Online security company Cylance released a report last week showing that an Iranian cyber-espionage operation “Operation Cleaver” had successfully breached U.S. and foreign military, infrastructure and transportation targets. The report claimed to confirm widely-suspected Iranian hacks of the unclassified Navy Marine Corps Intranet system, NMCI, in 2013. It describes (with explicitly naming) more than 50 targets around the world, including players in energy and transportation.
But is the Iranian cyber threat overblown?
The tactics detailed in the report show an escalation of Iranian hacking activity, which the report’s writers, in several instances, refer to as rapid.
“We observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran’s cyber warfare capabilities continue to morph the probability of an attack that could impact the physical world at a national or global level is rapidly increasing. Their capabilities have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and Hacking Exposed style techniques,” the report states.
The Operation Cleaver team found vulnerabilities in the Search Query Language or SQL coding in various target systems and then used those SQL vulnerabilities to inject secret commands into back servers (a tactic called SQL injection). They were then able to upload new tools into the systems allowing for more data theft and access. The tools enabled the hackers to capture a wide number of administrator passwords (a technique known as credential dumping) and even log keystrokes on affected computers.
Among the targets were some 50 companies in 16 countries, representing 15 industries including “military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, chemical, companies and governments.”
The report’s most dramatic assertion appears on page 5, “Iran is the New China” it declares.
But is it true?
The Not-So-New China of Cyber-Attacks
Speaking before the House Intelligence Committee last month, Vice Admiral Michael Rogers, the commander of U.S. Cyber Command, said that China and perhaps “one or two others” could effectively blackout portions of the United States. “It is a matter of when, not if, that we are going to see something dramatic.”
What does “something dramatic” look like? In a word: dark. “If I want to tell power turbines to go offline and stop generating power, you can do that,” Rogers said. “It enables you to shut down very tailored parts of our infrastructure.”
Rogers declined to mention which “one or two others” had the ability to turn off your lights, but Iran’s burgeoning cyber-capabilities occupy a growing portion of Roger’s job.
In 2013, when hackers within Iran attacked NMCI, it was Roger’s job to fix the gaps, an issue that members of the Senate Armed Services committee asked him about during his 2014 confirmation hearing. At the time, he said that NMCI was “properly architected and constructed against external cyber attacks.”
Other cyber hawks have been more eager to play up the Iranian threat. House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., speaking to The Washington Free Beacon last month, noted, “We have seen some very, very devastating efforts on behalf of Iran.”
To understand what those efforts may be, it makes sense to consider the history of Iran’s cyber capabilities.
In the 2009, as the Green Movement was fomenting popular resistance the Iranian government, the formation of the “Iranian Cyber Army” marked “a concentrated effort to promote the Iranian government’s political narrative online,” according to OpenNet Initiative’s 2013 analysis of Internet Controls in Iran from 2009-2012. The Army attacked news organizations and opposition Websites within Iran with great success.
Around the same time, the pro-government Basij paramilitary organization launched the Basij Cyber Council, which recruited hackers to develop cyber attacks and spy on Iranian dissidents through malware and “phishing campaigns” where victims were lured to fake websites and tricked into surrendering information. Not long afterward, Iran’s pro-government hacker community turned its attention outward.
The most severe attack that can be linked to Iran was the 2012 “Shamoon” attack against Saudi Arabian oil company Aramco. It emerged from a shadowy group called the “Cutting Sword of Justice” and effectively took out 33,000 Aramco computers, erasing the data on the hard drives. Then-Defense Secretary Leon Panetta called it “a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold.” Escalation sounds troubling until you consider the baseline state from which said escalation ascends.
Here’s what Shamoon did not do: affect any of the computers that actually controlled vital mechanical processes at Aramco. It did not cause any industrial accidents and did not shut down oil production. The attack was costly, caused inconvenience on a large scale, but was not a black-out attack.
“There was nothing about Shamoon that was sophisticated. In fact, Shamoon was only 50 percent functional according to one of the labs that I spoke with,” Jeffrey Carr, CEO of the cyber-security firm Taia Global and the author of Inside Cyber Warfare: Mapping the Cyber Underworld, told Defense One.
The level of technical expertise displayed by Shamoon, and hinted at in the Cylance report, suggest that the sophistication of Iran’s cyber capabilities has not reached that of China or Russia or the United States. SQL injection hacks can be severe but are not exotic. The attacks detailed in the Cylance report also make use of a widely known security bug, the MS08-O67 flaw in Microsoft Windows.
Today Is Not Zero-Day
Cylance claims that they uncovered “only a fraction” of the systems that Operation Cleaver likely targeted. But as Dan Goodin, writing for Ars Technica, reports “there’s no evidence any zero-day vulnerabilities were exploited.” That suggests that the gaps Operation Cleaver took advantage of are fixable at relatively low cost.
So-called zero-day attacks exploit new classes of vulnerabilities in systems, vulnerabilities for which there is no effective patch. When a zero-day attack occurs, the security team has “zero” days to come up with a solution a very novel problem. Stuxnet, the worm that effectively shut down the Iranian nuclear refinement centrifuges in 2010, was a zero-day weapon and actually did succeed in shutting down vital mechanical processes outside of cyberspace.
Hackers within China are practiced at zero-day attacks, including a reported global attack against shipping interests occurring in July. That attack, while sophisticated, amounted to little more than industrial espionage, which fits with China’s modus operandi.
China vs. Iran: Differing Capabilities and Motivations
Therein lies the big difference between China and Iran as a cyber adversary. China is more capable and more focused on narrow objectives, which Cole defines as “stealing intellectual property and national secrets primarily to give itself a competitive edge in competing in the global market.”
Government officials have echoed that view. Speaking before the Senate Intelligence Committee in January, James Clapper, the Director of National Intelligence, said “China’s cyber operations reflect its leadership’s priorities of economic growth, domestic political stability, and military preparedness.” Read that to mean a likely continuance of data theft, not terrorist acts that could damage both economies.
Iran, as a cyber adversary, is both less capable and more bellicose than China. The Iranian economy, unlike China’s, is largely divorced from that of the United States. And Iran was the only nation to actually suffer a catastrophic cyber attack, for which it blames Israel and the U.S. As a result of these and other factors, Iran may have more of a will for cyber-mayhem even if it lacks the most dangerous tools.
In this way, Iran is the perfect cyber adversary for Washington’s hawks to rattle sabers against, and the rattling is becoming more frequent.
Speaking to The Hill’s Cory Bennett on Nov. 22, Rep. Rogers speculated that a breakdown in negotiations between Iran and the United States on an upcoming nuclear deal could compel Iran to attack water and oil and water systems in the United States.
“As soon they believe it’s to their advantage to begin again in more aggressive cyber activity toward the United States, they’re going to do it,” Rogers said. “It would be logical to conclude that if the talks fail completely, they’ll re-engage at the same level.”
The deadline for a deal passed—peacefully—two days later, with the parties agreeing to a seven-month extension.
“Are they the new China? At this point they haven’t shown us enough capability to overshadow the continuous attacks of various levels of sophistication from China,” Tony Cole, the global government chief technical officer for the cybersecurity group FireEye told Defense One. “They might be simply showing the world that they have a capability at this point in the cyber arena or it could be for more nefarious purposes where they plan on creating a cyber attack to have a kinetic and damaging effect in the real world. We hope it’s not the latter.”
(For a history of Iranian cyber capabilities, check out FireEye’s 2013 paper.)
Despite its growing capabilities, Iran probably lacks the means to turn off your lights.