But the recent outpouring of reporting follows a flurry of new activity, which has targeted a number of entities in the Gulf and in Western countries, using more sophisticated tools such as a modified version of the Shamoon computer virus, previously used in 2012 for devastating attacks on the state-owned oil company Saudi Aramco and Qatar’s RasGas.
The Wired article characterizes the latest attacks as part of a program of retaliation against the United States in the wake of the re-imposition of economic sanctions following President Donald Trump’s withdrawal from the 2015 Iran nuclear deal in May. The article quotes one cybersecurity expert, CrowdStrike Vice President Adam Meyers, as saying “Iran has targeted the West before and will continue to do so.”
Meyers also observed that the latest emergence of Shamoon is actually the third, as its operations had previously continued in 2016 and 2017 before taking on their new form involving broader customizability and the ability to destroy targeted files or entire systems following the theft of information.
According to Wired, these and other operations can be expected to continue and even escalate as the US continues to enforce sanctions and otherwise pursue assertive policies toward the Islamic Republic. The Iranian hackers’ motivations are evident in the fact that at least a dozen Treasury officials have been targeted in recent months, alongside other persons with specialized knowledge of the US sanctions regime. But American entities are by no means alone on the list of individuals and groups whom Iranian hackers have targeted in order to steal information, gain access to their accounts, or generally “wreak havoc.”
In another report published on Tuesday, Gulf News highlighted cyberattacks on oil and gas companies headquartered both in Europe and among Iran’s Arab adversaries, including but not limited to Saudi Arabia. Additionally, the Associated Press reported upon the growing phenomenon nearly a week earlier and noted that the latest hacking efforts had been directed against US officials outside the Treasury Department, against American defense companies, various foreign policy think tanks, high-profile commentators on the Iran nuclear deal, and perhaps most alarmingly, Arab atomic energy experts.
The AP, Gulf News, and Wired all indicate that there is little doubt about these operations’ origins in the Iranian regime. Although Tehran does have a long history of hiring independent contractors to carry out the technical work of hacking, there has been a longstanding trend toward greater central organization of that work. This trend points to clear overlap between the targets of Iran-based hackers and targets that are relevant to the Iranian regime’s interests.
This trend clearly remained on display for cybersecurity experts following the latest revelations about Shamoon and related operations. Dick O’Brien, threat researcher at Symantec, said specifically of Shamoon that it has “hallmarks of state-sponsored attacks,” according to Gulf News. Meanwhile, the AP indicates that Allison Wikoff of Secureworks drew upon the latest Certfa report to conclude that “it’s fairly clear cut” that the past operations of relevant Iranian hackers were government-backed.
In any event, Gulf News quoted yet another cybersecurity expert, FireEye’s Alister Shepherd, as saying, “The sophistication and volume of attacks from Iran have been consistently increasing.” The AP report noticeably agreed with this assessment, insofar as it identified instances of hackers reacting very quickly when a certain individual’s work became relevant to Iranian interests. In other cases, people were targeted in spite of their relevant activities being low-profile or not publicly disclosed.
Shepherd went on to assert that the trend toward more frequent and more advanced hacking operations can be expected to continue through the year 2019, as political tensions between Iran and the US continue to escalate, with implications for allies on each side. And yet another report published on Tuesday, this one by Stratfor, expanded upon this conclusion with reference to Iran’s overall tendency toward “asymmetrical warfare.”
According to that report, the rising tide of state-sponsored hacking is only one aspect of that larger strategy, but the high-profile trend is indicative of the general behavior that can be expected from the Islamic Republic in the year ahead.
“Iran’s strategy for handling conflict in cyberspace mirrors its game plan for physical clashes,” the article explains, noting that the regime will strive to compensate for an imbalance of power with its foreign adversaries by relying on tactics like terrorism and the support of militant proxies in the broader Middle East.
Critics of the Islamic Republic are quick to point out that the regime has already manifested greater reliance on these tactics over the course of 2018, and earlier in some cases. Tehran has directed at least four terrorist plots against Iranian dissident targets on Western soil during the past year.
