In 2016, the industrial computer security firm MalCrawler conducted an experiment: It created an elaborate network to observe the actions and gauge the intentions of malicious cyber operators. The firm concluded that hackers from different countries typically exhibit distinct behaviors. Chinese hackers pilfered “anything that looked like novel technical information.” Russians penetrated systems, “mapping them and implanting hard-to-find backdoor access for potential future use.” In contrast, Iranian hackers sought to do “as much damage as possible.”1 This is consistent with Iranian cyber behavior: Over the past decade, the Islamic Republic has shown it will exploit deficient cyber defenses to wreak havoc on its adversaries’ networks. The regime is now bolstering its capacity to cause even greater harm in the future.
Comparatively lacking in conventional forms of military, economic, and geopolitical power, the Islamic Republic leverages asymmetric capabilities to wage war against the United States and its allies. These methods include sponsorship of terrorists and militia forces, hostage taking, overseas assassinations, ballistic missiles, and – potentially – nuclear weapons. The latest additions to this asymmetric toolkit are cyber capabilities and, specifically, cyber-enabled economic warfare – a strategy involving cyber attacks against an adversary’s economic assets in order to reduce its political and military power.2 Consistently, the evidence reveals that the Iranian regime and its Islamic Revolutionary Guard Corps (IRGC) are sponsoring these malicious Iranian cyber operations.
The Islamic Republic accelerated its pursuit of offensive cyber capabilities in 2009-2010 after falling prey to the Stuxnet virus, reportedly engineered by the U.S. and Israel.3 Less than two years later, the Islamic Republic retaliated against U.S. economic sanctions with cyber attacks on American banks, along with a costly attack against regional rival Saudi Arabia.4
After those two operations, the Islamic Republic’s cyber activities appeared to shift. As Tehran sought to negotiate relief from U.S. sanctions, its malicious cyber activity focused primarily – although not exclusively – on its regional adversaries, and simultaneously, the regime also expanded its cyber infiltration operations around the world. Through these campaigns, Iranian hackers are able to hone their skills on soft targets and pre-position assets for future conflicts, both cyber and otherwise.5
Those battles may be around the corner. The U.S. has reinstated its sanctions on Iran after withdrawing from the controversial 2015 nuclear accord in May. These sanctions threaten to further destabilize an economy whose currency is already in free fall and appears headed for a deep recession. Reeling from sanctions, and already inclined to aggressive and destructive cyber and non-cyber related malign activities, the desperate regime may become a more aggressive actor both in the virtual and physical worlds.
To counter the Islamic Republic’s malicious cyber activity, Washington must be prepared to impose significant costs on the leadership in Tehran and to use cyber and kinetic means to hold at risk the Islamic Republic’s most valuable assets. Simultaneously, Washington must work with its allies and the private sector to bolster defenses so that Iranian operations are less likely to succeed. While the Islamic Republic’s capabilities do not match those of China and Russia, its cyber capabilities are dangerous to U.S. national security and rapidly maturing.
2011-2017 – social media influence operation aimed at U.S. and global audiences7
2012-2014, Operation Cleaver – global cyber surveillance and infiltration campaign8
December 2011-May 2013, Operation Ababil – distributed denial of service attacks against the U.S. financial system9
August 2012, Shamoon – destructive wiper malware attack against Saudi Aramco10
August-September 2013 – infiltration of the Bowman Avenue Dam in Rye, New York11
2013-December 2017 – intrusions and data theft against 176 U.S. and foreign universities, 47 U.S. and foreign private companies, and U.S. federal and state agencies12
2013-2014, Operation Saffron Rose – malware-based cyber espionage against Iranian dissidents and U.S. defense industrial base13
February 2014 – attack against Las Vegas Sands Corporation14
2014-2015, Thamar Reservoir – cyber espionage and infiltration against Middle Eastern university researchers, defense and security companies, journalists, and human rights activists15
2016-2017 – APT33 cyber infiltration and trade secret theft against a U.S. aerospace company, Saudi aviation conglomerates, and a South Korean petrochemical company16
2016-2018 – APT OilRig global cyber espionage and data exfiltration17
November 2016-January 2017, Shamoon 2 – destructive malware against Saudi government ministries and companies18
May 2017 – data theft and extortion against HBO19
2017-2018 – APT Leafminer cyber infiltration against governments and businesses in the Middle East20
The Islamic Republic’s asymmetric mindset was forged during the Iran-Iraq War.21 The naval battles known as the “Tanker War” crystallized Tehran’s reliance on asymmetric approaches. In 1987, in response to Iranian harassment of civilian oil tankers belonging to Arab Gulf states aligned with Iraq, the U.S. Navy began escorting the tankers through the Persian Gulf. Tehran launched a conventional naval campaign against the Navy, but was quickly outgunned and lost half of its fleet. The regime then switched to the use of small boats, mines, and cruise missiles, which led to greater success.22
Faced with constraints on its ability to purchase conventional weapons systems (as a result of U.S. sanctions) in the decades following the Iran-Iraq War, the regime allocated its defense spending to capabilities that exploited the vulnerabilities of its regional rivals and technologically superior adversaries.23 Instead of a conventional air force, Iran developed ballistic missiles. Instead of traditional naval capabilities, Iran relied on swarms of small, fast-attack speedboats. Instead of conventional land forces, Iran built up terrorist proxies like Hezbollah and the Islamic Revolutionary Guard Corps’ (IRGC) expeditionary Quds Force, both of which the regime created in the immediate wake of the 1979 Revolution.24 Iran’s current strategy focuses on the ability to develop a nuclear weapons capability, conduct terrorist activities around the world, threaten missile attacks, and hold hostage global oil markets by threatening to close the Strait of Hormuz – a vital waterway for global oil trade.25
Testifying before Congress, then-Director of National Intelligence (DNI) James Clapper explained that Iran “views its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes.”26 After reaching the nuclear deal with Iran, some officials in the Obama administration noted to The New York Times that the regime views cyber as “a tool to seek the kind of influence that some hard-liners in Iran may have hoped its nuclear program would eventually provide.”27 More recently, in September, the U.S. State Department concluded, “The Islamic Republic has developed its cyber capabilities with the intent to surveil and sabotage its adversaries, undermining international norms and threatening international stability.”28
