Intelligence & Cyber
United States and Iran's cyber warfare
Rumors about a cyber war between the United States and Iran were recurring after the killing of Gen. Qassem Soleimani by a US drone on 3 January 2020. Iran is in fact a cyber power with a very active ‘proxy cyber militia’ that it could use against the USA and its allies for vengeance, or as an alternative form of warfare that avoids the risk of escalation with conventional weapons. The shooting down of the Ukrainian plane suggests, however, a pause in any military action by Teheran.
Cyber warfare is now a consistent element of modern warfare, which treats terrorism, information warfare, insurgency and other non-conventional systems as useful tools for confronting enemies. It is a fundamental instrument of the so-called ‘hybrid warfare’, to the point that cyberspace must be considered the fifth dimension of modern conflict, after land, sea, air and space. This is even more true when conventional powers are involved in a conflict, with the risk of escalation and unpredictable consequences. In addition, Iran is in eighth place in the Middle East in terms of defense spending as a percentage of GDP. There is a wide gap between its external goals (its ambitions as a regional power and the export of the Iranian revolution) and its means to obtain them, compared with those of its enemies, such as Saudi Arabia, Israel and the United States. Cyber attacks can be a realistic and feasible alternative to an asymmetric kinetic war that would be very disadvantageous for Iran.
It would not be the first time that the United States and Iran have confronted each other in cyberspace. Even if it is impossible to define responsibility for a cyber attack (the so-called attribution problem), in recent years both Washington and Teheran have confronted each other with cyber attacks or cyber sabotage that are now being studied in military manuals. The first and most famous cyber interference by the United States (and Israel) against Iran was the Stuxnet worm in 2010, which infected the centrifuges of the Fuel Enrichment Plant in Natanz through an external USB key. The attack’s aim was to block and neutralize the Iranian plant. It caused damage to about 1000 centrifuges and stopped Iranian nuclear activities for almost 5 years.
Stuxnet alerted Iranian authorities that a new era was beginning.
Iran’s response was Operation Ababil. From December 2011 to May 2013, DDoS attacks (a distributed denial of service is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target with a flood of Internet traffic from many sources) were directed against 46 major US financial institutions and corporations on at least 176 days. Hundreds of thousands of customers were unable to access their accounts online, and victim institutions incurred millions of dollars in remediation costs. An Iran-affiliated hacker group called Izz al-Din al-Qassam Cyber Fighters claimed responsibility.
In the meantime, two forms of advanced malware, Duqu (2011, an extended version of Stuxnet) and Flame (2012), were discovered on Iranian computer networks. Flame was spyware that affected the Microsoft Windows operating system on personal computers. Its main effect was data loss for thousands of victims across Iranian private companies and universities. It was a different kind of attack compared to Stuxnet: Flame was not a sabotage tool but a spy worm in search of personal data to be used for illegal economic gain. On that occasion, a private group (the Equation Group, linked to the NSA) was considered responsible for the attack and, even if the main target was Iran, traces of Flame were also discovered in Lebanon, Syria, Israel, Europe and North America.
Recently, other attacks have marked the attrition between the United States, Israel and Iran. However, the most important attack, with certain attribution of responsibility, was carried out by US Cyber Command against the networks of Iran’s paramilitary intelligence in June 2019. It was a US retaliation after a series of rocket attacks against oil tankers in the Strait of Hormuz, for which Washington was sure of Iran’s responsibility.
After a failed retaliatory airstrike, prompted by Iran’s downing of a US drone, US Cyber Command attacked the Iranian database used by a paramilitary arm to plot attacks against oil tankers. The US cyber action degraded Teheran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily. On this occasion there was no problem attributing the attack, as US Cyber Command admitted its responsibility. In a normal situation, all the operations between Iran and the US should be considered as a sort of act of war, even if an ‘undeclared’ one. Today, however, even if international politics rests on recognized and shared international laws, the latter are increasingly violated without the imposition of any credible or powerful sanctions. In fact, there is no longer a supranational authority capable of managing and imposing codes of conduct appropriate to the resolution of conflict between nations. This is why the foundations of a ‘cyber guerrilla war’ among powers are being laid.
Moreover, cyber warfare can be considered an alternative tactical instrument for Iran to conduct covert operations, mainly for espionage. Personal, economic, financial and above all technological data are now the most coveted spoils of war. They are strategic targets, much more important than the conquest and control of land. This is due to competition in a global, asymmetric and, above all, ever more connected world that relies on wireless networks. Data acquisition and the control of flows are the main purpose of many cyber powers. It is similar to gaining control of maritime routes crossing strategic choke points, like the Strait of Hormuz or the Bab el Mandeb Strait, or to obtaining financial and commercial data passing through submarine cable systems or over the World Wide Web. It is an aspect of the geopolitics of flows, in which cyber warfare seems to be the perfect tool for an endless war that is never declared.
As far as we know at the moment, Iran lacks the advanced cyber capabilities to carry out sophisticated operations. It uses proxy agents or ‘threat actors’ to conduct scientific, military and industrial espionage. The use of proxy militias on battlefields (Afghanistan, Lebanon, Syria, Iraq and Yemen) or of proxy cyber agents on the Internet seems to be a habitual tactic for Iran in order to fill the gap between its power ambitions and the real tools available in its arsenals. In cyber warfare, Iran seems not to have used state agents but a mix of criminals, hackers and individuals willing to serve as its cyber mercenaries.
On the other hand, Iran seems to have received new capabilities in cyberspace from China. China is, in fact, the world’s strongest power in cyber defense. Even if the Chinese authorities have not yet given Iran cyber offensive capabilities, transfers of specific skills could be possible as a new form of collaboration after the escalation of attrition between Iran and the USA. This alarm was raised by Israeli military authorities, which fear Iranian cyber retaliation because of the information shared between US and Israeli intelligence agencies about Soleimani’s last movements.
Chinese aid creates the conditions for what is called ‘plausible deniability’. In the case of a cyber attack, Iran’s political and military authorities can demonstrate that they do not have the specific know-how needed to launch such an attack or to benefit from its results. It is a kind of ‘deception’, even if Iran’s involvement is very hard to disprove.
Iran’s success, however, is also due to the limits of its enemies. On a real battlefield, these limits are often weak armies, perhaps well armed but without strategic skills, command or training, as has occurred with the Syrian rebels or in Iraq with the Islamic State. In cyberspace, paradoxically, it is the hyper-connection among innumerable actors (states and/or individuals), and their excessive confidence in their own capabilities, that leads them to underestimate the security of their networks and to expose their weaknesses.
Iran’s cyber attack abilities are at the moment a pillar of its deterrence strategy, together with the use of proxy militias all over the Middle East, its missile arsenals, and the possibility of disrupting maritime traffic passing through Hormuz and, in the event of total control of Yemen, also the Bab el Mandeb Strait. From this perspective, Iran’s cyber warfare capabilities must be seen not as a big cyber army but as a strategic tool of espionage and deception. The challenge for Iran’s enemies is to prevent it from becoming an effective espionage and sabotage tool with its adversaries’ critical infrastructures as its cyber targets.