Tehran poses an increasing cyber threat to the U.S., in light of the Trump administration’s allegations that Iran is violating United Nations Security Council resolutions tied to the nuclear agreement. Iran-sponsored hackers—dismissively referred to as “kittens” for their original lack of sophistication—are bolstering their cyber warfare capabilities as part of their rivalry with Saudi Arabia. But should President Donald Trump take further steps to scrap the nuclear deal, it could mean an uptick in Iranian state-sponsored cyber intrusions into American and allied systems, with the goals of espionage, subversion, sabotage and possibly coercion.
- Since 2011, Iran has worked to establish itself as a prominent aggressor in cyberspace, alongside China, Russia and North Korea. Evolving from mere website defacement and crude domestic censorship in the early 2000s, Iran has become a player in sustained cyber espionage campaigns, disruptive distributed denial of service (DDoS) attacks and the probing of networks belonging to critical infrastructure facilities.
- Iran wasn’t pursuing cyber capabilities with much urgency, experts say, until it was revealed in 2010 that a joint Israeli-U.S. Stuxnet worm had sabotaged nuclear centrifuges at Iran’s facility in Natanz. As the first known instance of a virtual intrusion producing physical effects, the operation demonstrated the potential effectiveness of such an attack and has informed much of Iran’s cyber activity since.
- Iran has often conducted disruptive cyber operations loosely in response to actions taken by others. It sees offensive cyber operations as an asymmetric but proportional tool for retaliation. For example, following the Stuxnet attack and the imposition of new sanctions on Iran’s oil and financial sectors in 2011, Tehran was suspected of retaliating in 2012 by releasing the Shamoon disk-wiping malware into the networks of Saudi oil giant Saudi Aramco and Qatar’s natural gas authority, RasGas. It also launched volleys of DDoS attacks against at least 46 major U.S. financial systems.
- Iran commonly conducts its state-sponsored cyber operations behind a thin veil of hacktivism. From 2011 to 2013, a group calling itself the Qassam Cyber Fighters launched DDoS attacks that flooded the servers of U.S. banks with artificial traffic until they became inaccessible. In March 2016, the Justice Department unsealed indictments of seven individuals, employees of the Iran-based computer companies ITSecTeam and Mersad Company, for conducting the DDoS attacks, as well as intrusions into a small dam in upstate New York, on behalf of the Islamic Revolutionary Guard Corps (IRGC), the arm of Iran’s military formed in the aftermath of the 1979 Iranian revolution.
While much of Iran’s cyber activity has consisted of attempts at asymmetric disruption against its Gulf rivals, Israel and the United States, it has recalculated since the 2015 negotiation of the Joint Comprehensive Plan of Action (JCPOA), the Iran nuclear deal.
- Under scrutiny by the international community, Iran has largely reined in disruptive attacks against the U.S., though some operations are still deployed against Saudi Arabia. In November 2016, a variant of the disk-wiping malware Shamoon was deployed against Saudi aviation and transportation authorities.
James Lewis, Senior Vice President and Program Director, CSIS
“The Iranians don’t want the nuclear deal to go away, and so that is the thing that shapes their behavior to the U.S. If we did cancel the nuclear deal, I think in some ways that would take the leash off when it comes to cyber actions. But ever since the deal was put in place, they have been very cautious about doing anything, because it is not in their interests to have sanctions re-imposed, to have hostility, to have all the things they had to deal with beforehand. So I think that is the biggest constraint right now on Iranian behavior against the U.S.”
Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis
“The costs of Iran walking away from the JCPOA are too great still, and what they will rely upon are the asymmetric measures that they have—cyber and proxy activity on the ground.”
Rather than relying on disruptive attacks against the West, Iran has pursued cyber-enabled information warfare against its regional competitors, namely Saudi Arabia. By using cyber proxies to access and weaponize privileged information, Iran has subtly sought to undermine Saudi Arabia’s political standing in the region and in the eyes of international allies. This kind of grey-zone offensive, an act short of war, is a page right out of the Russian intelligence playbook of active measures in Europe and the U.S.
Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis
“One of the things that I have noticed in the way Iranians tend to approach red lines, is that they pick them apart. They don’t really go totally overboard; they go very incrementally and see what happens. The challenge for the person, or the entity or the country on the opposing side is that, if there really isn’t a red line, how do they then respond? And then, before you know it, Iran is there.”
- In April 2015, the pro-Saudi newspaper Al Hayat was hacked by a group calling itself the Yemen Cyber Army, which experts say has loose ties to Iran. The attack replaced the media outlet’s front page with threatening messages aimed at dissuading the Saudis from getting involved in the civil unrest bubbling across their southern border. The hack was followed quickly by stories on Iran’s state-run FARS news agency and Russia’s RT network, citing the Yemen Cyber Army for breaching the Saudi foreign ministry and its threats to release personal information on Saudi officials and expose diplomatic correspondence that allegedly suggested Saudi support of Islamist groups in the region. One month later, WikiLeaks published material likely taken from the trove of stolen correspondence.
