Iran’s Cyber Capabilities

By Frank Wood on December 2, 2021

Executive Summary

Iran’s cyber capabilities are modest compared with those of the leading cyber powers, but it is rapidly expanding its operations and becoming a more significant advanced persistent threat (APT) actor. With technical support from Russia and China [1], Iran’s cyber operations are considerably more robust than they were a decade ago.

Accustomed to covert operations and strategic planning, Iran appreciates the use “of cyber as an instrument of national power” [5] and is comfortable “using cyber as a tool for coercion and force” [5]. Furthermore, “Tehran views these operations as a safe, low-cost method to collect information and retaliate against perceived threats” [1].

Those perceived threats include its own citizens. The regime fears its population most of all and believes that outside influences reaching it through the internet could spark civil unrest. To contain that threat, Iran “began to develop their hacking abilities during the 2009 ‘Green Revolution’ to extend domestic surveillance and control” [5]. It has since effectively limited the population’s exposure to outside internet sources and conflicting ideologies.

Background

After the Stuxnet attack on Iranian nuclear-enrichment centrifuges came to light in 2010, Iran recognized the importance of both cyber defense and offensive operations and began investing in its capabilities, shifting from domestic censorship to “phishing and defacing campaigns against commercial enterprises, as well as cyberespionage against military and government data” [1].

Some of Iran’s favorite targets are “aerospace companies, defense contractors, energy and natural resource companies, and telecommunications firms for cyberespionage operations” [2]. However, Iran is careful not to cross the line into what could be perceived as an act of war and invite a military response; its operations are typically retaliatory. For example, “after a 2012 malware attack targeting an Iranian oil facility, Iran responded with a cyberattack on Saudi Aramco and Qatari RasGas, using malware to cause irreparable damage to thousands of computers” [1]. The malware in question was “Shamoon” [4], which “renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data” [4]. Because the MBR and partition table are the first structures a machine reads at startup, an affected host will not boot, and the overwritten files leave little to recover short of restoring from backup.
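The Shamoon description above boils down to three properties of sector 0 that a wiper destroys: the 0x55AA boot signature, a sane four-entry partition table, and low-entropy boot code. The following triage script is an added example, not code from the cited CISA report or from any Shamoon sample; it checks those three properties on the first 512 bytes of a disk image. The partition-entry layout and boot-signature offset are the standard MBR format; the sample sectors (`build_sample_mbr`, `build_wiped_mbr`), the entropy threshold and the stub boot-code bytes are constructed for the example.

```python
"""Triage check for a Shamoon-style MBR overwrite on a disk image.

Added example, not taken from the cited CISA report. It inspects the first
512-byte sector: an intact MBR ends in the 0x55AA boot signature, its four
16-byte partition entries have sane field values, and its boot-code region
is low-entropy. Overwriting the sector with random data destroys all three.
"""
import math
import random
import struct
from collections import Counter

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # four 16-byte entries live at bytes 446..509
BOOT_SIG_OFFSET = 510     # bytes 510..511 must be 0x55 0xAA
ENTROPY_THRESHOLD = 7.0   # bits/byte; random data scores ~7.5 on 446 bytes (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for random data, far lower for real boot code."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (the CHS fields are skipped)."""
    boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {"boot_flag": boot_flag, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def entry_consistent(e: dict) -> bool:
    """A real entry is bootable (0x80) or not (0x00); an unused slot is empty."""
    if e["boot_flag"] not in (0x00, 0x80):
        return False
    if e["type"] == 0:
        return e["lba_start"] == 0 and e["sectors"] == 0
    return e["lba_start"] > 0 and e["sectors"] > 0


def assess_mbr(sector: bytes) -> dict:
    """Return a verdict plus reasons; 'wiped' means the MBR looks destroyed."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    reasons = []
    if sector[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        reasons.append("boot signature missing")
    entries = [parse_partition_entry(sector[PART_TABLE_OFFSET + 16 * i:
                                            PART_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    if not all(entry_consistent(e) for e in entries):
        reasons.append("partition table inconsistent")
    entropy = shannon_entropy(sector[:PART_TABLE_OFFSET])
    if entropy > ENTROPY_THRESHOLD:
        reasons.append(f"boot code entropy {entropy:.2f} looks random")
    return {"wiped": bool(reasons), "reasons": reasons, "entropy": entropy}


def assess_image(path: str) -> dict:
    """Run the check against sector 0 of a raw disk image or block device."""
    with open(path, "rb") as f:
        return assess_mbr(f.read(MBR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: a stub boot-code prefix and one NTFS-type partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (PART_TABLE_OFFSET - 8)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


def build_wiped_mbr(seed: int = 1234) -> bytes:
    """Constructed wiped MBR: the whole sector replaced by pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(MBR_SIZE))


if __name__ == "__main__":
    for label, sector in (("clean", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        print(label, assess_mbr(sector))
```

Run it against `dd if=/dev/sda bs=512 count=1` output or a forensic image with `assess_image(path)`. The entropy check is the useful one in practice: a wiper that happens to leave the signature intact, or one that writes a structured but garbage table, still fails it.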

Many of these operations are carried out by Iran’s Islamic Revolutionary Guard Corps (IRGC) [2] or by one of many state-sponsored APT groups such as Magic Hound [6]. Working through such groups gives Tehran a degree of deniability, since the activity can be attributed to ostensibly independent actors inside the country. One example is the VPN exploitation campaign described in CISA’s September 2020 alert [3], which centered on Pulse Secure virtual private network (VPN) appliances. The group, tracked as Pioneer Kitten or UNC757, performed reconnaissance with mass-scanning tools such as “Nmap, to identify open ports” [3]. Once listening services were found, the actors exploited known vulnerabilities in the VPN appliances, escalated privileges and established persistence on the compromised systems. The campaign aimed to exfiltrate data and monetize the access, to “serve the threat actor’s own financial interests” [3].
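From the target side, the recon step above is visible before the exploit is: an Nmap sweep shows up as one source touching many destination ports in a short window, and the exploitation attempt is the connection that same source is later allowed to make to the VPN port. The following detection logic is an added example, not from CISA’s alert or any vendor product. It runs over constructed firewall log lines in a format invented for the example; `203.0.113.7`, `192.0.2.10` and `198.51.100.5` are documentation addresses, and the thresholds (20 distinct ports in 60 seconds) are assumptions to tune per environment.

```python
"""Detection logic for the recon-then-exploit pattern described above.

Added example, not part of CISA's alert. It runs over constructed firewall
log lines (the format is invented for this example), flags any source that
touches many distinct destination ports within a short window, which is how
an Nmap sweep looks from the target side, and then lists the connections
that source was later allowed to make, where a responder would look for the
VPN exploitation attempt that followed the scan.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO ts> <allow|deny> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<action>allow|deny) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"]}


def detect_scanners(lines, min_ports: int = 20, window_seconds: int = 60) -> dict:
    """Map each scanning source to the time its alert fired.

    A source is flagged once it has hit at least min_ports distinct
    (dst, dport) pairs inside a sliding window of window_seconds.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        recent = deque()      # events inside the current window
        targets = Counter()   # (dst, dport) -> hits inside the window
        for e in evs:
            recent.append(e)
            targets[(e["dst"], e["dport"])] += 1
            while e["ts"] - recent[0]["ts"] > window:   # expire old events
                old = recent.popleft()
                key = (old["dst"], old["dport"])
                targets[key] -= 1
                if targets[key] == 0:
                    del targets[key]
            if len(targets) >= min_ports:
                alerts[src] = e["ts"]
                break
    return alerts


def allowed_after_scan(lines, alerts: dict) -> dict:
    """For each flagged source, the (ts, dst, dport) connections allowed after its alert."""
    hits = defaultdict(list)
    for e in (e for e in map(parse_line, lines) if e):
        fired = alerts.get(e["src"])
        if fired is not None and e["action"] == "allow" and e["ts"] >= fired:
            hits[e["src"]].append((e["ts"], e["dst"], e["dport"]))
    return dict(hits)


def build_sample_log() -> list:
    """Constructed sample: a 30-port sweep from 203.0.113.7 against the VPN
    gateway 198.51.100.5, an allowed hit on 443 two minutes later, and a
    benign user on 192.0.2.10 reconnecting to 443 once a minute."""
    base = datetime(2020, 7, 14, 2, 15, 0)
    lines = [f"{(base + timedelta(seconds=i)).strftime(TS_FMT)} deny "
             f"src=203.0.113.7 dst=198.51.100.5 dport={8000 + i} proto=tcp"
             for i in range(30)]
    lines.append(f"{(base + timedelta(minutes=2)).strftime(TS_FMT)} allow "
                 "src=203.0.113.7 dst=198.51.100.5 dport=443 proto=tcp")
    lines += [f"{(base + timedelta(minutes=i)).strftime(TS_FMT)} allow "
              f"src=192.0.2.10 dst=198.51.100.5 dport=443 proto=tcp"
              for i in range(5)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    found = detect_scanners(log)
    print("scanners:", found)
    print("post-scan allows:", allowed_after_scan(log, found))
```

The sliding window is what keeps this from firing on a busy but legitimate client: the benign user above touches the same port repeatedly and never accumulates distinct targets, while the scanner crosses the threshold on its twentieth port. The second function is the pivot a responder actually cares about, since a scan that is followed by an allowed session to the VPN gateway is where to start pulling appliance logs.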

Impact

By targeting critical infrastructure and SCADA systems, Iranian APT actors could disrupt facilities within the United States and cause damage comparable to the Shamoon attacks on Saudi Aramco and Qatari RasGas. Iran has also demonstrated that it can disrupt financial institutions in the United States, with “massive denial of service attacks” [5] from 2011 through 2013. Modern cyber defense operations and tactics have significantly blunted these capabilities, for now.

Significance

Iran’s cyber capabilities may not be the world’s greatest threat, but they are a force to watch because of their rapid development, especially with backing from Russia and China, two of the most significant threats to the United States government and the private sector. Having demonstrated that it can conduct advanced offensive attacks and cyber espionage, Iran warrants continued monitoring.

References

[1] Defense Intelligence Agency (August 2019). “Iran Military Power: Ensuring Regime Survival and Securing Regional Dominance.” dia.mil. Accessed November 2, 2021. https://www.dia.mil/Portals/110/Images/News/Military_Powers_Publications/Iran_Military_Power_LR.pdf.

[2] CISA. (n.d.). “Iran Cyber Threat Overview and Advisories.” us-cert.cisa.gov. Accessed November 2, 2021. https://us-cert.cisa.gov/iran.

[3] CISA. (September 15, 2020). “Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities.” us-cert.cisa.gov. Accessed November 2, 2021. https://us-cert.cisa.gov/ncas/alerts/aa20-259a.

[4] CISA. (July 20, 2021). “ICS Joint Security Awareness Report (JSAR-12-241-01B): Shamoon/DistTrack Malware (Update B).” us-cert.cisa.gov. Accessed November 2, 2021. https://us-cert.cisa.gov/ics/jsar/JSAR-12-241-01B.

[5] Lewis, James A. (June 25, 2019). “Iran and Cyber Power.” csis.org. Accessed November 2, 2021. https://www.csis.org/analysis/iran-and-cyber-power.

[6] ThaiCert. (n.d.). “Threat Group Cards: A Threat Actor Encyclopedia: APT group: Magic Hound, APT 35, Cobalt Gypsy, Charming Kitten.” thaicert.or.th. Accessed November 2, 2021. https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Magic%20Hound%2C%20APT%2035%2C%20Cobalt%20Gypsy%2C%20Charming%20Kitten.