Although an end of Iranian cyberattacks was never the intent of the nuclear deal, it may have been a benefit, according to Robert Malley, the senior White House negotiator on the nuclear deal and now a vice president at the International Crisis Group, a think tank that encourages nations to engage in diplomacy to solve problems. “The nuclear deal was never premised on the notion that it would alter their behavior,” Malley said. “Rather, it was based on the notion that blocking Iran’s path to a nuclear weapon was all the more critical given their behavior.”
Cyberwar is costly. In 2014, Iranian hackers significantly damaged an American target, costing gambling mogul Sheldon Adelson millions.
Adelson is a friend of Israeli Prime Minister Benjamin Netanyahu and a major Republican donor. He had been highly critical of the Obama administration’s attempts to negotiate with Iran preceding the nuclear deal. On October 22, 2013, at Yeshiva University in New York City, he suggested that instead of talking, the US should bomb the Iranian desert. If that didn’t bring the Iranians to heel, he said, “The next one is in the middle of Tehran.” Adelson continued, “So, we mean business. You want to be wiped out? Go ahead and take a tough position and continue with your nuclear development.”
Within a month, Iranian hackers were probing the systems of the Las Vegas Sands casino, which belonged to Adelson. By February 9, 2014, they had the login credentials of a senior computer systems engineer. On February 10th, thousands of computers on Sands networks were wiped clean of files.
The hackers defaced one Sands site with a photo of Adelson with Netanyahu and placed a warning on another: “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime.”
Data recovery, as well as fixing and replacing equipment, cost Adelson an estimated $40 million, according to a Bloomberg investigation of the hack.
Adelson had cavalierly talked about Iranian nuclear annihilation, so Iran hit him in a costly manner, and made it clear why they did. “They put great emphasis on tit-for-tat, measure-for-measure type of action,” Michael Eisenstadt, director of the Washington Institute’s Military and Security Studies Program and an expert on Iran, was quoted as saying.
“From their point of view, justice is poetic, and when they’re responding, they’re responding in a way that makes the connection to the initial challenge or provocation from their point of view,” he added. “There’s a lot of logic in connecting it to perceived provocations.”
Since then there have been no known major destructive attacks by Iranian hackers against an American target. Iranian hackers may have conducted cyber espionage against the US, Israel, and Saudi Arabia, but it’s been limited, compared to the years that preceded the Sands attack.
Still, in 2008, the US, in conjunction with Israel, developed and deployed one of the most destructive cyberattacks ever revealed, the Stuxnet worm. Two years passed before it was discovered, and it caused an estimated 1,000 Iranian centrifuges to malfunction and destroy themselves. It set Iranian nuclear research back by a year or more.
Then, the US imposed additional sanctions against Iran in 2010 and 2011. In response, Iranian hackers began a series of distributed denial of service (DDoS) campaigns. These are relatively unsophisticated attacks that overwhelm a network with traffic and knock it offline. They were used against major US financial institutions, including Bank of America, Citigroup, and PNC. A total of 46 companies were hit between late 2011 and early 2013, causing tens of millions of dollars in damage.
According to Michael Daniel, who was the White House cybersecurity coordinator for the latter half of Obama’s presidency, the finance-focused DDoS attacks are regarded as Iran again creating what it saw as a justified, in-kind retaliation. He said, “The conclusion is the Iranians viewed denial of service attacks as completely proportional to the economic sanctions they were experiencing. From their point of view, they were retaliating against economic aggression against them.”
In 2013, Iranian hackers also accessed the online control panels of a small dam in Rye, New York, that were left relatively unsecured. “I don’t know necessarily that they were like, ‘we need to go after the dam in New York,’” said Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, which has tracked Iranian hacking for years. “I think largely they were looking for targets of opportunity. If they can get into one of them, then they’ll call it a win and they’ll be able to use that to demonstrate to themselves and their leadership that they have the capability.”
The intrusion caused no damage, but the threat that a hacker could damage US infrastructure provoked the US in 2016 to employ its rarely used tactic of naming seven Iranians it deemed responsible and charging them with crimes, even though it was unlikely that Iran would extradite them.
When negotiations for the Joint Comprehensive Plan of Action, the Iran nuclear deal, had been completed, and the deal was being implemented, Iran turned its cyber attentions elsewhere, largely to its neighbor and rival, Saudi Arabia.
“They shifted their more active operations to targets in the region,” Daniel, the cybersecurity coordinator, said, with Saudi Arabia becoming the primary target. “You could conjecture a variety of reasons for why they might do that, but that’s a fair characterization of what happened.”
Meyers, who is also a former manager of the State Department’s State Cyber Threat Analysis Division, said that Iranians are blamed for continuous attacks on Saudi government computers and telecommunications facilities. While the US hasn’t been attacked in the same way, Meyers said that for 10 years Iranians have conducted surveillance of US targets. “That has focused primarily on a couple of topic areas,” Meyers said. “Dissidents outside and inside Iran has been a continuous target, aerospace defense sector has been a continuous target, and political intelligence sources, think tanks, things . . . that have insight into US policies.”
Recent analysis by FireEye, another prominent cybersecurity firm, found that a new Iranian state-sponsored hacking group, more sophisticated than those seen previously, has been aggressively spying on major oil companies and military contractors. Targets include companies based in the US and South Korea, but all had ties to Saudi Arabia. John Hultquist, FireEye’s manager of analysis, said, “It’s gathering espionage.”
The cyber war between the US and Iran may resume if tensions reach a breaking point, experts say. Trump’s hinting that he might pull out of the 2015 nuclear deal could ratchet up tensions, especially now, as the war against ISIS winds down.
“If they believe the US is violating the deal, hurting their economy, or trying to undermine the regime’s grip on power, regardless of the means we employ, Iran will respond,” said Malley, the nuclear negotiator. “There’s a fair possibility they would do so by targeting Americans and American interests in ways we have not witnessed in the past few years because they haven’t considered it to be in their interest, because they didn’t want to provoke a US retaliation.”
“There’s potential for this becoming an issue at any time,” Eisenstadt said. “We’re not there yet — I don’t know if it’s four months, six months, a year, year and a half down the road. But I think there’s a good chance we’re on a collision course, and I’m pretty sure cyber will play a role.”