According to multiple sources, State Department officials believe Iran hacked their emails and social media accounts in 2015, during a particularly sensitive week for the nuclear deal.
A cyber-attack took place within days of the deal overcoming opposition in Congress in late September that year, Susan Crabtree writes in an article for the Free Beacon. This occurred during the week when Iranian officials and negotiators for the United States and other world powers were attempting to meet implementation deadlines for a series of agreements with Tehran.
The sources say that it’s unclear whether top officials at the State Department negotiating the Iran deal knew about the hack, or even if their personal or professional email accounts were compromised.
A State Department spokesman asked about the September 2015 cyber-attack said, "For security reasons we cannot confirm whether any hacking incident took place.”
According to an email dated September 24, 2015, and multiple interviews with sources familiar with the attack, at least four State Department officials in the Bureau of Near East Affairs and a senior State Department adviser on digital media and cyber-security were involved in trying to contain the hack.
In the week leading up to the deadline, Senate Democrats blocked several attempts to pass a GOP-led resolution to disapprove of the nuclear deal. The resolution of disapproval needed 60 votes to pass but received only 58.
Crabtree writes, “State Department officials in the Office of Iranian Affairs on Sept. 24, 2015 sent an email to dozens of outside contractors. The email alerted the contractors that a cyber-attack had occurred and urged them not to open any email from a group of five State Department officials that did not come directly from their official state.gov accounts.” She states that the email read, "We have received evidence that social media and email accounts are being compromised or subject to phishing messages. Please be advised that you should not open any link, download or open an attachment from any e-mail message that uses our names but is not directly from one of our official state.gov accounts. We appreciate learning of any attempts to use our names or affiliations in this way.”
Shervin Hadjilou, the public diplomacy officer in the Office of Iranian Affairs, sent the email and cc'd four other State Department officials who deal with Iran issues, including one cyber-security expert, according to Crabtree. She adds, “Two sources familiar with the details of the hack said the State Department and outside contractors determined that Iranian officials were the perpetrators. The hack, which began Sept. 21, had compromised at least two State Department officials' government email accounts before they regained control of them, as well as private email addresses and Facebook and other social media accounts, the source said.”
"They had access to everything in those email accounts," the source continued, "Everyone in the [State Department Iranian Affairs] community was very upset—it was a major problem.”
Cyber-warfare between Iran and the United States had cooled considerably in 2015 during the nuclear negotiations, but after Iran discovered the Stuxnet virus—a cyber-worm the United States and Israel planted to degrade Iran's nuclear capabilities— the countries have been engaged in escalating cyber warfare as Tehran's cyber capabilities become increasingly sophisticated.
Crabtree writes, “Since 2011 Iran has attacked U.S. banks and Israel's electric grid. In 2012, Iranian hackers brought down Saudi-owned oil company Saudi Aramco, erasing information on nearly 30,000 of the company's work stations and replacing it with a burning American flag.” She adds, “Cyber-security experts have long believed that Russia helped Iran quickly build up its cyberweaponry in response to Stuxnet. A team of computer-security experts at TrapX, a Silicon Valley security firm that helps protect top military contractors from hackers, said in April they officially confirmed that Iranians were using a cyber ‘tool set’ developed by Russians.”
TrapX investor who served on a commission advising the Obama administration on cyber-security, Tom Kellerman, said Iranian cyber warfare has dramatically improved over the last few years, partly with Russian technical assistance. "Much like you see the alliance between Syria, Iran, and Russia, the alliance doesn't just relate to the distribution of kinetic weapons," he said, “but extends into cyberwarfare.”
According to Crabtree, the 2015 hack involved at least two State Department officials and a handful of outside contractors, who lost control of access to their email and social media accounts, which were automatically forwarding emails to work and personal contacts, spreading it to a wide network of victims.
Approximately 40 private firms who were privately contracting for State Department Iran program were outraged by the infiltration. "They were saying ‘We're mad—we're angry,'" the source recalled. "We all got compromised.”
Eric Novotny, one of the four government officials copied on Hadjilou's Sept. 24 email, and who served as a senior adviser for digital media and cyber security at the State Department at the time, was involved in trying to shut down the hack and help affected officials and private contractors regain control of their accounts.
Michael Pregent, a senior Middle East analyst at the Hudson Institute said, "Within hours of the Iran deal being greenlighted, Iran was already conducting cyberattacks against the very State Department that ensured passage of the [nuclear deal]. Acknowledging a cyberattack after the [nuclear deal] was greenlighted would be something that would immediately signal that it is a bad deal—that these are nefarious actors.”
The CEO of the Foundation for Defense of Democracies, Mark Dubowitz said Iran's hacking of State Department personnel at such a critical period is "just one of many of Iran's malign activities that continued and the State Department essentially ignored while the Obama administration was working out the fine points of the nuclear deal.”
The Wall Street Journal reported in early November 2015, that the Iran's hardline Revolutionary Guard military had hacked email and social-media accounts of Obama administration officials. Crabtree writes, “Yet that report wrongly tied the beginning of the uptick in Iranian cyberattacks to the arrest October 29, 2015 of Siamak Namazi, a businessman and Iranian-American scholar who has pushed for democratic reforms. Namazi and his elderly father remain imprisoned in Iran and face a 10-year sentence on espionage charges.”
Crabtree alleges that the Sept. 24 email shows the Iranian hacking of State Department officials occurred on the weekend after Republicans in Congress failed to push through a resolution disapproving the Iran nuclear pact.
According to David Albright, a former U.N. weapons inspector and president of the Institute for Science and International Security, infiltrating State Department emails and internal communications about where the United States stood on a number of sensitive issues could have given the Iranians an important negotiating advantage, "The [Joint Comprehensive Plan of Action] had a lot of loose language at the time and the question was whether the U.S. was going to accept it," he stated, and added, ”It would be to Iran's great benefit to know where the U.S. would be" on a number of these issues dealing with the possible military dimensions of the Iran nuclear program, he said. "If they could tell the U.S. was going to punt, they could jerk around the [International Atomic Energy Agency, or IAEA] a bit. That's essentially what happened with the IAEA.” The IAEA is charged with verifying and monitoring Iran's commitments under the nuclear agreement.
Albright goes on to say that the IAEA accepted far less access to nuclear sites than it originally desired. The United States and other world powers also accepted other concessions involving "loopholes" allowing Iran to exceed uranium enrichment and heavy water limits for a certain time period in order for Iran to meet implementation deadlines. "The IAEA didn't know much at all and had to write a report [in December 2015] that it was content in knowing so little," he said.
Sources said the hackers sent spear-phishing messages, which impersonate close contacts, to gain access to the compromised accounts. Co-founder of Casaba, a cyber-security firm that conducts test-hacking for Fortune 500 companies, Samuel Bucholtz, said, ”If it's a phishing account that installs malware on your machine, then they have access to all the information on your machine," he said. "Then they start using that foothold to start exploring access throughout the entire organization."