Cyber operations have also become an increasing part of Iran’s arsenal because they provide “less risky opportunities to … retaliate against perceived enemies at home and abroad.”29 In February 2014, in retaliation for Las Vegas Sands Corporation CEO Sheldon Adelson’s recommendation that the United States drop a nuclear bomb in the Iranian desert to convince the Islamic Republic to relinquish its own nuclear ambitions,30 suspected Iranian hackers penetrated the systems of Adelson’s company. The attack caused computers to flat-line, knocked corporate e-mail offline, and crippled phones and other business operations platforms that ran the $14-billion company.31 The result: an estimated $40 million in damages.32 And it took the company a week to restore its networks.33 Then-DNI Clapper called the incident the first destructive cyber attack “carried out on U.S. soil by [a] nation-state entit[y].”34
Experts assess that the IRGC and security services oversee the majority of the Islamic Republic’s offensive cyber capabilities,35 but the government bodies that determine the regime’s policies in cyber space also include representatives of other power centers, including the president, the supreme national security council, and relevant cabinet ministers. The regime also has an extensive censorship apparatus, which blocks access to traditional media, social media sites, and online content more generally. The entities responsible for censorship include the Ministry of Information and Communications Technology, which is responsible for deploying the regime’s censored, national internet infrastructure,36 as well as the state-owned media firm Islamic Republic of Iran Broadcasting (IRIB), which jams foreign satellite broadcasts.37 Sitting atop this bureaucracy is Supreme Leader Ali Khamenei. He is the “single most powerful individual in a highly factionalized, autocratic regime. Though he does not make national decisions on his own, neither can any major decisions be taken without his consent,” scholar Karim Sadjadpour observes.38
Academic and research institutions also provide training and recruit talent to support the Islamic Republic’s cyber operations. According to some experts, the science and technology departments of Shahid Beheshti University and Imam Hossein University may be key recruitment grounds for Iran’s government cyber forces.39 Both of these universities have strong connections to the regime’s military and security apparatus.40 For example, Fereidoun Abbasi-Davani, former head of the Atomic Energy Organization of Iran, was a professor at Shahid Beheshti,41 and the European Union sanctioned the university in 2011 for its involvement in Iran’s nuclear and ballistic missile activities.42 Similarly, the U.S. Treasury Department sanctioned Imam Hossein University in 2012 for being controlled by the IRGC and supporting its operations. Sanctioned Iranian telecommunications producer and software developer PeykAsa grew out of an initiative at another university, Sharif University of Technology.43 The regime reportedly partners with major universities to advance Tehran’s strategic objectives in a broad range of fields including cyber. This arrangement also funnels graduating students – whom Supreme Leader Khamenei has called Iran’s “cyber-war agents”44 – into companies and projects that further these same objectives.45
It is often difficult to identify Iranian cyber threat actors because they are not static. What at first appear to be distinct groups will later use the same network infrastructure or tactics in subsequent operations. For example, researchers initially identified separate hacker groups they labeled “Flying Kitten” and “Rocket Kitten” in 2013 and 2014. Then, in 2015, researchers noted the two groups employed similar modes of operation and shared domain names, leading them to conclude that “the ecosystem of Iranian actors is chaotic and ever-changing, making disambiguating different campaigns and groups a troublesome process.”46 The affiliation of individual hackers may also be fluid.47
Further complicating the challenge of attribution, these groups often use publicly available malware tools.48 For example, even though the Shamoon 2 attacks in 2016-17 against Saudi Arabia described below shared characteristics with campaigns launched by the group labeled APT33, cyber security firm FireEye could not conclusively link ATP33 to those attacks because of “differences in both targeting and tactics, techniques and procedures (TTPs) associated with the group using SHAMOON and APT33.”49
Nevertheless, a list of names of prominent Advance Persistent Threat (APT) groups is included in the graphic as a reference. In addition to the names the groups themselves use, the table also includes names assigned by cyber security firms when identifying campaigns, malware, and infrastructure. Different firms may ascribe different names to the same actors.50 Some of these groups appear to have ceased operations over time, while some individual operatives may have shifted affiliation to other groups. Some hackers claim affiliation with the “Iranian Cyber Army,”51 although the name implies more official backing from Tehran than the group receives.
While the Islamic Republic relies primarily on quasi-independent cyber operators to conduct its cyber attacks, experts have concluded that there is “consistent evidence” that Iranian cyber campaigns are “government-sponsored.”52 The U.S. government has also consistently connected Iran’s malicious cyber activities to the regime and, more specifically, to the IRGC. DNI Clapper attributed the 2014 cyber attack on Las Vegas Sands to the Iranian government.53 In March 2016, the Department of Justice unsealed an indictment against seven individuals responsible for the distributed denial of service (DDoS) attacks on U.S. financial institutions between 2011 and 2013. The Justice Department also charged one of the hackers with infiltration of the control systems of a dam in New York in August and September of 2013.
According to the Justice Department’s press statement, the companies employing the hackers were “sponsored by” the IRGC. Then-U.S. Attorney Preet Bharara called the incidents “calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people.”54
Two years later, in 2018, the Department of Justice similarly stated that the individuals responsible for the infiltration of computers at hundreds of U.S. and foreign universities and dozens of U.S. companies, and the exfiltration of 30 terabytes of data, had “conducted many of the intrusions on behalf of” the IRGC.55 Even the 2017 indictment for unauthorized access to HBO’s computer systems and attempted extortion of the company noted that the accused “previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.”56
Supreme Leader Ali Khamenei – the ultimate decision-maker on all domestic and national security issues;58 exercises direct control over the IRGC, armed forces, and security services.
–The Supreme National Security Council – the highest national security policymaking body; coordinates and implements the supreme leader’s directives; led by the president; members also include speaker of parliament, chief justice, ministers, military chiefs, and appointees of the supreme leader.59
Supreme Cyberspace Council – oversees internet and cyber space policy;60 reports to Supreme Leader Ali Khamenei; members include the president, cabinet ministers, the commander of the IRGC, and other high-ranking officials from the intelligence and security agencies;61 responsible for “protecting the country from negative content of cyberspace.”62
–National Cyberspace Council – defends the Islamic Republic against the “culture war” online.63
Islamic Revolutionary Guard Corps (IRGC) – oversees offensive cyber activities;64 overseas quasi-independent cyber groups (discussed below; see graphic for a list of prominent groups).
