Trump Shreds Nuke Deal


Tehran poses an increasing cyber threat to the U.S., in light of the Trump administration’s allegations that Iran is violating United Nations Security Council resolutions tied to the nuclear agreement. Iran-sponsored hackers—dismissively referred to as “kittens” for their original lack of sophistication—are bolstering their cyber warfare capabilities as part of their rivalry with Saudi Arabia. But should President Donald Trump take further steps to scrap the nuclear deal, it could mean an uptick in Iranian state-sponsored cyber intrusions into American and allied systems, with the goals of espionage, subversion, sabotage and possibly coercion.

  • Since 2011, Iran has worked to establish itself as a prominent aggressor in cyberspace, alongside China, Russia and North Korea. Evolving from mere website defacement and crude censorship domestically in the early 2000s, Iran has become a player in sustained cyber espionage campaigns, disruptive denial of service (DDoS) attacks and the probing of networks for critical infrastructure facilities.
  • Iran wasn’t pursuing cyber capabilities with much urgency, experts say, until it was revealed  in 2010 that a joint Israeli-U.S. Stuxnet worm sabotaged nuclear centrifuges at Iran’s facility in Natanz. As the first-known instance of virtual intrusions resulting in physical effects, the operation demonstrated the potential effectiveness of such an attack and has informed much of Iranian cyber operations since.
  • Iran often has conducted disruptive cyber operations loosely in response to actions taken by others. It sees offensive cyber operations as an asymmetric but proportional tool for retaliation. For example, following the Stuxnet attack and the imposition of new sanctions on Iran’s oil and financial sectors in 2011, Tehran was suspected of retaliating in 2012 by releasing the Shamoon disk-wiping malware into the networks of Saudi oil giant Saudi Aramco and Qatar’s natural gas authority, RasGas. It also launched volleys of DDoS attacks against at least 46 major U.S. financial systems.
  • Iran commonly conducts its state-sponsored cyber operations behind a thin veil of hacktivism. From 2011 to 2013, a group calling itself the Qassam Cyber Fighters launched DDoS attacks that flooded the servers of U.S. banks with artificial traffic until they became inaccessible. In March 2016, the Justice Department unsealed indictments of seven individuals—employees of the Iran-based computer companies ITSecTeam and Mersad Company—for conducting the DDoS attacks — and intrusions into a small dam in upstate New York—on behalf of the Islamic Revolutionary Guard Corps (IRGC), the arm of Iran’s military formed in the aftermath of the 1979 Iranian revolution.

While much of Iran’s cyber operations have been attempts at asymmetric disruption against its Gulf rivals, Israel and the United States, it has recalculated since the 2015 negotiation of the Joint Comprehensive Plan of Action (JCPOA), the Iran nuclear deal.

  • Under scrutiny by the international community, Iran has largely reined in disruptive attacks against the U.S., with some operations still deployed against Saudi Arabia. In November 2016, a variant of the disk-wiping malware Shamoon was deployed against Saudi aviation and transportation authorities.

James Lewis, Senior Vice President and Program Director, CSIS

“The Iranians don’t want the nuclear deal to go away, and so that is the thing that shapes their behavior to the U.S. If we did cancel the nuclear deal, I think in some ways that would take the leash off when it comes to cyber actions. But ever since the deal was put in place, they have been very cautious about doing anything, because it is not in their interests to have sanctions re-imposed, to have hostility, to have all the things they had to deal with beforehand. So I think that is the biggest constraint right now on Iranian behavior against the U.S.”

Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis

“The costs of Iran walking away from the JCPOA are too great still, and what they will rely upon are the asymmetric measures that they have—cyber and proxy activity on the ground.”

Rather than relying on disruptive attacks against the West, Iran has pursued cyber-enabled information warfare against its regional competitors, namely Saudi Arabia. By utilizing cyber proxies to access and weaponize privileged information, Iran has subtly sought to undermine Saudi Arabia’s political standing in the region and in the eyes of international allies. This kind of grey-zone offensive—an act short of war—is a page right out of the Russian intelligence playbook of active measures in Europe and the U.S.

Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis

“One of the things that I have noticed in the way Iranians tend to approach red lines, is that they pick them apart. They don’t really go totally overboard; they go very incrementally and see what happens. The challenge for the person, or the entity or the country on the opposing side is that, if there really isn’t a red line, how do they then respond? And then, before you know it, Iran is there.”

