Did Iran’s Cyber-Army Hack Into the IAEA’s computers?

The latest hack against the computer servers of the International Atomic Energy Agency (IAEA) that culminated with the posting of a smattering of blueprints, charts, and other data online in late November could be a bunch of kids on the Internet having fun, as is often the case with many small-time hacks. But some early signs suggest it may be the latest assault from Iran’s shadowy cyber-army formed in early 2011 to respond to the nasty worms and trojans launched by Israel and the United States against the country’s nuclear centrifuges. A group calling itself by the Persian name Parastoo claimed responsibility for the hacking. Some experts are saying the previously unknown group appeared to have ties, or at least common goals, with the Iranian government.

Assigning responsibility for cyberattacks is a persistent problem for governments. A hacker in one country could route his malicious code through servers in a third country. There are often steps taken by hackers to use sophisticated mathematical formulas to encrypt their communications. For instance, in October, U.S. officials anonymously told reporters that a hack that disabled the servers of Saudi Arabia’s national oil company was the work of Iran. But Mohsen Kazemeini, the commander of the Greater Tehran division of the Iran Revolutionary Guard, not surprisingly denied any role in those attacks. Even if a U.S. intelligence agency had evidence the attack was from Iran, public disclosure of that evidence would provide hackers with handy road map as to how to make sure the next illicit cyber-intrusion would not be detected.

“It’s very hard to know who is behind the clickety clack of the keyboard at the time of a breach,” said Frank Cilluffo, the director of the Homeland Security Policy Institute at George Washington University. But regarding the most recent hacking, he said there were clues. “[C]learly whoever was behind the IAEA incident shares the intentions of the Iran Revolutionary Guard Corps, and if not them directly, this could be a cyber-assassin, a hired gun Iran has enlisted to do their bidding.”

James Lewis, a senior fellow and cyber expert at the Center for Strategic and International Studies, would not say he knew for sure Iran was responsible for the IAEA hack. But he did say that the attack “serves Iranian purposes. It’s similar to earlier Iranian actions and it’s within their capabilities.”

The latest attack is from a group called Parastoo, which is the Persian word for the small bird, the swallow. Last Friday, Parastoo published what it said were sensitive diagrams, satellite photos, and other documents it had pilfered from the IAEA servers on a website devoted to exposing state secrets called Cryptome.

In a message that included downloadable images, email addresses of IAEA officials, and other IAEA data, Parastoo issued an open letter demanding the IAEA “start an INVESTIGATION into activities at Israel’s secret nuclear facilities.” Unlike Iran, Israel is not a signatory to the Nuclear Non-proliferation Treaty, which requires member states to allow IAEA inspections of nuclear facilities.

IAEA officials have confirmed the hack, but also downplayed its damage, saying the new group managed to get inside an older server. IAEA spokesperson Gill Tudor said Monday, “The IAEA deeply regrets this publication of information stolen from an old server that was shut down some time ago. In fact, measures had already been taken to address concern over possible vulnerability in this server." One of the items published by Parastoo was a blueprint for a substation at a proposed nuclear plant in South Carolina. A spokesman for Duke Energy, the company building the nuclear plant, said the item that was published was already publicly available on the website of the Nuclear Regulatory Commission. “This schematic is not sensitive,” the spokesman, Jason Walls, said.

Efforts to contact Parastoo and Iranian government spokespeople were not successful. But John Young, a proprietor of Cryptome, the website that published the IAEA data, said he received the information through anonymizer software that hides the IP address of the sender of a message.

“I know nothing about the source except what is in the messages,” Young said. “The two hacks came from via anonymizer and may not be a single source—the second one could have adopted and phished the features of the first.”

Young said that most hacks are either from governments or are hackers he believes are “hoping to be hired or contracted as a result of preening hacks.” Bob Gourley, the former chief technology officer for the Defense Intelligence Agency and the editor of CTOvision, said it would be unwise to underestimate Iran’s cyber-capabilities. “The Iranians have great universities, a lot of computer scientists, and savvy technical teams. I believe they do have the capabilities to hit our banks and infrastructure,” he said.

Cilluffo said one of the key challenges for analysts of Iran's cyber-army is determining the extent of cooperation between independent hackers based in Iran and the country’s security services like the Revolutionary Guard Corps.

On the IAEA hack, Gourley said he did not know that it was Iran, but he also said he didn’t think it was just a prank either. “I would caution everyone away from saying the IAEA hack was a just a bunch of kids,” he said. “It could be teams of hackers working in coordination with more sophisticated teams, the open attacks and obvious intrusions might be covering more sophisticated intrusions at the same time.”