–IRGC Electronic Warfare and Cyber Defense Organization – operates training courses; censors content and access.65
–Basij Cyber Council – non-professional, inexperienced operators; conducts simple hacking or infiltration operations against the regime’s internal enemies.66
–Center to Investigate Organized Crime (aka Gerdab) – conducts “defensive” operations focused on censoring content, targeting dissident websites, and identifying opposition activists.67Cyber Headquarters (aka Cyber Defense Command) – coordinates cyber policy (primarily defensive policy) within the Iranian armed forces; identifies and eliminates threats to Iran’s cyber infrastructure; conducts offensive cyber attacks in cooperation with the Basij Cyber Council.68
–Armed Forces General Staff – coordinates policies and operations between the IRGC and the regular military (Artesh).69
–Ministry of Intelligence and Security (MOIS) – responsible for signals intelligence.70
Ministry of Interior – oversees Iran’s police and domestic security forces.71
–Iran Cyber Police (aka FATA) – filters web content; monitors online behavior; hacks email accounts of political dissidents.72
Three key incidents have significantly shaped the evolution of Iran’s cyber capabilities: (1) the revelations of the Stuxnet virus in 2010; (2) escalating U.S. sanctions culminating with the “de-SWIFTing” of Iranian banks in 2012; and (3) the regime’s decision in 2013 to negotiate a nuclear agreement with the P5+1 group, led by the United States.
The summer of 2010 marked a step-change in Tehran’s – and the world’s – understanding about the power of cyber tools. Researchers assess that a nation-state actor created the malware of then-unprecedented complexity to target Iran’s core nuclear infrastructure.73 Press reporting has since attributed the attack to a joint U.S.-Israeli operation, but neither government has claimed responsibility.74
The virus first infiltrated Iranian systems in 2008, making its way to Iran’s nuclear enrichment plant at Natanz75 where it began slowly and meticulously to destroy centrifuges,76 the precision machines that enrich uranium for both civilian nuclear fuel and atomic weapons. At the time, the Islamic Republic was pursuing a nuclear program in defiance of multiple UN Security Council resolutions.77
At Natanz, the Stuxnet virus quietly sabotage the Iranian nuclear program.78 The virus sped up and slowed down the speed of the centrifuges, causing them to self-destruct.79 Even more disorienting for Iran’s nuclear scientists, the infected computer systems would report only normal activity. The scientists thus assumed there was an equipment or engineering problem and often shut down entire centrifuge cascades after one machine failed.80
Early iterations of the virus disabled a few centrifuges at a time, but then in the summer of 2010, a new variant knocked out about 1,000 machines, or roughly 10 percent of Iran’s equipment.81 After the virus was inadvertently discovered,82 Iran had to briefly shut down the entire Natanz facility to contain the virus.83 It confirmed that the virus had infected 30,000 computers.84
One of the most pivotal moments for the Iranian regime was the 2009 Green Movement. Following the June 2009 presidential election, demonstrations rocked the country as Iranian citizens protested what they viewed as a rigged outcome. The regime responded aggressively, deploying volunteer and regular forces to scatter, beat, and arrest thousands of protestors.
While the regime crushed the protests in relatively short order, the Iranian population’s use of the internet to mobilize spontaneously and rapidly share information convinced the leadership that the cyber battlefield was a key weakness. The government sought to develop its cyber capabilities for regime security, as well as to protect the ideological purity of the Islamic Republic by surveilling and censoring internal dissent and blocking the infiltration of Western ideas.85 The regime leverages an elaborate network of private actors to execute these policies.86 To date, most victims of Iranian cyber operations are Iranians.87
New evidence suggests that Iran is expanding the ideological battle beyond its “internal enemies.” Facebook, Twitter, and Google announced in August 2018 the dismantling of an Iranian social media influence campaign aimed at U.S., UK, Latin American, and Middle Eastern audiences.88 The operation is one of the first reported cases of actors from the Islamic Republic exploiting social media to target audiences outside Iran. 89
In the years following Stuxnet, the Islamic Republic dramatically improved its cyber capabilities.90 Prior to 2011, Iran’s entire cyber budget was believed to be about $76 million.91 By 2016, Tehran was claiming to spend $1 billion per year on cyber programs,92 although some experts have raised doubts about this figure.93 Examining the Ministry of Information and Communications Technology’s budget may provide a sense of Iran’s cyber security investment: between 2013/14 and 2015/16, the ministry’s cyber security budget increased more than tenfold.94 Following the nuclear deal, Iran’s budget for information technology infrastructure increased another 20 percent.95
To consolidate government bodies responsible for cyber space and internet policy,96 Khamenei created the Supreme Cyberspace Council in March 2012 to oversee the full range of Iran’s cyber activities.97 Members of the council include the president, cabinet ministers, the head of the Islamic Republic of Iran Broadcasting, the commander of the IRGC, and other high-ranking officials from its intelligence and security agencies. In 2015, Khamenei reshuffled the membership, and as a result, the number of President Hassan Rouhani’s cabinet ministers on the council increased.98 The Supreme Cyberspace Council is not answerable to the Iranian parliament but rather reports to the supreme leader.99 Seven months after creating the council, Iran reportedly held its first nation-wide cyber defense exercise.100
In the early 2000s, Iranian hackers defaced tens of thousands of websites in the United States, Israel, the UK, and France with crude attacks.101 Stuxnet and the widespread domestic protests, in response to the fraudulent presidential election in 2009 (now known as the Green Movement), changed the Islamic Republic’s relationship with these hackers.
In the immediate aftermath of the Green Movement and Stuxnet, the regime wanted to create a formal offensively oriented cyber organization but was unable to build a “politically and religiously reliable workforce.”102 Instead, the government and IRGC employed “an ideologically and politically trusted group of middle managers” to delegate specific tasks to hackers or groups of hackers, at times employing “sub-contractors” to assemble and deploy the tools for a single objective.103 For example, two different hackers or groups might work on separate components of malware rather than Iran assigning the entire task to one operator.
Initially adopted for expediency, this “contractor” model has endured. Since Stuxnet, Iranian hackers have professionalized. The marketplace has expanded, and there has been a proliferation of Iranian cyber groups.104 In an in-depth study of the hacker landscape in Iran, experts at the cyber threat intelligence firm Recorded Future concluded that there are as many as 50 contractors “vying for Iranian government-sponsored offensive cyber projects.”105 These actors often work within Iranian corporate entities or for the security services.106 Iranian private companies and government entities “blur the line between legitimate engineering companies and state-sponsored cyber hacking teams.”107 The same cyber operatives may simultaneously engage in criminal activity, legitimate software development, and regime-sponsored operations.108 There are also indications that the government adopts successful, independently initiated operations and throws its support behind enterprising hackers.109
Iranian cyber actors have since become resourceful and astute students, reportedly learning not only to use existing tools but also to replicate the kinds of attacks Iran has suffered.110 They combine off-the-shelf malware with custom tools.111 Whereas the distributed denial of service (DDoS) attacks on U.S. banks between 2011 and 2013 may have relied on “botnets-for-hire,”112 Operation Saffron Rose in 2013-14, which targeted both internal dissidents and U.S. defense companies, was the first reported case of Iranian operatives using custom malware tools.113 Tehran has been able to cause significant damage even while relying on mostly rudimentary cyber tools – DDoS techniques, spear phishing, and wiper malware.
As the Islamic Republic was dealing with the aftershocks of Stuxnet and expanding its own cyber capabilities, it became the target of a second campaign that shaped its thinking on cyber. By 2012, the regime began to feel the full power of U.S. economic warfare capabilities. Beginning in 2006, when the U.S. Treasury initiated a campaign to convince banks around the world to cease doing business with Iran, hundreds of Iranian companies and individuals found themselves cut off from the global banking system and their assets frozen, as the United States systematically sanctioned Iranian nuclear and weapons proliferators, terrorist supporters, human rights violators, and their financial enablers.114 By 2010, U.S. sanctions were having a significant effect on the Iranian economy. In the latter half of that year, Iran lost between $50 and $60 billion in potential energy investments.115 Over the next two years, additional U.S. and EU measures116 jointly reduced Iran’s crude oil exports – which accounted for approximately 80 percent of the country’s export earnings – from 2.5 million barrels per day to approximately 1 million.117
In March 2012, the global financial messaging system SWIFT removed sanctioned Iranian banks from its network, while permitting some to remain on the network to facilitate permitted humanitarian trade.118 Without this access, Iranian banks and businesses reportedly resorted to conducting business using suitcases of cash.119 Then, Congress passed legislation requiring purchasers of Iranian crude oil to deposit payments to Iran in escrow accounts, significantly restricting Iran’s access and use of its foreign currency.120 By the end of 2013, Tehran was facing a balance of payments crisis with as little as $20 billion in fully accessible foreign currency reserves.121
Facing an economic crisis, Iran responded aggressively – and directly – against the United States by launching widespread distributed denial of service (DDoS) attacks against U.S. banks. Iran sought to show the world that it, too, could cause economic damage to its adversaries. Given the size of the American economy and the role of the dollar in global commerce, it would have been pointless for Iran to respond using conventional economic or financial tools. Rather, to engage in its own form of economic warfare, Iran turned to cyber.
The offensive began in December 2011 and continued into mid-2013, comprising a series of DDoS attacks known as Operation Ababil.122 The attacks occurred only intermittently for the first ten months and then escalated to a near-weekly basis starting in September 2012,123 six months after the “de-SWIFTing” of Iranian banks. The attacks targeted 46 banks and financial systems including Bank of America, Wells Fargo, JPMorgan Chase, and the New York Stock Exchange, according to a U.S. Department of Justice indictment. Using infected internet servers around the world to flood the banks’ websites with an overwhelming volume of traffic, the attackers paralyzed the websites of banks and other financial institutions,124 preventing hundreds of thousands of individuals and businesses from accessing their online accounts, and costing these financial firms tens of millions of dollars to remediate.125 At the time, the Obama administration appealed to 120 countries to intercept the malignant traffic and debug the internet servers located in their territory. While many countries assisted, the response was not fully effective, and some attacks continued.126
A group calling itself Izz ad-Din al-Qassam claimed responsibility for the DDoS attacks127 and denied state sponsorship. The Islamic Republic likewise denied official involvement.128 Press reporting concurrent with the attacks, however, confirmed that U.S. officials believed the Iranian government was responsible.129 In March 2016, the U.S. Department of Justice formally accused Tehran of sponsoring the attack, unsealing an indictment against seven Iranian hackers and alleging that their employers, ITSec Team and Mersad, “performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.”130
In the same indictment, the Justice Department charged Hamid Firoozi of ITSec with hacking into New York’s Bowman Avenue Dam between August and September 2013.131 While the dam itself is small and inconsequential to national critical infrastructure, experts and officials speculated that the hacker had either confused the dam for a much larger one with a similar name, or was conducting a dry run for a future, more destructive attack.132
Iran also turned its attention to its primary regional rival (and American ally): Saudi Arabia. Iran sought to damage Riyadh by undermining its oil industry, on which the U.S. would increasingly rely to stabilize oil markets as U.S. sanctions began cutting Iranian oil exports and production. On August 15, 2012, the Shamoon malware wiped the data on 35,000 network computers at Saudi Arabia’s Aramco, the world’s largest oil producer.133 The virus erased the data on three-quarters of Aramco’s corporate computers and replaced the files with an image of a burning American flag.134 While Shamoon did not affect Aramco’s oil production, the virus disrupted a majority of Aramco’s business processes, including its supply management, shipping, and contract management.135
Overnight, the company had to revert to faxes, inter-office mail, and typewriters. Aramco professionals physically unplugged the firm’s computers to stop the virus from spreading, and representatives purchased 50,000 new hard drives, temporarily causing a spike in global hard drive prices. It took approximately five months to get the entire organization back online.136
The Iranian hacker group Cutting Sword of Justice claimed responsibility, stating that the attack was in retaliation for Saudi Arabia’s oppression and regional crimes.137 After investigating the virus, FireEye concluded it showed the characteristics and sophistication of a state actor.138 U.S. officials later confirmed Iran’s involvement.139
The attack was part of a longstanding rivalry between Saudi Arabia and Iran and likely had multiple intended outcomes. At the time, Iran’s oil exports were dropping rapidly as the EU imposed its ban on imports of Iranian crude. It is possible that Tehran hoped an attack on a major oil producer would drive up prices so that Iran’s limited exports would bring in more revenue. If that was the goal, the operation failed. Global prices did not experience a sustained spike following the attack.140
The campaign may also have been retaliation for a suspected cyber attack on Tehran’s Oil Ministry and various Iranian energy companies in April 2012.141 The Shamoon malware reportedly mimicked the wiper malware used against the Iranian Oil Ministry and the National Iranian Oil Company.142
While each of these motivations may have been a factor, Iran likely targeted Saudi economic assets to undermine Saudi energy power and its related geopolitical power because the Islamic Republic understands the connection between economic and geopolitical power. From its founding, the Islamic Republic conceptualized its own economy as providing the means to fortify the revolution at home and export it abroad. The Iranian constitution states that the economy “is a means that is not expected to do anything except better facilitate reaching the goal [of advancing the Islamic revolution].”143 This is also why the IRGC – created to consolidate, defend, and export the ideology of the revolution144 – plays a dominant role in the Iranian economy.145 Supreme Leader Ayatollah Ali Khamenei has called the U.S. Department of the Treasury “America’s war chamber,” and noted that the “method of the US is to confront the freedom-seeking and independent system of the Islamic Republic by pursuing this economic war.”146 The Saudi Aramco hack applied this logic to weaken the House of Saud and undermine an energy superpower on which the U.S. and global economy depends.