  • In April 2015, the pro-Saudi newspaper Al Hayat was hacked by a group calling itself the Yemen Cyber Army, which experts say has loose ties to Iran. The attack replaced the media outlet’s front page with threatening messages aimed at dissuading the Saudis from getting involved in the civil unrest bubbling across their southern border. The hack was followed quickly by stories on Iran’s state-run FARS news agency and Russia’s RT network, citing the Yemen Cyber Army for breaching the Saudi foreign ministry and its threats to release personal information on Saudi officials and expose diplomatic correspondence that allegedly suggested Saudi support of Islamist groups in the region. One month later, WikiLeaks published material likely taken from the trove of stolen correspondence.
  • In another example, an Iran-linked Hezbollah hacktivist group known as the Islamic Cyber Resistance leaked sensitive material related to the Saudi army, the Saudi Binladin Group and the Israeli Defense Forces, following the December 2013 assassination of Hezbollah leader Hassan al-Laqis, according to Matthew McInniss, an AEI scholar now working on Iran in the Trump State Department. Ties also have been detected between Iran and the Syrian Electronic Army, the hacking wing of the regime of Bashar al-Assad, according to Cipher Brief expert and former CIA and NSA chief Michael Hayden.
  • The link between Iranian government support and the cyber proxy actors is difficult to prove. But it would follow the pattern of Iranian military assistance given to other types of proxy forces in Lebanon, Syria and Yemen.
  • The governmental structure in Iran that oversees cyber-related activities is the Supreme Council of Cyberspace, established by Ayatollah Ali Khamenei in March 2012. It consists of representatives from various Iranian intelligence and security services. However, the direct command-and-control structure for engaging in cyber operations remains a mystery, particularly when it comes to cyber proxies. While it could be the responsibility of Iran’s Quds Force, the external wing of the IRGC, the lack of a clear command-and-control system could be intentional. Similar to Iran’s “mosaic defense” military structure, cyber operations appear more decentralized and fluid than other countries with advanced cyber capabilities—Russia and China, for example—complicating the tracking and attribution of attacks.

James Lewis, Senior Vice President and Program Director, CSIS

“They are normally volunteers – like irregulars. They are very often organized through the Basij – which is an Iranian paramilitary group. People who have these abilities are on the payroll or getting some support from the Iranian government, but aren’t necessarily Iranian government employees. They have a network of individuals who are private, but will carry out government instructions. And I don’t think it is unwilling. In China, some people are told to either play ball or go to jail. Maybe that happens in Iran, but I have never heard of it.”

Rhea Siers, former Deputy Associate Director for Policy, National Security Agency

“Let’s take Hezbollah as an example. We know that the IRGC (Quds Force) is directly involved in Hezbollah’s strategy and used Hezbollah as a test bed against Israeli forces in the 2006 Lebanon war. That’s a pretty close link. But given that Iranian cyber capabilities are spread among different entities—the military, the IRGC, etc.—it is difficult to draw that conclusion in every instance.”

The Iranian nuclear deal may have had some cyber-deterrent value, in that it reined in Iranian disruptive attacks against the West, but this could be short-lived. Rhetoric from the Trump administration is stoking the fire, including recent statements by U.S. Ambassador to the United Nations Nikki Haley that Iran is violating the nuclear agreement.

  • Iran, as a result, is likely to engage in broad-spectrum cyber espionage to alleviate that uncertainty. For example, Operation Cleaver in 2012-14 hit U.S. military targets, as well as systems in critical industries such as energy and utilities, oil and gas, chemicals, airlines and transportation hubs, global telecommunications, healthcare, aerospace, education and the defense industrial base. Earlier this month, reports surfaced of a new Iranian state-sponsored actor—referred to as APT 34—conducting reconnaissance of critical infrastructure in the Middle East.
  • While the probing of such essential systems is alarming, it is expected as a contingency plan, should relations with adversaries escalate. The New York Times reported that the U.S. had similar plans – known as Operation Nitro Zeus – to disrupt Iranian critical services should the nuclear negotiations have gone sideways during the Obama administration. It is likely the Trump administration is devising similar contingency plans.

John Hultquist, former Senior Cyberthreat Intelligence Analyst, U.S. Government

“The situation we are in now is one of uncertainty. Intelligence services—and these hackers are connected to the intelligence services—their job is to reduce uncertainty. To do that requires engaging in these collections. So given that the future of our relationship is so uncertain, we anticipate seeing more and more of their activity in the future. In addition to that, preparing for destructive attacks, as a result of that uncertainty, would be almost a responsible move for their intelligence services, because when it is time to carry something like that out, it is going to take a while to get everything in place and ready to go.”

Rhea Siers, former Deputy Associate Director for Policy, National Security Agency

“Iranians are using cyber capabilities and information operations to shore up its conflict with the Gulf states and Saudi Arabia. They are using cyber on a continuous basis to confront Israel and other U.S. partners in the Middle East. The latest reports on their capabilities provide clear information that the Iranians have prepared their contingency planning to strike back at the U.S., Israel, Saudi Arabia and others. The number of Iranian-originated or assisted attacks is rising rapidly. Additionally, it is safe to assume that the Iranians have also learned how effective information operations can be, given the Russian experience, as well as recent events in Qatar.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.


Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *