September 21, 2022 | Policy Brief

Washington Punishes Iranian Cyber Actors While Preparing to Enrich Regime

The U.S. Treasury Department issued two sets of sanctions against Iran in mid-September for its malicious cyber operations. While the sanctions and other corresponding U.S. government actions raise awareness of the Iranian cyber threat, their impact will be undermined by the sanctions relief the Biden administration is reportedly prepared to give Tehran as part of a nuclear deal.

First, on September 9, Treasury sanctioned Iran’s Ministry of Intelligence and Security (MOIS) and Minister of Intelligence Esmaeil Khatib, blaming MOIS for a July attack on NATO ally Albania. The White House called the attack — which disrupted government services and destroyed data — an “unprecedented cyber incident,” and pledged to “hold Iran accountable for actions that threaten the security of a U.S. ally.”

Days later, Treasury imposed sanctions on 10 individuals and two companies for ransomware, data exfiltration, and other attacks against U.S. and global targets. A corresponding Department of Justice (DOJ) indictment elaborated that the hackers were responsible for “hundreds” of attacks against small businesses, nonprofit organizations, religious institutions, healthcare centers, and utility providers. The victims included electric utilities in Mississippi and Indiana and a domestic violence shelter in Pennsylvania.

While DOJ said that the hackers were not acting on orders of the Iranian government, both the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Treasury affirmed they are affiliates of Iran’s Islamic Revolutionary Guard Corps (IRGC).

In parallel to the sanctions, CISA issued a cyber advisory providing technical details about the attacks, which network defenders can use to determine if their companies might also have been victimized and to prevent future attacks. The advisory co-authors included the DOJ, Treasury, the National Security Agency, and U.S. Cyber Command, signifying the high degree of confidence in the reported information. Cybersecurity agencies from Canada, Britain, and Australia co-signed the advisory, demonstrating the breadth of allied concern.

Sanctions, indictments, and technical advisories are valuable: They provide useful, actionable information to network defenders. They disrupt active cyber campaigns. And they demonstrate America’s ability to definitively attribute cyberattacks to their perpetrators — a prerequisite for holding malicious actors accountable. Public attribution also undermines the plausible deniability of those who ordered the attack, limiting the appeal of offensive cyber operations.

Yet the coordinated steps by Treasury, DOJ, and CISA and their domestic and international partners fall short of the White House promise to “hold Iran accountable.” The new sanctions on MOIS amount to a slap on the wrist: The ministry has been subject to U.S. sanctions since February 2012 for supporting terrorist organizations, including Hamas, Hezbollah, and al-Qaeda, and for facilitating human rights abuses in Iran and Syria. Designation under another sanctions program will not materially affect the ability of MOIS to engage in global operations.

Furthermore, while the State Department offers up to $10 million for information about IRGC-affiliated hackers as part of its Rewards for Justice program, the Biden administration is reportedly offering Tehran a nuclear deal with sanctions relief worth $275 billion in the first year and $1 trillion by 2030. And that means increased budgets for the MOIS and IRGC, far outweighing the effects of sanctions.

Annie Fixler is the deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Richard Goldberg is a senior advisor. They both contribute to FDD’s Iran Program and Center on Economic and Financial Power (CEFP). Michael Sugden is a CCTI intern. For more analysis from the authors, CCTI, CEFP, and the Iran Program, please subscribe HERE. Follow Annie and Richard on Twitter @afixler and @rich_goldberg. Follow FDD on Twitter @FDD, @FDD_CCTI, @FDD_CEFP, and @FDD_Iran. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.