Iranian hackers are trying to identify computer systems that control infrastructure in the United States, such as the electrical grid, presumably with an eye towards damaging those systems, according to a new report from a cyber security firm and a think tank in Washington, D.C.
The researchers from Norse, a cyber security company, and the American Enterprise Institute, a conservative think tank that has been skeptical of the Iranian nuclear agreement, found that Iranian hacking against the U.S. is increasing and that the lifting of economic sanctions as part of an international agreement over Iran’s nuclear program “will dramatically increase the resources Iran can put toward expanding its cyberattack infrastructure.”
What’s more, the current sanctions regime, which has helped to depress Iran’s economy, has not blunted the expansion of its cyber spying and warfare capabilities, the researchers conclude.
The technical data underlying the report’s conclusions, while voluminous, aren’t definitive, and they don’t answer a central question of whether Iran intends to attack the U.S. Using data collected from a network of Norse “sensors” around the world made to look like vulnerable computers, the researchers tracked what they say is a dramatic escalation in spying and attacks on the U.S. from hackers in Iran, including within the Iranian military. The researchers also traced hacking back to a technical university in Iran, as well as other institutions either run or heavily influenced by the Iranian regime.
“Iran is emerging as a significant cyber threat to the U.S. and its allies,” the report’s authors say. “The size and sophistication of the nation’s hacking capabilities have grown markedly over the last few years, and Iran has already penetrated well-defended networks in the U.S. and Saudi Arabia and seized and destroyed sensitive data.”
That assessment tracks with the view of U.S. intelligence officials, who’ve been alarmed by how quickly Iran has developed the capability to wreak havoc in cyberspace. In 2012, officials say that Iranian hackers were responsible for erasing information from 30,000 computers at Saudi Aramco, the state-owned oil and gas production facility, as well as a denial-of-service attack that forced the websites of major U.S. banks to shut down under a deluge of electronic traffic. Earlier this year, Director of National Intelligence James Clapper said that Iran was responsible for an attack on the Sands casino company in 2014, in which intruders stole and destroyed data from the company’s computers.
The Norse and AEI researchers found that Iran’s cyber capabilities, which U.S. officials and experts say have been growing rapidly since around 2009, have accelerated in the past year. Attacks launched from Iranian Internet addresses rose 128 percent between January 2013 and mid-March 2015, the researchers found. And the number of individual Norse sensors “hit” by Iranian Internet addresses increased 229 percent. All told, the researchers conclude that hackers using Iranian Internet addresses have “expended their attack infrastructure more than fivefold over the course of just 13 months.”
There’s little debate about among U.S. officials and experts that Iran poses a credible and growing danger online. But the technical data underlying Norse and AEI’s conclusions came into question when the report was released on Thursday.
The researchers relied on “scans” of Norse sensors that may indicate some interest by an Iranian hacker, but don’t prove his intent or that he was planning to damage a particular computer.
“They talk about ‘attacks,’ but what they really mean are ‘scans,’” which is more ambiguous, Robert M. Lee, a Ph.D. candidate at King’s College London who is researching industrial control systems, told The Daily Beast. Industrial control systems are the computers that help run critical infrastructure.
Essentially, Iranian hackers are casing a neighborhood, but that doesn’t necessarily mean they’re going to rob houses. Lee, who is also an active duty Air Force cyber warfare operations officer, said he agreed with the report’s assessment that Iran is building up its cyber forces and poses a threat. But the underlying technical data in the report doesn’t directly support that claim, he said. “They reached the right conclusions but for the wrong reasons,” Lee said.
The researchers didn’t find that Iran had successfully penetrated any industrial control systems and caused machinery to break down.
While the report concludes that Iran will use the sanctions relief to fuel its growing cyber warfare program, other researchers have suggested that Iran is likely to back off its most aggressive operations—like those against the Saudi oil company and U.S. banks—and will instead focus on cyber espionage that doesn’t cause physical damage.
“They’ll be far more targeted and careful,” Stuart McClure, the CEO and president of cybersecurity company Cylance, told The Daily Beast in a recent interview. Since the U.S. and its international partners reached a tentative agreement with Iran on its nuclear program this month, Cylance hasn’t tracked any attacks by an Iranian hacker group that it has been monitoring and documented in an earlier report (PDF).
But Norse’s conclusions are generally supported by Cylance’s research, which found that Iran had actually penetrated systems controlling a range of critical infrastructure in the U.S., including oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, and aerospace companies. The company’s report on those intrusions, which it said was based on two years of research, also didn’t attribute any failures of critical infrastructure to those Iranian intrusions.
“A lot of the work [the Iranians] were doing was quite sloppy, almost to the point that they wanted to get caught,” McClure said. He speculated that the Iranians may have been trying to send a signal to the U.S. and their partners in the nuclear negotiations that they were capable of inflicting harm if they didn’t get a favorable deal: “Coming to the table and knowing your adversary is in your house influences the negotiation.”
Iran still has a ways to go to join the ranks of the cyber superpowers. Its “cyberwarfare capabilities do not yet seem to rival those of Russia in skill, or of China in scale,” the Norse and AEI report finds. There is still a relatively small community of high-end hackers in the country, and the regime hasn’t been able to build as robust a tech infrastructure for launching attacks as other nations whose capabilities are more advanced, the researchers found.
The report identifies the Iranian government as responsible for the malicious activity, concluding that the traffic originated from organizations “controlled or influenced by the government” or moved over equipment that is known to be monitored and manipulated by Iran’s security services.
That claim is also likely to raise objection from technical experts, who generally demand more precise evidence to attribute a cyber operation to a specific actor.
“We are emphatically not suggesting that all malicious traffic emanating from Iran is government-initiated or government-approved,” the researchers said. However, they argue “that the typical standards of proof for attributing malicious traffic to a specific source are unnecessarily high” in this case, given that so much of the traffic they observed traversed systems either owned, controlled, or spied on by the Iranian government.
That’s ironic: This year, when Obama administration officials declared publicly that North Korea was responsible for hacking Sony Pictures Entertainment, Norse was one of the most prominent skeptics, arguing that the government was relying on imprecise technical data and leaping to conclusions.
Norse said its own research suggested that a group of six individuals, including at least one disgruntled ex-Sony employee, was behind the assault, which humiliated Sony executives and led to threats of terrorist attacks over the release of The Interview.
But that theory was undermined in January when FBI Director James Comey took the unusual step of publicly declassifying information that, he said, definitively linked North Korea to the attack. Current and former U.S. intelligence officials also told The Daily Beast that they’d been tracking the hackers behind the Sony operation long before it was ever launched.