- In another example, an Iran-linked Hezbollah hacktivist group known as the Islamic Cyber Resistance leaked sensitive material related to the Saudi army, the Saudi Binladin Group and the Israel Defense Forces following the December 2013 assassination of Hezbollah leader Hassan al-Laqis, according to Matthew McInniss, an AEI scholar now working on Iran in the Trump State Department. Ties also have been detected between Iran and the Syrian Electronic Army, the hacking wing of the regime of Bashar al-Assad, according to Cipher Brief expert and former CIA and NSA chief Michael Hayden.
- The link between Iranian government support and the cyber proxy actors is difficult to prove. But it would follow the pattern of Iranian military assistance given to other types of proxy forces in Lebanon, Syria and Yemen.
- The governmental structure in Iran that oversees cyber-related activities is the Supreme Council of Cyberspace, established by Ayatollah Ali Khamenei in March 2012. It consists of representatives from various Iranian intelligence and security services. However, the direct command-and-control structure for conducting cyber operations remains a mystery, particularly when it comes to cyber proxies. While it could be the responsibility of Iran’s Quds Force, the external wing of the IRGC, the lack of a clear command-and-control system could be intentional. Similar to Iran’s “mosaic defense” military structure, its cyber operations appear more decentralized and fluid than those of other countries with advanced cyber capabilities, Russia and China for example, complicating the tracking and attribution of attacks.
James Lewis, Senior Vice President and Program Director, CSIS
“They are normally volunteers – like irregulars. They are very often organized through the Basij – which is an Iranian paramilitary group. People who have these abilities are on the payroll or getting some support from the Iranian government, but aren’t necessarily Iranian government employees. They have a network of individuals who are private, but will carry out government instructions. And I don’t think it is unwilling. In China, some people are told to either play ball or go to jail. Maybe that happens in Iran, but I have never heard of it.”
Rhea Siers, former Deputy Associate Director for Policy, National Security Agency
“Let’s take Hezbollah as an example. We know that the IRGC (Quds Force) is directly involved in Hezbollah’s strategy and used Hezbollah as a test bed against Israeli forces in the 2006 Lebanon war. That’s a pretty close link. But given that Iranian cyber capabilities are spread among different entities—the military, the IRGC, etc.—it is difficult to draw that conclusion in every instance.”
The Iranian nuclear deal may have had some cyber-deterrent value, in that it reined in Iranian disruptive attacks against the West, but this could be short-lived. Rhetoric from the Trump administration is stoking the fire, including recent statements by U.S. Ambassador to the United Nations Nikki Haley that Iran is violating the nuclear agreement, leaving the future of the deal uncertain.
- Iran, as a result, is likely to engage in broad-spectrum cyber espionage to reduce that uncertainty. For example, Operation Cleaver in 2012-14 hit U.S. military targets, as well as systems in critical industries such as energy and utilities, oil and gas, chemicals, airlines and transportation hubs, global telecommunications, healthcare, aerospace, education and the defense industrial base. Earlier this month, reports surfaced of a new Iranian state-sponsored actor, referred to as APT 34, conducting reconnaissance of critical infrastructure in the Middle East.
- While the probing of such essential systems is alarming, it is to be expected as a contingency plan should relations with adversaries escalate. The New York Times reported that the U.S. had similar plans, known as Operation Nitro Zeus, to disrupt Iranian critical services had the nuclear negotiations gone sideways during the Obama administration. It is likely the Trump administration is devising similar contingency plans.
John Hultquist, former Senior Cyberthreat Intelligence Analyst, U.S. Government
“The situation we are in now is one of uncertainty. Intelligence services—and these hackers are connected to the intelligence services—their job is to reduce uncertainty. To do that requires engaging in these collections. So given that the future of our relationship is so uncertain, we anticipate seeing more and more of their activity in the future. In addition to that, preparing for destructive attacks, as a result of that uncertainty, would be almost a responsible move for their intelligence services, because when it is time to carry something like that out, it is going to take a while to get everything in place and ready to go.”
Rhea Siers, former Deputy Associate Director for Policy, National Security Agency
“Iranians are using cyber capabilities and information operations to shore up their conflict with the Gulf states and Saudi Arabia. They are using cyber on a continuous basis to confront Israel and other U.S. partners in the Middle East. The latest reports on their capabilities provide clear information that the Iranians have prepared their contingency planning to strike back at the U.S., Israel, Saudi Arabia and others. The number of Iranian-originated or assisted attacks is rising rapidly. Additionally, it is safe to assume that the Iranians have also learned how effective information operations can be, given the Russian experience, as well as recent events in Qatar.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.