On January 3, 2020, Iran’s Qassem Suleimani, head of the Islamic Revolutionary Guard Corps Quds Force (IRCG-QF) was killed by a US drone strike. Iran’s Supreme Leader Ali Khamenei declared that “harsh revenge” awaits those who led the strike against Suleimani. The military advisor to Khamenei stated that Iran’s response would “for sure be military” and directed against US military sites. It is hard to tell what the full nature of Iran’s response will be, history has shown they have an ability to surprise. However, we assess the most likely response will be state sponsored destructive cyber attacks done in a way that implies they were launched by Iran but still offer some level of ambiguity over source. We also assess increased attacks by hacktivist supporters of Iran.

A key reason for this assessment is our opinion that Iran is very likely hesitant to confront the US with direct military attacks. Their proxies may seek to escalate terror attacks, but this is different from direct military engagement.

Additional information on the Iranian Cyber Threat: 

The US Department of Home Security (DHS) on Saturday issued a rare National Terrorism Advisory System (NTAS) alert warning about possible Iranian terror and cyber campaigns in retaliation for the Suleimani strike.

The operational cyber forces of Iran have been exercised for years. A key entity in Iran responsible for cyber war is called “The Cyber Defense Command”, which stood up in 2010. It officially works under the country’s “Passive Civil Defense Organization” in the Iranian Armed Forces. The government is known to contract out many cyber attack functions including development of exploits and sometimes operational attacks.

One of their most famous and costly cyber attacks was the 2012 devastating cyber attacks against Saudi Aramco, which destroyed over 60,000 computers and other equipment. Their forces have grown even more capable since then.

Some famous cyber attacks believed to be run by Iran include:

• 2012: Saudi Aramco attacks by Shamoon variants which destroyed data, networks and endpoints.
• 2012: Believed to have been behind attacks on US Banks
• 2013: DoJ levies charges against seven Iranians for cyber attack against banks and a dam in New York.
• August 2014: An IDF official told press in that Iran has launched numerous significant attacks against Israel’s Internet infrastructure.
• March 2015: Iranian hackers, possibly Iranian Cyber Army pushed a massive power outage for 12 hours in 44 of 81 provinces of Turkey, holding 40 million people. Istanbul and Ankara were among the places suffering blackout.
• June 2017: The Daily Telegraph reported that intelligence officials concluded that Iran was responsible for a cyberattack on the British Parliament lasting 12 hours that compromised around 90 email accounts of MPs. The motive for the attack is unknown but experts suggested that the Islamic Revolutionary Guard Corps could be using cyberwarfare to undermine the Iran nuclear deal.
• November 2017, Iranian national Behzad Mesri was charged with hacking HBO’s corporate systems, stealing intellectual property and proprietary data, to include scripts and plot summaries for unaired episodes. Mesri had previously hacked computer systems for the Iranian military and has been a member of an Iran-based hacking group called the Turk Black Hat security team.
• March 2018, nine Iranian hackers associated with the Mabna Institute were charged with stealing intellectual property from more than 144 U.S. universities which spent approximately $3.4 billion to procure and access the data. The data was stolen at the behest of Iran’s Islamic Revolutionary Guard Corps and used to benefit the government of Iran and other Iranian customers, including Iranian universities. Mabna Institute actors also targeted and compromised 36 U.S. businesses.
• Fall 2018, Malware designed to target and sabotage industrial control systems (ICS) detected throughout Saudi infrastructure.
• Nov 2019, reports indicate Iranian hacking group APT33 is laying groundwork for ICS and SCADA attacks including in the US. Microsoft research indicated a wide range of organizations targeted beyond just traditional ICS users, but also manufactures.

There are also pro-Iranian supporters that have hacking skills that may operate outside of government control. They are less capable but could execute attacks that put nation’s on escalatory paths. Hackers could draw the US and Iran into a larger cyber war and that could turn into a kinetic war. This is a slippery slope. This type of pro-Iranian hacker is probably the cause of the attack against a misconfigured US government server on 4 Jan 2020 which posted claimed to be part of a coming campaign.

We should also note that there have been documented cases of Russian state-sponsored groups hijacking and using Iranian cyber infrastructure for their attacks. This type of activity adds to the complexity of cyber attacks and can lead to mis characterization and mis attribution of attacks. It is not clear if an attack coming from Iranian instructor is coming from Iran or Russia.

Iranian cyber war groups have skills in espionage and attack. And have been known to use cyber espionage to position themselves for further exploitation and attack. They are known for using a combination of commonly available tools and custom developed code. They also have the skills required to operate as teams where multiple experts are continuously operating to take advantage of situations in dynamic environments. Historically some tactics are favored over others, but the biggest point here is the teams have the skills to alter tactics.

There are actions that all organizations can take to reduce the risk of loss during coming cyber attacks. They include:

• Use multi-factor authentication
• Backup all systems as a hedge against destructive malware
• Configure DNS settings to take advantage of DNS firewall capabilities
• Increase collaboration with trust-based security groups like ISACs for your sector
• Ensure systems are patched
• Put in place backup communications systems
• Ensure good communication with suppliers and partners and put motivation measures in place for any supplier who is under attack to minimize business disruption
• Ensure you have a well thought out and tested deception policy

For more defensive measures see:

• OODA Special Report on Best Practices for Agile Cybersecurity.
• OODA Research Report: What Business Needs To Know About Security In Space
• A Traveling Executive’s Guide to Cybersecurity
• Deception Needs to be an Essential Element of Your Cyber Defense Strategy

And for more on the Iranian Threat see:

• OODA Research Report: The Iranian Threat