Iran's Deadly Ambition (22 page)

DEFENSE, AND OFFENSE

If Stuxnet woke officials in Tehran up to the fact that the West was attempting to compromise its nuclear effort, subsequent attacks on Iranian nuclear facilities and infrastructure convinced them that cyber war had the potential to be—in the words of one top leader of Iran’s Revolutionary Guard Corps—“more dangerous than a physical war.”
¹¹
Their alarm was warranted. To date, at least five distinct foreign-origin cyber worms targeting the Iranian nuclear program have been identified and isolated. These include Stars, a software script targeting execution files; Duqu, a successor to Stuxnet
aimed at gaining remote access to Iran’s nuclear systems; Wiper, another piece of malware, which attacked internal Internet communications within the Islamic Republic; and, most recent, Flame, a cyber espionage virus developed by the United States and Israel and designed to map Iran’s nuclear network.
¹²
Additionally, in July 2012, Iran was attacked by an indigenous cyber worm named Mahdi, suggesting the regime faces an internal cyber threat as well as an external one.

Iran mobilized in response. In July 2011, it formally launched an ambitious $1 billion governmental program to boost national cyber capabilities via the acquisition of new technologies, new investments in cyber defense, and a new cadre of cyber experts.
¹³
In tandem, it formed new, dedicated domestic agencies tasked with administering cyberspace. A cyber police unit had been established by the country’s Ministry of Interior in 2009, in the aftermath of the Green Revolution. This was supplemented by the creation of a dedicated Cyber Defense Command in the Iranian military, as well as a Cyberspace Council within the Basij, the country’s repressive domestic militia.
¹⁴

Simultaneously, the Iranian government mobilized a cyber army of activists. While nominally independent, these patriotic hackers (also known as “hacktivists”) have carried out a series of attacks on sites and entities out of favor with the Iranian regime, including the social-networking site Twitter, the Chinese search engine Baidu, and the websites of Iranian reformist elements.
¹⁵
Perhaps the most notorious hacker collective is Ashiyane
,
a political-criminal group identified by experts as being closely aligned with the IRGC.
¹⁶

The U.S. intelligence community noted these developments when, in his January 2012 testimony before the Senate, Director of National Intelligence James Clapper stressed that Iran’s cyber capabilities “have dramatically increased in
recent years in depth and complexity.”
¹⁷
Iranian officials now claim to possess the fourth-largest cyber force in the world—a broad network of quasi-official elements, as well as regime-aligned hacktivists, that engage in cyber activities broadly consistent with the Islamic Republic’s interests and views.
¹⁸
The Intelligence Unit of the IRGC allegedly oversees the activities of this cyber army.
¹⁹

Iran’s moves weren’t simply defensive, however. Increasingly, the Iranian regime puts its burgeoning cyber capabilities to use against Western and Western-aligned targets. Between September 2012 and January 2013, a group of hackers known as the Izz ad-Din al-Qassam Cyber Fighters carried out multiple distributed denial-of-service (DDoS) attacks against a number of U.S. financial institutions, including Bank of America, JPMorgan Chase, and Citigroup. Due to the sophistication of the attacks, U.S. officials have linked them definitively to the Iranian government.
²⁰

A similar attack attributed to the Iranian regime took place in August 2012, when a virus called Shamoon targeted three-quarters of the computers of Saudi Arabia’s state oil corporation, Saudi Aramco. The malicious software triggered a program that replaced Aramco’s corporate data with a picture of a burning American flag at a predetermined time.
²¹

The Iranian regime has also distributed cyber capabilities to strategic partners. Iran reportedly provided the regime of Syrian dictator Bashar al-Assad, now locked in a protracted war against his own people, with crucial equipment and technical assistance for carrying out Internet surveillance.
²²
This has helped the Assad regime to more effectively target and neutralize elements of the Syrian opposition.