In March, Iranian operatives were arrested while planning an attack on the compound housing more than 2,000 members of the People’s Mojahedin Organization of Iran, and in June two other operatives attempted to carry out a bombing of the international rally organized by the PMOI’s parent coalition, the National Council of Resistance of Iran.
Later in the summer, one Iranian citizen and one American citizen of Iranian extraction were indicted in US federal court for spying on behalf of the Iranian Ministry of Intelligence and apparently setting the stage for would-be attacks on PMOI-affiliates on American territory as well.
Finally, in October, Danish authorities arrested a would-be assassin targeting Iranian Arab opposition figures, and the Danish government proceeded to put pressure on the European Union to confront persistent asymmetrical threats stemming from the Islamic Republic.
This and other critics of the predominant Western response have said much the same thing about Iranian terrorism as Stratfor said about Iranian cyberattacks at the conclusion of its report: “Iran has rapidly improved its… capabilities over the past year and looks to continue that trend in 2019. As it responds to greater U.S. sanctions and other efforts to weaken its government, it will be important not to underestimate those capabilities.”
The multiple recent reports about Iranian hacking underscore the breadth of assets and allies that stand to be affected if belligerent Iranian activities are allowed to go unchecked. And to this observation it might be added that Iran’s domestic population also stands to suffer as conflict escalates between the regime and its people.
The outpouring of anti-government activism since the end of 2017 has been variously cited as a contributing factor in Tehran’s terrorist plots and other attacks on perceived foreign sources of support for the PMOI and other protest organizers. Meanwhile, escalating domestic restrictions on cyberspace have accompanied the outward-directed hacking activities.
Indeed, the Associated Press noted that the long list of recent targets of Iranian hacking includes a number of Iranian citizens, “including media workers, an agronomist and a senior employee of the country’s Department of Environment.” This latter example clearly connects cyberattacks to the ongoing physical assaults on activists and other perceived threats to the Islamic Republic, as about a dozen experts on the environment were arrested in early 2018 as part of the government crackdown.
As Tehran’s cyberattacks on foreign targets grow both more frequent and more sophisticated, a similar trend can be expected in the domestic arena, especially if the international community fails to react to ongoing calls for action to help safeguard free speech and freedom of communication in the Islamic Republic.
The Center for Human Rights in Iran reiterated one such call to action on Monday after praising the company behind the popular instant messaging app Telegram for warning Iranian users about the Iranian regime’s efforts to exploit its popularity. Telegram was temporarily blocked in the midst of the mass uprising at the end of 2017 and beginning of 2018, leading to concerted efforts by the regime to make that block permanent.
Among those efforts was the introduction of domestically-produced alternatives that would allow users to communicate with the actual Telegram app, but would also censor content that was not government-approved, as well as leaving users open to monitoring by Iran’s cyber police.
According to CHRI, some Iranian officials have specifically identified these alternatives, namely Talaeii and Hotgram, as having been developed by Iranian security forces with the specific intention of making use of their deliberate vulnerabilities.
With this in mind, the report argues that Telegram has not yet gone far enough in defending the app’s many Iranian users. It concludes by quoting CHRI internet security researcher Amir Rashidi as saying, “Telegram should follow through on its warning message by discontinuing these apps’ access to Telegram servers.”
“Doing so will send a message to the Iranian government that even big tech companies will not engage in business as usual while the state violates the rights of its citizens.”
This, of course, represents only a fraction of the pressure faced by businesses and national governments as awareness grows of Iranian cyber threats both inside the country and throughout the world. Rising levels of that pressure are also coming from inside the Islamic Republic itself, as ongoing anti-government protests are accompanied by a public push for fewer restrictions on online activity. This push is arguably fueled in part by Tehran’s seemingly contradictory effort to globally extend its own influence over cyberspace.
According to another CHRI report, Iranian Oil Minister Bijan Zanganeh recently joined Twitter, which has been banned in Iran since the 2009 Green Movement. This announcement has spurred Iranians from across the political spectrum to come forward with renewed condemnations of the regime’s hypocrisy and malign behavior with regard to cyberspace.