Russia and China remain the most serious nation-state cyber-threats facing the US, but Iran is coming on quickly, says the latest Mandiant M-Trends Threat Report released by parent company FireEye earlier this month.

“Mandiant has investigated multiple incidents of what we suspect is Iran-based network reconnaissance activity,” says the report, released April 10. “The majority of these incidents targeted the energy sector, although we have also seen these threat actors target the networks of several US state government agencies.”

In the case of one state agency, Iranian hackers “maintained local administrative access” and infected about one-quarter of the agency’s computer systems with malware, Mandiant reports. Along the way, hackers stole more than 150 gigabytes of network diagrams, user passwords, and other data.

Overall, the malicious software used in the Iranian cyber-attacks did not show great sophistication, the report said. Unlike Russian and Chinese adversaries, Iranian hackers are mostly using standard tools available on the black market. But that’s almost beside the point, it noted.

“Although we do not believe these suspected Iran-based actors are particularly capable now, nothing stands in the way of them testing and improving their capabilities,” the report said. “The US and other nation-states’ increasingly public discussions of their offensive cyber capabilities might very well encourage other interested actors to develop and test their own skills.”

Iran’s capabilities are believed to be growing rapidly, thanks to ample funding from its government and easy access to Russian, Chinese, and black market cyber-tools and expertise, other cyber experts agree.

“They’ve put in place the structures, strategy – and have acquired software tools from the black market,” James Lewis, a cyber expert with the Center for Strategic and International Studies, concurred in a recent interview. “They have groups whose job it is to hack.”

There’s also the undeniable aggressiveness. Iran is widely credited with carrying out damaging cyber-attacks on oil and gas company computers in Saudi Arabia and Qatar in August 2012. A spate of intense distributed denial of service (DDoS) against US banks began in fall 2012, running for about a year before inexplicably petering out.

The cessation of attacks on US banks might be a shift dictated by Iranian authorities eager to smooth international talks over Iran’s presumed nuclear weapons development program, some experts say. But Iran could become more aggressive if it isn’t happy with the outcome of the talks, they note.

“Although the suspected Iran-based threat actors that Mandiant has observed appear to be less sophisticated than other threat actors, they pose an ever increasing threat due to Iran’s historical hostility towards US business and government interests,” the report said.

“It’s that willingness to display belligerence in the cyber realm that sets Iran apart,” Jen Weedon, a manager in the threat intelligence division at Mandiant, told the Monitor in a March interview.

April 28, 2014