Iranian journalism students work at an internet cafe in central Tehran, Iran, Tuesday, Jan. 18, 2011. VAHID SALEMI / AP

Can Iran Turn Off Your Lights?

Is Iran all bark and no bite on cyberwar? By Patrick Tucker

Online security company Cylance released a report last week showing that an Iranian cyber-espionage operation, “Operation Cleaver,” had successfully breached U.S. and foreign military, infrastructure and transportation targets. The report claimed to confirm widely suspected Iranian hacks of the unclassified Navy Marine Corps Intranet system, NMCI, in 2013. It describes (without explicitly naming) more than 50 targets around the world, including players in energy and transportation.

But is the Iranian cyber threat overblown?

The tactics detailed in the report show an escalation of Iranian hacking activity, which the report’s writers, in several instances, refer to as rapid.

“We observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran’s cyber warfare capabilities continue to morph the probability of an attack that could impact the physical world at a national or global level is rapidly increasing. Their capabilities have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and Hacking Exposed style techniques,” the report states.

The Operation Cleaver team found vulnerabilities in the Structured Query Language, or SQL, code of various target systems and then used those SQL vulnerabilities to inject commands of their own into back-end database servers (a tactic called SQL injection). They were then able to upload new tools into the systems, allowing for more data theft and access. The tools enabled the hackers to capture a large number of administrator passwords (a technique known as credential dumping) and even log keystrokes on affected computers.
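The SQL injection described above comes down to one coding mistake: untrusted input is spliced into the text of a query, so the input can change the structure of the query instead of merely supplying a value. The following added example (not code from the Cylance report or from any of the systems it describes) builds a small in-memory SQLite table with constructed sample rows and runs the same lookup two ways, once with string formatting and once with a parameterized query, so the difference in behaviour on a hostile input is visible. The table, the rows and the `HOSTILE` string are all constructed for the demonstration.

```python
"""Added example: string-built SQL beside its parameterized fix.

Constructed data only; nothing here is taken from the Cylance report.
"""
import sqlite3


def make_db():
    # Constructed sample table: three users with different roles.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator"), ("carol", "viewer")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the caller-supplied value becomes part of the SQL text, so a
    # value containing a quote can close the literal and append new conditions.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    # Fix: the query text is a constant and the driver sends the value
    # separately, so whatever the input contains it is compared as data.
    query = "SELECT name, role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed hostile input: closes the string literal and adds an
# always-true condition, the textbook shape of an injection probe.
HOSTILE = "' OR '1'='1"


def demo():
    """Run both lookups on a normal and a hostile input and return the results."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_hostile": lookup_vulnerable(conn, HOSTILE),  # every row leaks
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_hostile": lookup_safe(conn, HOSTILE),  # no user has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13s} -> {rows}")
```

The vulnerable lookup returns all three users for the hostile input because the `WHERE` clause has become `name = '' OR '1'='1'`; the parameterized lookup returns nothing, because the database is asked for a user literally named `' OR '1'='1`. Parameterized queries (and, at the network edge, logging and alerting on quote-heavy or boolean-laden input to database-backed pages) are the standard, low-cost remediation the article later contrasts with zero-day exploitation.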

Among the targets were some 50 companies in 16 countries, representing 15 industries including “military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, chemical, companies and governments.”

(Related: Major Cyber Attack Will Cause Significant Loss of Life By 2025, Experts Predict)

The report’s most dramatic assertion appears on page 5: “Iran is the New China,” it declares.

But is it true?

The Not-So-New China of Cyber-Attacks

Speaking before the House Intelligence Committee last month, Vice Admiral Michael Rogers, the commander of U.S. Cyber Command, said that China and perhaps “one or two others” could effectively blackout portions of the United States. “It is a matter of when, not if, that we are going to see something dramatic.”

What does “something dramatic” look like? In a word: dark. “If I want to tell power turbines to go offline and stop generating power, you can do that,” Rogers said. “It enables you to shut down very tailored parts of our infrastructure.”

Rogers declined to mention which “one or two others” had the ability to turn off your lights, but Iran’s burgeoning cyber-capabilities occupy a growing portion of Rogers’ job.

In 2013, when hackers within Iran attacked NMCI, it was Rogers’ job to fix the gaps, an issue that members of the Senate Armed Services Committee asked him about during his 2014 confirmation hearing. At the time, he said that NMCI was “properly architected and constructed against external cyber attacks.”

Other cyber hawks have been more eager to play up the Iranian threat. House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., speaking to The Washington Free Beacon last month, noted, “We have seen some very, very devastating efforts on behalf of Iran.”

To understand what those efforts may be, it makes sense to consider the history of Iran’s cyber capabilities.

In 2009, as the Green Movement was fomenting popular resistance to the Iranian government, the formation of the “Iranian Cyber Army” marked “a concentrated effort to promote the Iranian government’s political narrative online,” according to OpenNet Initiative’s 2013 analysis of Internet controls in Iran from 2009-2012. The Army attacked news organizations and opposition websites within Iran with great success.


Around the same time, the pro-government Basij paramilitary organization launched the Basij Cyber Council, which recruited hackers to develop cyber attacks and spy on Iranian dissidents through malware and “phishing campaigns” where victims were lured to fake websites and tricked into surrendering information. Not long afterward, Iran’s pro-government hacker community turned its attention outward. 

The most severe attack that can be linked to Iran was the 2012 “Shamoon” attack against Saudi Arabian oil company Aramco. It emerged from a shadowy group called the “Cutting Sword of Justice” and effectively took out 33,000 Aramco computers, erasing the data on the hard drives. Then-Defense Secretary Leon Panetta called it “a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold.” Escalation sounds troubling until you consider the baseline state from which said escalation ascends.

Here’s what Shamoon did not do: affect any of the computers that actually controlled vital mechanical processes at Aramco. It did not cause any industrial accidents and did not shut down oil production. The attack was costly and caused inconvenience on a large scale, but it was not a blackout attack.

“There was nothing about Shamoon that was sophisticated. In fact, Shamoon was only 50 percent functional according to one of the labs that I spoke with,” Jeffrey Carr, CEO of the cyber-security firm Taia Global and the author of Inside Cyber Warfare: Mapping the Cyber Underworld, told Defense One.

The level of technical expertise displayed by Shamoon, and hinted at in the Cylance report, suggests that the sophistication of Iran’s cyber capabilities has not reached that of China, Russia or the United States. SQL injection hacks can be severe but are not exotic. The attacks detailed in the Cylance report also make use of a widely known and long-patched security bug, the MS08-067 flaw in Microsoft Windows.

Today Is Not Zero-Day

Cylance claims that it uncovered “only a fraction” of the systems that Operation Cleaver likely targeted. But as Dan Goodin, writing for Ars Technica, reports, “there’s no evidence any zero-day vulnerabilities were exploited.” That suggests that the gaps Operation Cleaver took advantage of are fixable at relatively low cost.

So-called zero-day attacks exploit previously unknown vulnerabilities in systems, vulnerabilities for which no patch yet exists. When a zero-day attack occurs, the security team has “zero” days to come up with a solution to a very novel problem. Stuxnet, the worm that effectively shut down Iranian uranium enrichment centrifuges in 2010, was a zero-day weapon and actually did succeed in shutting down vital mechanical processes outside of cyberspace.

Hackers within China are practiced at zero-day attacks, including a reported global attack against shipping interests occurring in July. That attack, while sophisticated, amounted to little more than industrial espionage, which fits with China’s modus operandi.

China vs. Iran: Differing Capabilities and Motivations

Therein lies the big difference between China and Iran as cyber adversaries. China is more capable and more focused on narrow objectives, which Tony Cole, global government chief technical officer for the cybersecurity firm FireEye, defines as “stealing intellectual property and national secrets primarily to give itself a competitive edge in competing in the global market.”

Government officials have echoed that view. Speaking before the Senate Intelligence Committee in January, James Clapper, the Director of National Intelligence, said “China’s cyber operations reflect its leadership’s priorities of economic growth, domestic political stability, and military preparedness.” Read that to mean a likely continuance of data theft, not terrorist acts that could damage both economies.

Iran, as a cyber adversary, is both less capable and more bellicose than China. The Iranian economy, unlike China’s, is largely divorced from that of the United States. And Iran was the only nation to actually suffer a catastrophic cyber attack, for which it blames Israel and the U.S. As a result of these and other factors, Iran may have more of a will for cyber-mayhem even if it lacks the most dangerous tools.

In this way, Iran is the perfect cyber adversary for Washington’s hawks to rattle sabers against, and the rattling is becoming more frequent.

Speaking to The Hill’s Cory Bennett on Nov. 22, Rep. Rogers speculated that a breakdown in negotiations between Iran and the United States on an upcoming nuclear deal could compel Iran to attack oil and water systems in the United States.

“As soon as they believe it’s to their advantage to begin again in more aggressive cyber activity toward the United States, they’re going to do it,” Rogers said. “It would be logical to conclude that if the talks fail completely, they’ll re-engage at the same level.”

The deadline for a deal passed—peacefully—two days later, with the parties agreeing to a seven-month extension.

“Are they the new China? At this point they haven’t shown us enough capability to overshadow the continuous attacks of various levels of sophistication from China,” Tony Cole, the global government chief technical officer for the cybersecurity group FireEye, told Defense One. “They might be simply showing the world that they have a capability at this point in the cyber arena, or it could be for more nefarious purposes where they plan on creating a cyber attack to have a kinetic and damaging effect in the real world. We hope it’s not the latter.”

(For a history of Iranian cyber capabilities, check out FireEye’s 2013 paper.)

Despite its growing capabilities, Iran probably lacks the means to turn off your lights. 