While Operation Ababil and the Saudi Aramco hack showed that Iran could retaliate in the cyber domain, neither offensive relieved the economic pressure imposed by Western sanctions. Tehran realized that it could not financially sustain its quest for nuclear capabilities and therefore sought to negotiate a reprieve from economic sanctions.147 In the middle of 2013, Supreme Leader Ali Khamenei empowered President Rouhani to pursue a nuclear deal using the same strategy Rouhani, a regime loyalist,148 had used a decade earlier in negotiations with the Europeans: In exchange for sanctions relief, Iran would suspend nuclear work in areas where it had completed its research while preserving the ability to continue work on other components of the nuclear cycle that its scientists had not yet perfected.149
From the beginning of nuclear negotiations in 2013 through the implementation of the deal in January 2016, the clerical regime did not curtail its support for violent militias and terrorist groups throughout the region.150 It continued to advance its ballistic missile program, take Western hostages, and threaten U.S. and Western shipping in the Gulf.151 Similarly, Tehran did not cease its malicious cyber activity. Israeli Prime Minister Benjamin Netanyahu said in June 2013 that Israel had seen a “significant increase in the scope” of cyber attacks on its “vital national systems” by hackers backed by Iran and its terrorist proxies Hezbollah and Hamas.152
Iranian cyber operatives targeted nearly every country in the region, with its most aggressive actions aimed at Saudi Arabia.153 It does appear, however, that the regime made a decision, starting in 2013, to refrain from conducting destructive cyber operations against U.S. targets, with the exception of the February 2014 Las Vegas Sands casino attack.154
Tehran may have reasoned that its hackers could better hone their skills by practicing on the Gulf Arab states – targets with weaker cyber defenses. That said, Iran occasionally sought to challenge Israel in the cyber domain. During the summer 2014 conflict between Israel and Hamas, Israeli experts noted an increase in website defacements and DDoS attacks by Iranian and proxy hackers.155
By limiting the majority of its destructive attacks to the region, Iran exploited the rift that formed between the United States and its regional allies during the nuclear negotiations.156 The clerical regime likely calculated (correctly) that just as the Obama administration was not going to scuttle the nuclear negotiations over Iranian-backed violence in Syria, Gaza, or Yemen, its hackers could continue to attack America’s regional allies without provoking a response from Washington.
During the nuclear negotiations and after the nuclear agreement was reached, Iran also engaged in a global campaign of cyber espionage and infiltration. Between 2013 and 2017, at the direction of the IRGC, Iranian hackers infiltrated hundreds of universities, private companies, and government agencies in the U.S. and around the world, stealing more than 30 terabytes of academic data and intellectual property.157 The affected universities had spent $3.4 billion on subscription services alone to access the data in question. Iranian hackers simply stole it. The intellectual property was the result of thousands of hours of academic research. Data stolen from 11 technology companies, an industrial machinery company, and a biotechnology company may have helped Iran circumvent increasingly strict U.S. export controls as a means to improve its military capabilities.
In December 2014, cyber security firm Cylance published an in-depth study of another two-year global Iranian cyber operation named Operation Cleaver. The firm assessed the motivation of the attackers was to establish a “beachhead for cyber sabotage.”158 Another goal was to strategically pre-position assets for exploitation. The principal difference between computer network exploitation (CNE) and computer network attack (CNA) is the intent of the perpetrator. Exploitation and intelligence collection can create a persistent access route. If the intent of an attacker changes, that access route can easily be utilized to deliver a cyber weapon.
Cylance assessed that Operation Cleaver was “too significant to be a lone individual or a small group.” Leveraging publicly available hacking tools and custom malware, the group infiltrated companies worldwide in the energy, utility, and aviation sectors; military intelligence; and even hospitals and universities. Comparing the operation to those conducted by Chinese cyber operators, Cylance warned, “Iran is no longer content to retaliate against the US and Israel alone,” but rather seeks to “position [itself] to impact critical infrastructure globally.”159
In another case, Israeli cyber security firm Clearsky uncovered an Iranian cyber campaign they called Thamar Reservoir, dating back to at least mid-2014, whose purpose seemed to be neither stealing money nor conducting destructive cyber attacks. Instead, the attackers engaged in espionage, stole information, and potentially used their infiltration to enable future attacks. Clearsky did not identify the specific types of information the hackers stole, but noted that the majority of targets were academics, researchers, and practitioners in social sciences, as well as journalists and human rights activists.160
Interestingly, there may have also been a cyber-enabled economic warfare component to the operation identified by Clearsky. Some of the targets were physicists, security companies, and defense firms, and Clearsky noted that the hackers engaged in intellectual property theft.161 Again, the cyber security firm does not specify what kind of intellectual property the hackers stole so it is unclear if this refers to the research of social scientists or corporate secrets of defense firms.
