Iranian hacking operations stand apart from other nation-state threat groups, according to new research from threat intelligence firm Recorded Future.
The company, based in Somerville, Mass., released a report, titled "Iran's Hacker Hierarchy Exposed," earlier this month that shows the inner workings of the Iranian government's cyber operations. Recorded Future's Insikt Group, which expects major cyberattacks from Iran following the Trump administration's exit from the Iran nuclear deal, offers a view of the country's network of contractor organizations, including academic universities. Insikt Group's research is based in part on interviews with a former Iranian hacker with direct knowledge of the country's cyber operations.
Levi Gundert, vice president of threat intelligence at Recorded Future, explains why Iran's state-sponsored cyber operation differs from those of other nation-states and how that uniqueness presents challenges for the country. In part one of the interview with Gundert, he discussed the history of Iranian hacking campaigns and the patterns exhibited by various advanced persistent threat groups working on behalf of the government. Here, he describes the Iranian government's strategy of using contractors and weighs in on the potential for new types of damaging cyberattacks from the nation.
We've seen nation-state groups use obfuscation to muddy the attribution waters and even engage in false flag attacks recently. Does Iran care about attribution or does the government want the public to know it is behind a cyberattack?
Levi Gundert: Iran enjoys using proxies the same way Russia uses proxies. If you look at how Russia has used different people in different capacities with different connections to the Russia government, especially with the election influencing operations, Iran enjoys that approach as well. It makes it more difficult to do attribution, and that helps Iran on a policy level when the government is sitting down with other nations. Putting a little doubt into the equation is only going to be good for them. But that hasn't always been the case. For example, in the [Las Vegas] Sands Casino attack, the hackers actually released a YouTube video as the attack was going on. The video documented all of the access the hackers got throughout the Sands network, and it even had subtitles and captions mocking the company for all of the insufficient security and left all these files open on the network. It was interesting because it was a piece of propaganda, even though it was deleted off YouTube pretty quickly. It was interesting because if you really have the ability to perform that activity consistently and you have a developed capability, then you probably don't want to act like you've never been there before. If you were Iran, you probably want it to look like it's just another day and another attack. But the way they celebrated it in a public way was very emotional. And I've had people tell me on Twitter that emotion doesn't play into this with the Iranian government, and I actually think it does. What we saw in the Sands attack was very much an emotional component, and whether it was just the contractors or it was the other people involved in mandating that video, it said a lot about their mindset both during and after the attack.
The interesting thing about Iran is that their proxies are in-country. Everything we've seen from them will come back to a company or a university that's based in Iran. North Korea, on the other hand, will use folks in other countries for a lot of these attacks. They'll find people who have skill sets for particular attacks in countries like Malaysia or India, so those attacks don't physically come back to them the way they do for Iran. Whether or not Iran will continue to use only in-country proxies will be something to watch over time. The problem that Iran has is this ideological component where the government wants to give a specific task to a contractor, but they want to know that contractor can be trusted and won't share inside information with adversaries. Having the contractors in-country helps give the government that feeling of trust, but it also makes it harder to evade attribution, so it cuts both ways.
On that point, Insikt Group got information from a source within Iran that proved pretty valuable for your report. Do Iranian hackers have any ideological loyalty to the government or are they mostly motivated by financial gain? And do you have a sense of how these proxies and contractors are compensated?
Gundert: We don't have specific numbers, but we've heard that it's good pay. And Iran has set up this quasi-capitalist system where contractors are sometimes pitted against each other to see who can actually deliver. And you only get paid when you deliver. It's a competition. From what we understand, being able to deliver and being first to deliver equates to significant wealth in Iran and influence for future operations. It seems to be a pretty good gig.
And it's the younger generation that has those types of skills, and all they care about is the money. They care about getting paid. They don't buy into the regime's ideology, and they don't buy into the religious component. They play the game because they have to play the game to get the work, but they're really just interested in making money.
Is there any indication that Iranian hacking may move toward election influencing operations and the sort of activity that we've seen from Russian threat groups?
Gundert: We haven't seen any evidence that Iran has been involved in any influence operations, but that's something I think is worthwhile to look at going forward, primarily because of the success Russia has had and the close ties between those two countries. I don't think it's a far cry to say that Iran may look at the success Russia had and decide they want to emulate that where possible. But I also think that the Iranian government's budget for that type of operation isn't what Russia's is in terms of buying advertisements, resources and the people necessary to do it at scale. Iran may want to do that, but it may be cost-prohibitive. Regardless, it's certainly possible.
Iranian hackers frequently used DDoS attacks in the past. Can those attacks still be effective or will Iran move toward more destructive types of attacks?
Gundert: In 2012, there was a wave of DDoS attacks on the financial services sector, which they weren't really prepared for, and they were very successful. Today, financial services companies are much more prepared for another attack like that. And there are only so many ways to create a denial-of-service attack. We've seen a lot of variations on reflection and amplification attacks that tend to be the most powerful types, but it's a lot less likely that they'll be as successful this time around. It would be quite an accomplishment in 2018 if they could design a denial-of-service attack that would knock online banking systems offline. The financial services sector has multiple layers of defense in place for DDoS attacks, so even if attackers do have a million IoT devices that are sending packets your way, those layers can quickly saturate that traffic and start blocking it. The destructive wiper malware like WannaCry is a much bigger problem.
Have you shared this report with the federal government, and if so, what was the response? Are agencies aware of and actively preparing for a spike in Iranian cyberattacks?
Gundert: That's a good question. We did share the report with a lot of government agencies prior to publishing it, and all of the feedback we received was overwhelmingly positive. But that's all I can say. I haven't spoken with the folks on our team that have government experience about that, so I don't know how much thought the government has put into this prior to our report. I do know the Department of Homeland Security [DHS] is very concerned about ICS attacks in particular. That's been one of DHS' focuses lately. But that's at a high level and not specific to Iran.