U.S. Cyber Command warned last week of an active campaign to exploit a known software vulnerability that Iranian hackers have used in the past. Iran’s months-long cyber campaign predates the recent rise in tensions in the Gulf; it is part of Tehran’s attempt to counter U.S. economic pressure via cyber-enabled economic warfare.
After Iran shot down an American drone last month, U.S. Cyber Command (CYBERCOM) conducted operations to disable the computer systems Iran uses to control rocket and missile launches. U.S. operations also targeted a hacking group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). But Iran’s escalation in cyberspace predates these operations; it is part of a long-term response to U.S. sanctions, not a reaction to CYBERCOM’s efforts.
The cybersecurity firms CrowdStrike, Dragos, and FireEye all told WIRED that prior to CYBERCOM’s operations, they had already seen new, widespread phishing campaigns targeting government and private industry in the U.S. and Europe. It is unclear whether the Iran-affiliated hackers compromised any of the networks they attacked, but these hackers have shown they can cause extensive damage. In March, Microsoft estimated that the same group had cost energy companies, heavy machinery companies, and other multinational firms hundreds of millions of dollars over the past two years. Those attacks surged in late 2018, corresponding with the reinstatement of U.S. sanctions on Iran after the Trump administration withdrew from the 2015 nuclear deal.
The last time Tehran faced escalating sanctions that threatened to cripple its economy, Iranian hackers working on behalf of the IRGC launched widespread distributed denial-of-service attacks against U.S. banks. Between December 2011 and the middle of 2013, the attacks targeted 46 financial institutions and cost the banks tens of millions of dollars, according to a U.S. Department of Justice indictment. Facing a balance of payments crisis and a severe recession, Iran sought to show the world that it, too, could cause economic damage to its adversaries by operating in cyberspace.
Iran is relying on the same playbook today. In January, the U.S. Intelligence Community’s Worldwide Threat Assessment warned that Iran “has been preparing for cyberattacks against the United States and our allies.” From April through June of this year, cybersecurity researchers at Recorded Future observed a hacking group connected to the IRGC amassing a vast infrastructure from which to launch future attacks. Unable to match Washington’s ability to impose financial sanctions, Tehran views its cyber program as an asymmetric means to retaliate.
One day after press outlets broke the story of CYBERCOM’s operations, the Department of Homeland Security issued a statement acknowledging the increase in malicious cyber activity by Iranian operatives and warning the private sector to “shore up” its “basic defenses.” Issuing tips and best practices is a useful first step, but the U.S. government must do more. While Iranian hackers are opportunistic, there is also a correlation between the targets of U.S. sanctions and the victims of Iranian hacking. For example, between 2011 and 2013, as the U.S. escalated sanctions on Iran’s financial and energy sectors, Iranian hackers attacked U.S. banks and the state-owned oil company Saudi Aramco. Today, cybersecurity firms consistently list oil-and-gas companies among Iran’s targets. Therefore, the most important thing the U.S. government can do is share actionable information with the specific industries and companies that the intelligence community determines are, or are likely to become, the targets of Iranian hacking.
Annie Fixler is the deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Follow Annie on Twitter @afixler. Follow FDD on Twitter @FDD. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.