Another Iranian group, “Leafminer,” has attempted to infiltrate government organizations and private businesses across the Middle East since at least early 2017. The group’s techniques “followed the recent trend among targeted attack groups for ‘living off the land’—using a mixture of publicly available tools alongside its own custom malware.” In addition to government targets – which made up 17 percent of affected entities – 37 percent of all Leafminer targets were in the financial and petrochemical sectors. The analysis, performed by Symantec, did not attempt to determine the group’s motivation but noted that the toolkits used indicate that the hackers were seeking “email data, files, and database servers.”162
Another group, APT33, began carrying out cyber espionage operations as early as 2013 and conducted its most significant infiltrations between mid-2016 and early 2017. APT33 gathered intelligence and stole trade secrets from a U.S. aerospace organization, Saudi business conglomerates in the aviation sector, and a South Korean petrochemical and oil-refining firm.163
Examining the forensic details of the malware and open-source reporting, FireEye concluded that APT33 is an Iranian government-supported group.164 Specifically, FireEye determined that an individual hacker developed the malware based on the inclusion of his handle in samples of the virus – a handle that open-source reporting tied to the Nasr Institute, an Iranian government-controlled entity. These facts, combined with the presence of “Farsi language artifacts” in the malware and the timing and tempo of APT33’s operations, consistent with the Iranian workday, led FireEye to name Iran as the entity behind APT33.
FireEye also concluded that APT33 was state-backed because its targets aligned with the interests of the Islamic Republic. According to FireEye:
APT33’s focus on aviation may indicate the group’s desire to gain insight into regional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and strategic decision making. Their targeting of multiple holding companies and organizations in the energy sectors aligns with Iranian national priorities for growth, especially as they relate to increasing petrochemical production.165
Both FireEye and the infrastructure security firm Dragos raised concerns that APT33 might be pre-positioning for a more destructive attack. FireEye Director of Intelligence Analysis John Hultquist noted, “[w]e’ve seen them deploy destructive tools they haven’t used. We’re looking at a team whose mission could change to disruption and destruction overnight.” Similarly, Dragos founder Robert M. Lee observed, “This is economic espionage with the added ability to be destructive, but we have no reason to think they’ve gone destructive yet.”166
Even as Iranian operations expanded around the globe, Saudi Arabia has borne the brunt of the Islamic Republic’s malicious cyber activities.167 While Operation Cleaver, Thamar Reservoir (likely conducted by threat actor Rocket Kitten168), and Leafminer targeted a broad range of victims, the plurality of targets in each case were Saudi institutions and companies. OilRig likewise has focused its campaigns largely on the Saudi private sector, in particular financial institutions, technology companies, and the defense sector, dating back to at least autumn 2015.169
The reason that Riyadh is Iran’s primary target is two-fold. Obviously, Iran and Saudi Arabia are bitter regional rivals. Secondly, Saudi cyber defenses are perceived as being significantly less capable than those of Israel and the United States. Collin Anderson and Karim Sadjadpour explain:
Weak Saudi cyber defenses have not only made the country vulnerable to Iranian coercion but also made Riyadh a soft target for Tehran’s retaliation against destructive cyber operations performed by third countries. If Iran cannot cause significant damage to the United States during times of conflict, then damaging the economic institutions of American allies will suffice.170
Despite its partnerships with leading technology firms, Saudi Arabia remains vulnerable to Iranian cyber attacks.171 Riyadh is known to purchase expensive defense equipment but not invest in the human capital necessary to effectively deploy the hardware.172
In late 2016 and early 2017, a virus called “Shamoon 2” struck key Saudi companies and government ministries.173 Shamoon 2 rapidly spread to 15 government agencies and businesses within the Saudi civil and defense sectors.174 In testimony before Congress in March 2018, Director of National Intelligence Dan Coats publicly attributed the attack to Iran.175
While the Shamoon code itself was “largely unchanged,” the attackers used a different delivery system and devoted “a significant amount of preparatory work” to the operation.176 McAfee concluded the attack was “an intentional attempt to disrupt key organizations and the country of Saudi Arabia.”177 While in the 2012 attack on Aramco, hackers inflicted damage and then quickly disappeared, this time, “the actors penetrated networks and established remote control to gather intelligence for future planned wiping attacks.”178 Additionally, the virus infected a wide range of targets throughout the Middle East, Symantec noted, but “[o]nly specific organizations affiliated with Saudi Arabia appear to have been earmarked for destructive wiping attacks.”179
The Saudis retained Junaid Islam, a cyber security researcher with decades of experience, to provide an independent assessment of the attack. He and the Saudi security team discovered that the malware was able to spread so effectively because it used Microsoft Active Directory (AD) credentials to propagate throughout the network.180 The local Saudi security team thus changed the AD credentials within 48 hours of the initial outbreak. It worked only briefly, however, and a new wave of the attack using the new AD credentials followed. The attackers likely had established a clandestine presence in the network and had knowledge of the systems in place and how to bypass them.
Shamoon 2 spread and installed itself without human interaction or enablement – without a user “click.” The malware autonomously scanned the network for other Windows devices and repeated the process while deleting data.181 There was no exfiltration of data or ransom demanded, and thus the attack seems to have been aimed at disrupting systems.
Following the 2015 nuclear deal, Iran’s GDP growth rebounded from negative 6 percent in 2012/2013 to a positive 4.3 percent in 2017/2018, after spiking to 12 percent in 2016/2017.182 The Islamic Republic used the economic breathing room provided by sanctions relief183 to expand its military budget, including its spending on cyber.184
The U.S. withdrawal from the nuclear deal in May 2018 may upset the regime’s plans. Even before the reinstatement of U.S. sanctions, the Islamic Republic experienced a rapid depreciation of its currency.185 Between May and September of this year, the value of the Iranian rial dropped 160 percent.186 By September 2018, three months before the full re-imposition of sanctions, Iran’s oil exports had already fallen by 35 percent.187 Scores of foreign investors are leaving the Iranian market.188 The International Monetary Fund and the World Bank both predict that Iran’s economy will shrink modestly before the end of 2018 and more than 3.5 percent in 2019.189
Experts warn that Iran may respond to the withdrawal and re-imposition of sanctions by lashing out with new destructive cyber attacks.190 Secretary of Homeland Security Kirstjen Nielsen testified before Congress that Washington is “anticipating” the “possibility” of increased Iranian cyber attacks.191 Analysts at Recorded Future warn that as economic sanctions pressure escalates, “the IRGC may forgo careful contractor selection and planning in an attempt to deliver a destructive attack within a short period of time.”192
Even before the U.S. withdrew from the nuclear deal, Iranian hackers appear to have gotten bolder. By March 2018, cyber security experts were noting that OilRig’s campaigns had evolved, using more sophisticated malware and “new data exfiltration methods,”193 and assessed that the group’s operations “are likely to accelerate even further in the near future.”194
FireEye also reported at least a ten-fold increase in the number of phishing emails APT33 sent in the month of July 2018 to Middle Eastern, North American, and Japanese companies in the oil and gas, utilities, and other industries.195 The firm warned that this spear phishing campaign might be part of a larger effort to engage in disruptive attacks or to pre-position assets for later disruptive or destructive attacks.
