Only a few years ago, network security experts didn’t rank Iran’s abilities to carry out sabotage and cyber-espionage very highly compared to China, Russia and the United States.
That may be changing.
After falling victim to industrial sabotage in the now-famous Stuxnet attack, which went after centrifuges in Iran’s Natanz Nuclear Facility, the nation may be looking at ways to reach out and cause similar mayhem inside the borders of its adversaries.
Gen. William Shelton, Air Force Space Command commander, when asked how Iran racked and stacked as a cyberpower today, said he couldn’t say much publicly about it. Shelton also oversees the service’s cyber-operations.
“It is clear the Natanz situation generated a reaction by them. They are going to be a force to be reckoned with. And let me just leave it at that,” he told reporters.
A cyber-attack against Saudi Arabia’s state-owned oil company Aramco left 30,000 company computers down for a week, and scrambled data so it could no longer be retrieved. Suspicions have fallen on regional rival Iran, although it is often difficult to attribute these attacks. A group called “Sword of Justice” claimed responsibility, citing repression against Shiites in countries such as Saudi Arabia and Bahrain.
More recently, a shadowy group called the al-Qassam Cyber Fighters has launched a series of distributed denial of service (DDoS) attacks against U.S. banks.
It is tough to know what the truth is because the facts are often classified, said Jon Iadonisi, co-founder of Alexandria, Va.-based White Canvas Group, which specializes in network security.
“Whether or not those are attributed to Iran, I’m not sure it even matters anymore what country they are from when everything is pretty much for hire,” he said.
It isn’t necessary anymore to have deep technical knowledge of software code. Readily available and easy-to-use tools allow an ordinary person — or nation — to launch DDoS attacks.
However, “If you look at the breadth, the planning and the complexity of mainly the al-Qassam Cyber Fighter attacks … they are much more advanced than a simple DDoS attack,” he said.
They required months of planning. The social engineering, or spearphishing attacks, were well engineered. The group claimed the attacks were in response to an anti-Islamic video, The Innocence of Muslims, posted on YouTube. Iadonisi believed that was a red herring since there is evidence the operation was being planned before the video was released, he said.
Iadonisi thinks Iran has a cyber-unit. The question is whether the government would risk exposing itself by employing it.
“I wouldn’t if I were them. I would use a freelance unit,” he said. “You can hire somebody with any sort of technical background, and they are nationality agnostic.”
As for the Aramco attack, “Somebody had to do a lot of planning to understand all their vulnerabilities and their network. Who is that planning being done by? I don’t necessarily know, and I can’t necessarily talk about that,” he said.
More recently, a virus that went after the hardware at an unnamed U.S. gas turbine company had the goal of taking control of the machinery, much like the Stuxnet virus, he said.
The ability to carry out attacks from across the world that can do real physical or economic damage without ever launching a jet fighter or sending in suicide squads is tempting for adversaries such as Iran, U.S. officials and cybersecurity experts have pointed out.
“An individual or a group of people can wield, in some cases, their own elements of national power,” said Iadonisi.