Washington, D.C., Nov. 6, 2018 – As new U.S. sanctions on Iran’s economy take effect, a desperate Tehran is likely to retaliate with more aggressive cyber attacks on its regional neighbors and expand its global cyber infiltration operations, according to a new study from the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance issued today.
In “Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare,” authors Frank Cilluffo and Annie Fixler write that Iran responded to previous U.S. sanctions against the Islamic Republic with cyber operations against the U.S. financial sector. And while Tehran eased its overt cyber operations against U.S. targets during Iran deal negotiations, the regime continued its attacks on U.S. allies and its cyber infiltration operations, positioning Iran to potentially launch disruptive and destructive campaigns at the time of its choosing.
The report comes as the United States imposed sanctions against Iranian oil imports, the regime’s most important source of hard currency, on Nov. 5.
“No nation has felt the full power of U.S. economic coercion quite like Iran, and therefore no regime is better positioned to understand how attacks on economic assets can undermine a nation’s military capabilities,” said Samantha Ravich, senior advisor and Principal Investigator of FDD’s Cyber-Enabled Economic Warfare (CEEW) project. “Iran cannot compete with the United States on the traditional military or economic battlefields. But by using cyber campaigns, the regime has already demonstrated the capacity and will to cause massive economic damage to U.S. allies.”
Cilluffo, director of the McCrary Institute for Cyber & Critical Infrastructure Security at Auburn University and member of the Homeland Security Advisory Council, and Fixler, policy analyst at FDD’s Center on Sanctions and Illicit Finance, write that Iran experienced the power of cyber weapons from the Stuxnet attack on its nuclear infrastructure. As a result, Tehran invested in its own capabilities and leveraged a dispersed hacker community into a full-spectrum regime tool.
The authors write that the Islamic Revolutionary Guard Corps (IRGC) oversees the majority of Iran’s cyber operations. But rather than establishing an elite hacking unit within the security services, the regime delegates its cyber operations to a series of independent and semi-independent hackers. These cyber actors simultaneously engage in regime-sponsored operations, criminal operations, and legitimate software development.
Recent Iranian cyber operations include the APT Leafminer cyber infiltration against Middle East governments and businesses; global intrusions of universities and U.S. and foreign private companies; the Shamoon 2 malware attack against Saudi government agencies and companies; and the APT33 cyber infiltration and trade secret theft against a U.S. aerospace company, Saudi aviation conglomerates, and a South Korean petrochemical company.
The report contains 10 recommendations to better understand the Iranian cyber threat landscape, strengthen U.S. and allied defenses, and impose costs on Iran for its malicious cyber operations. Among the recommendations:
This report is the fourth in a series of studies on the capabilities and strategies of U.S. adversaries to engage in CEEW against America and its allies. The previous reports examined the strategies of the Russian government, Chinese Communist Party, and North Korea’s government.
The Foundation for Defense of Democracies (FDD) is a Washington, DC-based non-partisan policy institute focusing on foreign policy and national security. Visit our website at www.fdd.org and connect with us on Twitter, Facebook, and YouTube.
The Center on Sanctions and Illicit Finance (CSIF) expands upon FDD’s success as a leading think tank on the use of financial and economic measures in national security. The Center’s purpose is to provide policy and subject matter expertise in areas of illicit finance, financial power, and economic pressure to the global policy community.
Hackers from different countries typically exhibit distinct behaviors. Chinese hackers pilfered “anything that looked like novel technical information.” Russians penetrated systems, “mapping them and implanting hard-to-find backdoor access for potential future use.” In contrast, Iranian hackers sought to do “as much damage as possible.” This is consistent with Iranian cyber behavior: Over the past decade, the Islamic Republic has shown it will exploit deficient cyber defenses to wreak havoc on its adversaries’ networks. The regime is now bolstering its capacity to cause even greater harm in the future.