As Iran begins to feel the full effects of renewed sanctions pressure, the regime may instruct OilRig, APT33, and others to respond by hitting the American economy like its hackers did during the previous escalation of sanctions. Days before Washington re-implemented sanctions, Khamenei urged Iranian officials responsible for civil defense and cyber operations to “confront” the United States with “scientific, accurate, and up-to-date … action.”196 Having honed its cyber capabilities against U.S. allies, the Islamic Republic may turn to cyber-enabled economic warfare attacks against American private companies. Washington must implement strategies now to prevent such campaigns.
U.S. policy to counter Iran’s malicious cyber activity must be built on three pillars: understanding the threat, strengthening defense, and imposing costs on Tehran including through cyber and kinetic capabilities. This report offers 10 recommendations to that end.
1. Analyze Tehran’s cyber escalatory ladder.
Policymakers need to understand Iranian strategies and escalatory ladder so that the United States can implement policies that convince Tehran to de-escalate. Put simply: “A better understanding of the history and strategic rationale of Iran’s cyber activities is critical to assessing Washington’s broader cyberwarfare posture against adversaries, and prudent U.S. responses to future cyber threats from Iran and elsewhere.”197 The U.S. government should task the intelligence community (if it has not already) to produce an assessment of how Iran’s cyber capabilities are (or are not) affecting Tehran’s national strategies and when and how the Islamic Republic is most likely to deploy cyber capabilities.
2. Analyze the Islamic Republic’s cyber investments, industrial base, and partnerships with other rogue actors in order to target these assets as needed.
The U.S. government should task the intelligence community (if it has not already) to develop a deeper understanding of Iran’s cyber investment, capabilities, industrial base, and actors (including linkages between and among them). The intelligence community should study the regime’s annual spending on cyber and information technology infrastructure and its technology imports and domestic production capacity. This analysis will paint a fuller picture of the Iranian cyber threat and better enable the U.S. and its allies to prevent Iran from importing military and dual-use technology relevant to its cyber warfare capabilities.
A technical analysis of how the release and leak of nation-state toolkits has affected the evolution of Iranian cyber operatives would also shed additional light on whether Iranian cyber capabilities are maturing more substantially due to this leaked information or because of relationships with other cyber actors.
The intelligence community should also be tasked with understanding the full extent of the cyber cooperation between Iran, North Korea, Syria, and other rogue actors, possibly including Russia. This area in particular is where Congress can play an important role by including in legislation reporting requirements and assessments of the Iranian cyber cooperation with Russia, North Korea, and Syria.
Iran has already collaborated with such partners on various military enterprises.198 In particular, in 2012, the Islamic Republic and North Korea signed a technology cooperation agreement,199 and Tehran and Moscow have cyber security cooperation agreements.200 Improved intelligence would allow the United States to better understand and disrupt these efforts, as well as to exploit any potential divisions between Iran and its collaborators.
3. Bolster information sharing with U.S. allies to improve allied defenses.
Coinciding with the White House’s release of the National Cyber Strategy, the U.S. Department of Defense also issued a new cyber strategy of its own. The summary notes that the Pentagon will “work with U.S. allies and partners to strengthen cyber capacity, expand combined cyberspace operations, and increase bi-directional information sharing in order to advance our mutual interests.”201 This is particularly important in the case of the cyber threats from the Islamic Republic. Iran is almost certainly using the Middle East as a testing ground to evaluate cyber tactics, tools, and capabilities that will later be unleashed against U.S. targets. Thus, greater cooperation with allies not only defends U.S. national interests and the security of its allies, but protects the U.S. homeland as well. Information sharing in real time with regional partners can provide a better understanding of the Iranian cyber threat and facilitate collective defense. As the Defense Department underscored, “[i]nformation-sharing relationships with allies and partners will increase the effectiveness of combined cyberspace operations and enhance our collective cybersecurity posture.”202
4. Develop a joint R&D agenda with U.S. allies to address common threats from Iran and other malicious cyber actors.
Both the National Cyber Strategy and the Pentagon’s cyber strategy note that our allies have capabilities that “complement our own.”203 Washington should work with its allies to develop a joint research and development agenda to leverage such comparative advantages to develop, pilot, and scale solutions to shared problems.
Joint U.S.-Japan research on ballistic missile defense can serve as a potential model of how allies can utilize their comparative scientific advantages. In the late 1990s, the two governments reached an agreement to conduct joint research on lightweight nose cones, stage-two rocket engines, advanced kinetic warheads, and two-color infrared sensors.204 They chose these areas (at least in part) because they were priorities of the U.S. Navy’s risk reduction initiatives205 and were areas where Japan possessed a comparative advantage.206
A joint R&D agenda could also provide a trusted forum for evaluating and testing sensitive, best-of-breed technologies. The research agenda could be informed by small groups of stakeholders who would gather to discuss R&D requirements and goals.
5. Conduct joint cyber wargames with allies in the Middle East to demonstrate our resolve to defend our allies.
True interoperability and collective defense can only occur if the United States and its allies demonstrate their commitment to work together. The United States should establish working groups with its allies to resolve legal, jurisdictional, and other constraints that the nations will face in the event of a “hot” cyber conflict and to identify what effective interoperability entails.
Working groups, however, will be insufficient if their assessments are not tested and the parties do not resolve to work together. Therefore, U.S. regional allies should conduct joint war games with one another under the auspices of the United States. In recent years, the press has reported quiet cooperation and intelligence sharing between Israel and Arab states.207 Washington should explore whether it can leverage these relationships into additional cooperation in the form of regional cyber exercises to respond to the common Iranian cyber threat.
The cyber exercises should bring together decision makers, analysts, operators, technologists, and other relevant parties to discern the capability gaps, recommend ways to prioritize new research and analysis, and determine where legal authorities, command-and-control structures, and decision-making processes succeed or fail in battlefield situations. Joint wargames would help prevent disconnects between technical operators and strategic decision makers that could lead to mission failure. The wargames can also reveal where the United States and its allies have weaknesses and ought to make additional investments.