But it is the United States that was, and remains, Iran’s ultimate target. In late July 2011,
Kayhan
, a hard-line newspaper affiliated with Iran’s Revolutionary Guards, issued a thinly veiled warning to that effect when it wrote in an editorial
that America, which once saw cyber warfare as its “exclusive capability,” had severely underestimated the resilience of the Islamic Republic. The paper went on to suggest that the United States should worry about “an unknown player somewhere in the world” attacking “a section of its critical infrastructure.”
²³

This is not idle bluster; security professionals have taken note of Iranian efforts to probe segments of the United States’ critical infrastructure, most notably the country’s electrical sector.
²⁴
Along those lines, cyber security experts have warned that, should a standoff over Iran’s nuclear program precipitate a military conflict, Iran “might try to retaliate by attacking U.S. infrastructure such as the power grid, trains, airlines, refineries.”
²⁵

This warning has proven prescient. In May 2013, U.S. officials discovered Iranian-backed hackers had conducted cyber attacks against various American energy companies. Specifically, the attacks infiltrated the control system software used by these firms, granting the hackers control over oil and gas pipelines. Although Iran has denied any involvement in the intrusions, U.S. intelligence sources are convinced that they were carried out with the backing of the Iranian government.
²⁶

The scope of Iran’s offensive was outlined in detail in December 2014 by California-based cyber security firm Cylance.
²⁷
“Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States,” the group’s eighty-six-page study said. Targets of Iranian cyber attack identified by Cylance include oil and gas firms in Kuwait, Turkey, Qatar, and France; aviation hubs in
South Korea and Pakistan; energy and utility companies in the United States and Canada; and government agencies in the United States, United Arab Emirates, and Qatar.

Moreover, the study warns, this may represent merely the tip of the iceberg. Iran’s cyber capabilities, after all, are evolving rapidly, and the activities identified to date might be just a fraction of the Islamic Republic’s total online presence. “As Iran’s cyber warfare capabilities continue to morph . . . the probability of an attack that could impact the physical world at a national or global level is rapidly increasing,” the study concludes.

For the moment, however, Iran’s cyber war against the West has receded from the headlines. Experts and observers note that cyber attacks on Western targets by the Iranian regime have decreased in frequency since the start of nuclear negotiations with the P5+1 powers in November 2013.
²⁸
The reprieve is understandable, insofar as Iran is currently obtaining significant benefits from its diplomatic engagement with the United States and its allies. But it is also potentially fleeting; in the event of a breakdown of the current talks, the world could see a further escalation of the crisis, potentially including the use of force against Iran by one or more nations. Should that happen, cyber war with Iran might become a distinct possibility.

Iran, at least, certainly believes it could. In February 2014, Supreme Leader Ayatollah Ali Khamenei issued a special message to the country’s university students, in which he urged them specifically to prepare for cyber war with the West. “You are the cyber-war agents,” Khamenei’s message said, “get yourselves ready for such war wholeheartedly.” The target of such a conflict, if or when it does take place, is abundantly clear: according to Khamenei, it is “the Dominance Power,” a common Iranian euphemism for the United States.
²⁹

In the meantime, Iran’s cyber capabilities are steadily expanding
in both scope and sophistication. In October 2013, Iranian government-linked hackers penetrated unclassified computers belonging to the U.S. Navy, gaining access to its unclassified network and, potentially, to e-mail and secure communications that it hosted.
³⁰
Subsequently, in May 2014, the cyber-intelligence firm iSIGHT Partners uncovered a complex Iranian phishing scheme dubbed Newscaster that was designed to compromise political individuals of interest through the use of social media.
³¹
The same month, an Iranian hacking group known as Ajax Security Team was identified as targeting U.S. defense firms in a detailed cyber-espionage campaign that utilized malicious software to gain access to target computers.
³²
A recent Israeli assessment of these activities concluded that “Iran has cultivated long term cyber-related strategic objectives in recent years and . . . is becoming one of the most active players in the international cyber warfare arena.”
³³

But Iran’s cyber activities are not simply directed abroad. As important, if not more so, is the domestic campaign now being waged in cyberspace by the Islamic Republic. It represents a concerted, systematic effort to insulate its captive population from the Internet—and the world.

