Cyberwarfare: Iran opens a new front
FT.com, April 26, 2016 6:53 pm
By Sam Jones
With its nuclear programme curbed, digital weaponry has become even more central to Tehran's arsenal.
The first neighbourhood they unplugged was Olaya, Riyadh's wealthiest and gaudiest central district. By the time they had finished their rampage through the computer systems behind the power grid, the infiltrators believed they had left millions without electricity, crippling hospitals and military facilities.

What the hackers, whose use of Farsi and bespoke malware gave away their Iranian origins, did not realise was that the critical computer networks they had compromised were fake.

The network, complete with Arabic scripting and precise names of individual substations and pylons, was the work of MalCrawler, a cybersecurity group specialising in protecting industrial computer systems. It was just one of a set of intricate digital honeytraps designed to gauge the intentions of the attackers who routinely tried to crack into the systems owned by MalCrawler's clients. Equally intricate models were made of European, American and Israeli power systems.

The evidence from the models aligned. The Chinese hungrily scooped up anything that looked like novel technical information. The Russians permeated deep into systems, mapping them and implanting hard-to-find backdoor access for potential future use. But neither dared do damage, unlike Iran.
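The distinction the honeytraps drew, between intruders who only read, intruders who quietly modify, and intruders who drive outputs, is visible in the protocol traffic a decoy records. The following is an added illustration, not code from the FT article or from MalCrawler: it assumes the decoy substation speaks Modbus/TCP (the article does not name the protocol), uses the public Modbus function codes, and treats coil writes, the outputs that would open breakers on real switchgear, as "destructive". The two sessions it classifies are constructed, not captured traffic.

```python
"""Classify an attacker's session against an ICS decoy from the Modbus/TCP
requests it sends. The decoy accepts every request and records it, so intent
shows in what the intruder asks the fake "grid" to do.

Function codes follow the public Modbus Application Protocol specification.
Treating coil writes as "destructive" is an assumption made for this example.
"""
import struct
from typing import Dict, List, Tuple

READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers",
              0x2B: "Read Device Identification"}
WRITE_REGISTER_CODES = {0x06: "Write Single Register", 0x10: "Write Multiple Registers"}
WRITE_COIL_CODES = {0x05: "Write Single Coil", 0x0F: "Write Multiple Coils"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble one Modbus/TCP request frame (used here to construct sample traffic)."""
    pdu = bytes([fc]) + data
    # The MBAP length field counts the unit id plus the PDU that follows it.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frames(stream: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a raw TCP byte stream into (unit_id, function_code, data) tuples.

    A decoy must survive malformed input: a frame with a non-Modbus protocol id,
    an impossible length, or a truncated PDU ends parsing instead of raising.
    """
    frames = []
    offset = 0
    while offset + MBAP_LEN <= len(stream):
        _tid, proto, length, unit = struct.unpack(">HHHB", stream[offset:offset + MBAP_LEN])
        pdu_end = offset + 6 + length
        if proto != 0 or length < 2 or pdu_end > len(stream):
            break
        pdu = stream[offset + MBAP_LEN:pdu_end]
        frames.append((unit, pdu[0], pdu[1:]))
        offset = pdu_end
    return frames


def classify_session(stream: bytes) -> Dict[str, object]:
    """Count request types and return a verdict for the whole session."""
    counts = {"read": 0, "write_register": 0, "write_coil": 0, "other": 0}
    for _unit, fc, _data in parse_frames(stream):
        if fc in READ_CODES:
            counts["read"] += 1
        elif fc in WRITE_REGISTER_CODES:
            counts["write_register"] += 1
        elif fc in WRITE_COIL_CODES:
            counts["write_coil"] += 1
        else:
            counts["other"] += 1
    if counts["write_coil"]:
        verdict = "destructive"      # drove outputs: would have tripped real breakers
    elif counts["write_register"]:
        verdict = "modification"     # changed setpoints or configuration
    elif counts["read"]:
        verdict = "reconnaissance"   # only asked what is there
    else:
        verdict = "unknown"
    return {"frames": sum(counts.values()), "verdict": verdict, **counts}


# Constructed sample sessions, not captured traffic.
RECON_SESSION = (
    build_request(1, 1, 0x2B, bytes([0x0E, 0x01, 0x00]))        # read device identification
    + build_request(2, 1, 0x03, struct.pack(">HH", 0, 10))      # read 10 holding registers
    + build_request(3, 1, 0x01, struct.pack(">HH", 0, 16))      # read 16 coils (breaker states)
)
SABOTAGE_SESSION = (
    build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))                       # look first ...
    + build_request(2, 1, 0x0F, struct.pack(">HHB", 0, 16, 2) + b"\x00\x00")  # ... force 16 coils off
    + build_request(3, 1, 0x06, struct.pack(">HH", 5, 0xFFFF))                 # overwrite a setpoint
    + b"\x00\x04\x00\x00\x00\x06\x01\x03"                                       # truncated trailing frame
)

if __name__ == "__main__":
    for name, session in (("recon", RECON_SESSION), ("sabotage", SABOTAGE_SESSION)):
        print(name, classify_session(session))
```

The verdict is per session, not per frame, because a saboteur reads before writing: the first frame of the sabotage session looks identical to espionage, and only the coil write that follows separates the two. The truncated final frame is deliberately left in the sample to show that the parser stops cleanly rather than crashing the decoy.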
Among the world's big five cyber superpowers (the US, UK, Israel, Russia and China), MalCrawler concluded there was a digital equilibrium in military cyber offence based on assumptions over deterrence and reprisal.
"But in the Middle East, that's not the case at all," says Dewan Chowdhury, MalCrawler's chief executive. "The mindset just seemed completely different; it wasn't espionage or some kind of targeted operation necessarily, it was just to do as much damage as possible."
The model MalCrawler designed to replicate the Israeli power grid was hit just as hard as the Saudi one. The hackers, again displaying telltale signs of Iranian origin, fatally compromised the safety systems of what they thought was one of Israel's nuclear power stations.
Iran is rapidly emerging as the sixth member of the cyber superpower club. Denuded of its nuclear ambitions by the landmark deal struck last year to limit uranium enrichment and plutonium production, some fear Tehran will wield its cyber arsenal as an equally long-range weapon with which to menace its adversaries.
"Before the [nuclear] deal, cyber was just one option they used for leverage, but now, post-deal, it is even more central to their toolkit," says one senior Middle Eastern intelligence official. "Iran is poised to do something in cyber that will change the way the world looks at it . . . the US knows this. [The US] saw what they [Iran] did during the agreement and they know what they are doing after it."
Industrial sabotage
While high-tech espionage is rife, for strategic state advantage as well as commercial and criminal gain, destructive acts of cyber attack remain rare.
Iran is the only country that has both been on the receiving end of a major act of physical cyber sabotage and been the perpetrator of such an attack. In 2008, the Stuxnet computer worm, widely attributed to the US and Israel although neither government has acknowledged it, was unleashed on Iran's nuclear programme.
In 2012, Iranian hackers struck Saudi Arabia's national oil company, Saudi Aramco, with the Shamoon disk-wiping malware, nearly obliterating its corporate IT infrastructure and bringing the company close to collapse.
Aramco was a wake-up call for Iran's adversaries. Nearly four years on, just how strong are Iran's cyber capabilities and what, if anything, will Tehran seek to do with them?
"Their abilities are growing fast and they are diversifying. They're getting harder and harder to track," says one senior intelligence official from within the Five Eyes alliance, the digital intelligence-sharing group comprising Australia, Canada, New Zealand, the UK and the US. "There is certainly a big move towards having more destructive capability. They want to be able to do more Aramcos. Right now they are researching, practising." Tehran says it spends $1bn a year on cyber programmes. By contrast GCHQ, Britain's electronic surveillance and cyber defence service, annually spends around $2bn.
While its industrial oil production systems were unaffected, Aramco was nearly fatally compromised because so much of its corporate infrastructure was destroyed. Company officials had to use typewriters and faxes to try to keep billions of dollars of oil trades from falling through. Domestically, the company gave oil away for several days following the attack because it could not process transactions.
Christina Kubecka, a cybersecurity expert who worked for the oil company, told CNN last year that company officials flew to Southeast Asia to acquire as many computer hard drives as they could, straight off factory floors.
But the Aramco incident was also a relatively unsophisticated hack. One senior security consultant who worked for the Saudi government in 2012 told the Financial Times that during the very early stages of the operation, the Iranian infiltrators, who dubbed themselves the Cutting Sword of Justice, stumbled on a Word document saved on an IT department hard drive, entitled: "Administrator passwords".
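A document like that is exactly what a defender should be sweeping file shares for before an intruder does. The following is an added example, not a tool described in the article or used at Aramco: it walks a directory tree and flags files both by a credential-suggesting filename and by value-bearing content (a word such as "password" followed by a separator and a value), and it opens .docx files, which are zip archives, to search the text inside them. The sample share it scans is constructed in a temporary directory; the filenames and secrets in it are invented for the demonstration.

```python
"""Sweep a file share for documents that look like stored credentials, by
filename and by content, including the text inside .docx archives.

Added example with a constructed directory tree; not a tool from the article.
"""
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

# Filenames that advertise their contents ("Administrator passwords.docx").
NAME_PATTERN = re.compile(r"passw(or)?d|credential|login|secret", re.IGNORECASE)
# A value-bearing line, not just the word: "password: x", "pwd = x". This avoids
# flagging prose such as "change the password policy".
CONTENT_PATTERN = re.compile(r"\b(passw(or)?d|pwd|passcode|secret)\b\s*[:=]\s*\S+", re.IGNORECASE)
TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".log", ".md"}
MAX_READ = 1_000_000  # bytes; cap so a stray multi-gigabyte log does not stall the sweep


def extract_text(path: str) -> str:
    """Return searchable text for plain-text files and .docx; "" for anything else."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".docx":
        # A .docx is a zip; the body text lives in word/document.xml as XML runs.
        try:
            with zipfile.ZipFile(path) as zf:
                xml = zf.read("word/document.xml").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError):
            return ""
        return re.sub(r"<[^>]+>", " ", xml)  # drop the tags, keep the run text
    if ext in TEXT_EXTENSIONS:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read(MAX_READ)
    return ""


def find_credential_documents(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (relative path, reasons) for every suspicious file."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if NAME_PATTERN.search(name):
                reasons.append("filename")
            if CONTENT_PATTERN.search(extract_text(path)):
                reasons.append("content")
            if reasons:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(hits)


def make_docx(path: str, text: str) -> None:
    """Write a minimal .docx (just word/document.xml) for the constructed sample tree.
    The sample text contains no XML-special characters, so no escaping is done here."""
    body = ('<?xml version="1.0"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            f'<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>')
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("word/document.xml", body)


def build_sample_tree() -> str:
    """Create a throwaway IT share: one obvious, one buried and one benign document (constructed data)."""
    root = tempfile.mkdtemp(prefix="credsweep_")
    os.makedirs(os.path.join(root, "IT", "handover"))
    make_docx(os.path.join(root, "IT", "Administrator passwords.docx"),
              "domain admin password: Winter2012!")
    make_docx(os.path.join(root, "IT", "handover", "runbook.docx"),
              "Restart the historian gateway; the service account pwd = Hist0rian#1")
    make_docx(os.path.join(root, "IT", "minutes.docx"),
              "Agenda: change the password policy next quarter.")
    with open(os.path.join(root, "IT", "switches.txt"), "w", encoding="utf-8") as fh:
        fh.write("core-sw1 enable secret = cisco123\n")
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("Shared IT folder. See the wiki for procedures.\n")
    return root


if __name__ == "__main__":
    for rel, why in find_credential_documents(build_sample_tree()):
        print(f"{rel}: {', '.join(why)}")
```

The filename check alone would have caught the document in the Aramco anecdote but misses the more common case, a runbook or switch config with a credential buried in it, which is why the content pattern requires a separator and a value rather than the bare word. On a real share the sweep should run under a read-only service account, and anything it finds belongs in a password manager, not deleted in place, until the credential it exposes has been rotated.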
Iran's other big cyber operation at that time was Operation Ababil, attributed to a hacking group known as the Cyber Fighters of Izz ad-Din al-Qassam. It launched crude but sustained denial-of-service attacks to try to overwhelm the websites of some of the US's largest banks, including JPMorgan and Bank of America Merrill Lynch. The group claimed no allegiance, but two senior western intelligence officials and other independent cybersecurity experts say it was an Iranian proxy.
In March this year, the US justice department brought charges against seven Iranians who it said were responsible for the attacks. All worked for Iranian companies that were, said prosecutors, fronts for Tehran's Islamic Revolutionary Guards Corps.
"The attacks were the first shot across the bow," says John Hultquist, director of cyber espionage analysis at iSight. "Since Aramco [and Ababil], we have seen significant development from Iran in terms of their operations and capabilities. I wouldn't call them top tier in sophistication yet, but if I were to list off the most important threats globally I would put them [in] there. The [importance] of what they are going after, and their sheer aggression, that's the issue."
Lethal kittens and cleavers
Two hacking groups in particular highlight the development of Iran's cyber capabilities. The first, known as Rocket Kitten, has been closely tracked by many in the cybersecurity industry since 2014.
FireEye, a US digital security company, first identified it as Ajax Security Team, noting its use of a spear-phishing campaign (legitimate-looking emails that snare targeted victims into opening malicious attachments or following links) to target Iranian dissidents and Israeli organisations. By 2015, however, other cybersecurity groups realised that Rocket Kitten, as it was rechristened, was using its own customised malware, not just off-the-shelf code, and was broadening its reach.
Last November, lapses in Rocket Kitten's security procedures allowed Check Point, an Israeli company, to access the hackers' own software platform, called Oyun. Check Point discovered a sophisticated, user-friendly application and within it a list of 1,842 "projects": individuals targeted by the hackers. When they ran through the list, they came up with a comprehensive breakdown of Rocket Kitten's targets: 18 per cent were Saudi, 17 per cent from the US, 16 per cent Iranian and 5 per cent Israeli. They ranged from defence officials and contractors to dissidents, journalists and politicians.
Two intelligence officials, one from Europe and the other from the Middle East, separately told the FT that Rocket Kitten was linked to the IRGC, which, they both added, dominates Tehran's cyber warfare agenda.
It is a second IRGC-backed group, however, that is of even more interest to western defence and security experts.
In December 2014, Cylance, a US cybersecurity firm, informed its clients of the activities of Iranian hackers engaged in a project it called Operation Cleaver. Based on a forensic analysis of the hackers' activities, Cylance pointed to a group that dubbed itself Tarh Andishan ("the thinkers" in Farsi) as being behind the action. Thanks to domains, IP addresses and residential addresses used by the hackers in Tehran, the research pointed to government-backed organisations as being ultimately responsible.
Cylance declared Iran "the new China" for its aggressive actions in cyberspace. Its report detailed a sophisticated online campaign, tracked over two years, that was using custom-built malware to deliberately infect and gain access to sensitive industrial control systems and critical infrastructure in companies across the globe.
The hackers behind Cleaver successfully infected the computers of hundreds of companies and sensitive organisations, from military systems, to oil and gas production controls, to airport and airline security databases. The countries hit hardest were not just the regional and traditional foes of Iran. They included places such as South Korea and Canada.
"What Cleaver really brought to the surface was that these guys were aggressive, compromising critical infrastructure in missions that did not have any classic espionage outcome . . . the Iranians aren't getting into airports and oil and gas companies for intelligence collection . . . these are systems to compromise in order to do harm," says Mr Hultquist. "What was really eye-opening is that they were doing it globally."
Complex picture
Knowing what Iran is technically capable of is only part of the picture. Since 2012, when Ayatollah Ali Khamenei, the Islamic republic's supreme leader, established the supreme cyber council, it has been hardliners that have dominated control of it.
"[Cyber] is folded into the larger context of political and military relationships that the [Iranian] leadership has to sit down and calculate, 'When do I want to do this?'," says Jim Lewis, director of technology and public policy at the Washington-based Center for Strategic and International Studies.
Much of Iran's capability in cyberspace stems from its efforts to control dissent and monitor émigrés in the wake of protests triggered by the flawed 2009 election and the emergence of the Green movement. The Basij militias, the paramilitary, pro-regime forces under the direction of the IRGC that were crucial in suppressing those protests, are now a critical part of Iran's cyber force.
A second, more sophisticated and highly trained group within the guards is responsible for activities such as those seen in Operation Cleaver, says one senior British security official. They make up Iran's equivalent of an elite cyber force, and are the most worrying threat for the west.
Iran's proxy cyber forces form a third component, with Tehran accused of being one of the world's most active cyber proliferators, providing damaging malware to groups such as Hizbollah, the Lebanese Shia militants. Such arrangements do raise questions over control, and over just what is being done in Iran's name without explicit sanction from Tehran.
A Basij Cyber Council mobilises hacktivists within the Basij, often drawing from Iran's large pool of young, computer-literate students, to further the Islamic Republic's message both internally and externally. It is these groups that are responsible for much of the cruder and more belligerent activity in cyberspace: defacing websites and attacking US, Saudi or Israeli companies with denial-of-service attacks, for example. While they are nurtured and encouraged by the IRGC, there is not necessarily a rigid command structure behind their activities. That makes them unpredictable and difficult to deter.
In the months since the nuclear deal, MalCrawler, whose digital honeytraps are still in use, collecting data, has noticed a tail-off in Iranian activity. "We're in a period of reorganisation in cyberspace," says Mr Chowdhury.
But few expect that to remain the case. "In the short term, as sanctions come off, they want stability," says one Israeli official, "so they are rethinking their attacks. But people need to understand that they are developing capabilities for use years from now." Cyber, he says, is as core to Iran's strategy as its ballistic missile programme.
"Before cyber they were powerless," says CSIS's Mr Lewis. "They had to sit there and take it. We had sanctions, we had aircraft carriers off their coast. Now with cyber they can strike back."
Printed from: http://www.ft.com/cms/s/0/15e1acf00a4711e6b0f161f222853ff3.html
© The Financial Times Ltd 2016. FT and Financial Times are trademarks of The Financial Times Ltd.