6. Announce that the U.S. will defend its key allies from significant Iranian cyber attacks.
If Tehran believes that it can attack U.S. allies in cyber space with impunity, Washington must disabuse Iran of this notion. Specifically, Washington should have a declarative policy that the United States will respond to, and defend its allies against, significant Iranian malicious cyber activity. Washington and its allies will need to determine in classified settings the precise details of this arrangement according to the unique needs of each country – for example, whether the U.S. pre-positions assets, has certain types of visibility into allied networks, or deploys cyber operators in crisis scenarios.
7. Share actionable information with the private sector, provide incentives for the private sector to implement better cyber defenses, and establish interoperability to allow the private sector to better defend itself.
Washington should identify mechanisms and technologies that would address both government and private sector vulnerabilities and develop specific strategies to encourage their widespread adoption.
Beyond identifying technological solutions, the U.S. government must provide specific, actionable information to the private sector. As former NSA Director Keith Alexander and Jamil Jaffer vividly describe, “In no other context do we rely on private sector actors to defend themselves against national-level threats. After all, we don’t expect Walmart or Tesco to put surface-to-air missiles on top of their warehouses to defend against Russian bombers. Yet when it comes to cyber attacks, we demand exactly that from JPMorgan and Barclays.”208 Instead, the U.S. government needs to distribute broadly operational, usable, and classified information with cleared private sector entities so that they can take defensive measures to protect themselves. The pilot project known as “Project Indigo”209 between U.S. Cyber Command and major American financial institutions may provide a useful model that can be replicated across other critical industries, including oil and gas, electricity, and transportation.
The new Pentagon cyber strategy announced that the Defense Department must “be prepared to defend, when directed, those networks and systems operated by non-DoD Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) entities.”210 To implement this, the U.S. government must work with its own private sector, partner governments, and foreign companies to develop rules and clear lines of responsibility and, most importantly, to engage in joint training and exercises to develop interoperability between the government and private sector.211 These trainings and exercises will also reveal when and how the U.S. government should deploy public-private teams of operators to engage in joint defensive operations.
8. Sanction key Iranian leaders for authorizing cyber attacks.
U.S. law enforcement has concluded that the IRGC is responsible for Iranian cyber attacks. The Treasury Department should thus sanction the IRGC under its existing cyber authorities. Sanctions can quarantine funds used to support illicit activities from the international banking system and deny the Islamic Republic financial resources to fund its cyber aggression. Designating the IRGC, however, is likely to have limited practical implications because the organization is already under extensive U.S. sanctions for weapons proliferation, terrorism, and human rights abuses.
It may therefore be effective to sanction Supreme Leader Ali Khamenei. He is the ultimate decision-maker in Iran and it is doubtful that any malicious Iranian cyber activity would occur without his approval. He also sits atop a multi-billion-dollar empire.212 Taking action against these assets and specifically designating Khamenei would send a strong message that the United States plans to escalate the economic pressure.
9. Use cyber-enabled information warfare capabilities to exploit and sharpen divisions between the regime and the Iranian public.
Sanctions alone are unlikely to change the Iranian regime’s behavior. “Doxing” Iranian officials could effectively complement financial sanctions. Washington should widely publicize information about how much the regime spends on overseas military and terrorist operations. Some of this information is publicly available and some may require cyber espionage to uncover. In December 2017 and January 2018, protesters in Iran repeatedly chanted slogans demanding the regime focus on economic growth instead of spending blood and treasure in Syria.213 The United States should exploit this already-sensitive issue and provide the Iranian people with information about how their government is wasting resources abroad.
Washington can further alienate the rulers from the Iranian citizenry by publicizing information about regime officials’ corruption, kleptocracy, and embezzlement. Using cyber and financial intelligence capabilities, the intelligence community should locate IRGC and regime funds and investigate whether regime officials and other designated persons are using family members to hide assets. In addition to using this information to impose more sanctions, the United States should publicize its findings using traditional media like the Voice of America Persian service and Radio Farda as well as through social media platforms popular in Iran. A component of this strategy must also ensure that the Iranian people have access to secure communications and can evade government censorship so that they can receive and share the information about their own government’s behavior.
More broadly, the United States should consider methods for building bridges with the Iranian people directly by providing resources and information that the Iranian people cannot access today. Specifically, these resources may include technical means for disrupting regime censorship and organizing the opposition.
10. Hold at risk Iranian assets using cyber and kinetic means.
To punish Tehran for its malicious cyber attacks, Washington must be willing to deploy the full range of its offensive capabilities – capabilities that far surpass those of its adversaries. When Iran or any adversary threatens American national security, the United States has the ability to – if it chooses – punch back ten times harder. For example, to deter or respond to an Iranian cyber attack on U.S. or allied energy assets, the United States should communicate to the leadership in Tehran that it can hold at risk214 – using cyber means and/or other military capabilities – Iranian tankers and the infrastructure of its energy sector. If Iran launches cyber attacks on another sector of the U.S. economy, Washington should be prepared to retaliate in the virtual or physical world against the assets that the Islamic Republic most values. Interagency task forces should bring together officials with regional, economic, and cyber expertise to develop offensive options across a range of modalities. Tehran must be made to understand the severe consequences of its malicious cyber activities.
Technological advancements are enabling U.S. adversaries to cause damage disproportionate to the resources deployed in a domain without clearly defined rules of engagement. While Iran does not have the cyber capabilities of China, Russia, or North Korea, Tehran is willing to take greater risks and cause greater destruction. The Islamic Republic cannot match Washington’s capabilities on the traditional military battlefield nor in the virtual world, but its hackers can still do serious damage. If U.S. decision makers begin to initiate more robust defensive initiatives with allies and the private sector, and simultaneously prepare cyber and kinetic countermeasures, Washington may well prevent a more devastating cyber battle in the future.
(https://www.belfercenter.org/sites/default/files/files/publication/cri-2.0-ksa.pdf); “Saudi Arabia to overhaul its cybersecurity preparedness: Potomac assessment,” CISO Magazine, September 26, 2017. (https://www.cisomag.com/saudi-arabia-to-overhaul-its-cybersecurity-preparedness-potomac-assessment/)