A period of relative calm between the United States and Iran in the cyber domain could be over.
According to new research from threat intelligence firm Recorded Future, headquartered in Somerville, Mass., major Iranian cyberattacks are likely to resume and possibly escalate in the wake of the Trump administration's withdrawal from the Iran nuclear deal.
The report, titled "Iran's Hacker Hierarchy Exposed," is based largely on interviews conducted by Recorded Future's Insikt Group with a hacker who has firsthand knowledge of Iran's cyber operations. It includes analysis of intelligence, as well as technical data gathered between March 1 and April 30 this year. The report explains that "Iran is likely to respond by launching cyberattacks on Western businesses within months, if not faster."
Levi Gundert, vice president of threat intelligence at Recorded Future, discussed the historical patterns of Iranian cyberattacks and the capabilities of contracted nation-state hacker groups such as the Mabna Institute. He also discussed the potential for industrial control system (ICS) attacks and critical infrastructure threats in the near future.
Here is part one of the discussion with Gundert.
When did you start looking at state-sponsored threats out of Iran, and what stood out to you as you researched the prospect of resumed Iranian cyberattacks?
Levi Gundert: It's a subject that we've been working on for a while. We started working on this many months ago, and the timing with [President Donald] Trump's decision worked out pretty well. The interesting thing I saw after digging into this was how Iran operates differently than any other country, whether it's China or Russia or Israel or the U.S., in terms of how the government works and the tradeoffs between ideology and getting things done in the cyber domain.
When we stepped back and looked at how Iran operates through cutouts and proxies in the kinetic domain with Hezbollah or Houthi rebels in Yemen, we saw that they operate very similarly in the cyber domain. We dug into that approach and also started looking at data points from DOJ [Department of Justice] indictments and public reporting on various contractor groups, as well as our own data on things like [the Iranian hacker group] Ashiyane, as well as talking to our human source in this case.
It built this picture of how things seemed to be connected in terms of hackers and threat actors on forums, the government contractors and the Iranian government. They've only been developing this capability on the cyber side for the last eight years, ever since the Green Movement. But they continue to be very capable in terms of offensive attacks and operations and groups like APT33, APT34 and APT35. They're effective. We have not tied threats like Trisis or Triton specifically to Iran, but it seems very plausible that Iran is behind those ICS attacks.
The report discusses the historical patterns of Iranian cyberattacks. How has this played out in the past?
Gundert: The history is very interesting. Between 2012 and 2015, you had a lot of these attacks. There was the Shamoon attack on Saudi Aramco, for example. That was the period when you saw these very reactionary attacks in response to U.S. economic sanctions. When those sanctions were rolled back in 2015, you saw a cessation of those types of destructive attacks. And while the APTs [advanced persistent threats] continued, it was a very different tone from Iran in terms of their cyber operations.
We're going to continue looking at the pieces of the puzzle. We're working on the history and current status of Ashiyane, in particular, because we have 20,000 actors or monitors that we track in Recorded Future for that group, and also Behrooz Kamalian, the founder of the [Ashiyane] group, and the role he has played.
You said the timing worked out well for this report. Was there any indication prior to the nuclear agreement exit that this type of activity would resume?
Gundert: We didn't say anything specific to destructive attacks. We continued to see activity that was most likely attributed to APT33 and the others. But, again, that activity has never really stopped. Last fall, we saw additional data points related to something that FireEye put out about spear phishing attacks on government contractors in the Middle East, so things like that have been very consistent.
As we detailed in the report, we saw activity related to foreign universities, which is very consistent with the Silent Librarian [APT group] attacks that have been going on for years. The Mabna Institute was carrying out most of that activity. We saw that less in the United States over the last couple of months and more in foreign destinations. We can't say whether or not that activity was in preparation for the U.S. exiting the nuclear agreement, but it would seem to be suspicious at the very least.
ICS and energy grid threats have been a hot topic of late, and some experts have argued there's been a bit of an overreaction to those threats. But are those types of attacks a possible outcome of Iran resuming destructive cyberattacks?
Gundert: It's really hard to say. We saw in 2016 that Iran had gained access to a small dam in New York, which was really inconsequential. And there was speculation that the hackers were actually trying to gain access to a different water facility on the West Coast, and there was a case of mistaken identity.
Levi Gundertvice president of threat intelligence at Recorded Future
In terms of ICS attacks, I do think there's been a little overreaction going on. The number of events that would have to occur to actually trigger a true blackout on a meaningful scale is pretty substantial. That's not to say that foreign adversaries aren't capable of doing that, but I'm not sure the reaction has been commensurate with the actual level of risk here. That's my two cents on the matter, but I do think there's been a dearth of data points here.
You can talk to companies that specialize in the ICS sector that have done a lot of work and have had boots on the ground in places like the Ukraine. But beyond that, there aren't a lot of data points. There's been a lot of speculation and a lot of opining, but not a lot of information to do a quantitative risk analysis.
Is the level of coordination for these types of ICS attacks currently out of reach for these state-sponsored groups?
Gundert: I wouldn't put it out of the realm of possibility. I do think these groups are capable. I don't think they've demonstrated the sophistication level that's on par with China or Russia or the U.S. But they are very capable, and it would not be good to underestimate them in terms of their motivations and capabilities.
Even though it's been quiet over the last three years, they've continued to build up their skills, knowledge base, infrastructure and number of contractors to perform these types of attacks. And what Iran showed in 2014 with the attack on the [Las Vegas] Sands [Casino] Corporation is that it can become operational very quickly when it wants to be, so I think it's realistic to say those groups can affect an ICS target.