IRAN VERSUS THE WORLD WIDE WEB

In his March 2012 message to the Iranian people marking the Persian New Year, President Obama alluded to the Iranian regime’s mounting domestic cyber offensive when he noted that an “electronic curtain has fallen around Iran.”
³⁴
“The Iranian people are denied the basic freedom to access the information that they want,” the president said, because of “a barrier that stops the free flow of information and ideas into the country, and denies the rest of the world the benefit of interacting with the Iranian people, who have so much to offer.”
³⁵

President Obama’s description was apt. In a very real sense, the Iranian regime is erecting a digital barrier aimed at isolating its population from the World Wide Web, quelling domestic dissent, and curtailing the ability of its opponents to organize.

These efforts can be traced back to the summer of 2009, when the fraudulent reelection of Mahmoud Ahmadinejad to the Iranian presidency catalyzed a sustained groundswell of domestic opposition that became the Green Movement. From the start, Iran’s various opposition elements relied extensively on the Internet and social-networking tools to organize their efforts, communicate their messages to the outside world, and rally public opinion to their side. The Iranian regime, in turn, utilized information and communication technologies extensively in its suppression of the protests. And ever since, it has invested heavily in capabilities aimed at controlling the Internet and restricting the ability of its citizens to access the World Wide Web.
³⁶

The Arab Spring has only reinforced this focus. Whatever their public pronouncements, officials in Tehran understand that the antiregime sentiment prevalent in the region represents a mortal threat to their corrupt, unrepresentative rule. As a result, the Iranian regime has quickened its long-running campaign against Western influence within the Islamic Republic, with cyberspace as a primary target. They have done so in a number of ways.

A Second Internet.
Far and away the most ambitious effort by the Iranian regime to control cyberspace is its attempt to create a national intranet, a substitute for the global Internet. Originally slated to go online in August 2012, this “halal internet,” or “second internet,” represents a more sophisticated alternative to filtering systems, such as China’s Great Firewall. While those simply deny users access to proscribed sites, Iran’s web
will reroute them to regime-approved search results, websites, and online content. By doing so, it will effectively sever Iran’s connection to the World Wide Web and give Iranian authorities the power to create an Islamic Republic–compliant online reality for their citizens.

For the moment, Iran’s halal internet remains something of a work in progress. As of October 2012, some 10,000 computers—in both private and government use—were found to be connected to this second internet.
³⁷
Today, that figure is believed to be considerably higher, although still far from comprehensive. Nevertheless, the project is unmistakably moving forward. Experts now project that Iran’s national intranet could come online by 2016.
³⁸
And even before it does, its impact is already being felt. For example, in December 2012, regime authorities launched Mehr, a homegrown alternative to YouTube that features government-approved video content designed specifically for domestic audiences.
³⁹
And in July 2013, the Iranian government activated an indigenous e-mail service intended to serve as a substitute for Gmail, Hotmail, and Yahoo. This new feature isn’t simply a benign e-mail client, however; it requires citizens to provide their names, national ID number, address, and other vital information, facilitating regime efforts to carry out surveillance on its citizenry and monitor their online behavior.
⁴⁰

Content Filtering.
Simultaneously, Iran has launched a heavy-handed campaign aimed at filtering out and denying access to “immoral” content on the Internet. An August 2013 study conducted by the University of Michigan described this censorship as both extensive and ambitious, extending to large amounts of content related to both pornography and politics, as well as art, society, and current events.
⁴¹
Indeed, nearly half of the world’s top-500, most-visited websites are blocked in Iran.
⁴²
And that number may soon grow: Iran’s Supreme
Council of Cyberspace has recommended that all websites should be registered with the country’s Ministry of Culture and Islamic Guidance, although such a step has not yet been taken.
⁴³