WASHINGTON - The Iranian government is increasing the frequency and sophistication of its hacking attacks targeting the U.S. and its allies, according to a study released on Friday.
The study, “The Growing Cyber Threat From Iran,” was co-authored by the American Enterprise Institute and the Norse Corporation, a cyber-security firm.
It tracked specific cyber-attacks and Iranian efforts to probe for Internet insecurities using an international collection of web-based sensors.
The authors conclude that the risk to the U.S. posed by Iranian hacking is serious, and may only grow under the proposed framework for a nuclear deal with Tehran.
While many of the hacks were launched from websites associated with Iranian universities or government agencies, a surprising number of attacks came from servers located throughout the West, including the U.S., the study’s authors said.
“There’s a very, very extensive Iranian cyber-footprint not only in Iran but also in Western infrastructure that the Iranians are renting or in some cases own,” said report co-author Frederick Kagan, the director of the Critical Threats Project at AEI.
“We detected a very unusual amount of attacks from a server in Ohio, for example, that is hosting the website for one of the Lebanese Hezbollah TV stations which has been sanctioned by the U.S. Treasury,” he said. “It’s also hosting servers for one of the premier Iranian hacking collectives which has been associated with the Iranian Republican Guard.”
U.S. government officials have generally been silent on Iranian hacking, preferring instead to criticize Tehran for its strict control and censorship of the web.
However, in 2013 U.S. officials did accuse Iran of hacking an unclassified U.S. Navy computer system while U.S. ships were in the Persian Gulf, a charge Tehran denied.
Iranian leaders have long been suspicious of the web and viewed it chiefly as a means to wage “soft war” with perceived enemies.
As recently as 2014, Iranian Armed Forces Brigadier General Masoud Jazayeri called the Internet “a weapon”, adding in a news conference “amid the soft war, all the society’s strata, including the youths, university students and professors, should strive to confront the enemies’ threats and thwart their plots.”
“Soft war” is a term used by Supreme Leader Khamenei to wage combat using non-kinetic means such as the Internet.
While the authors said China and Russia remain the primary hacking threats to the U.S., Kagan says Iran in just the last year has significantly increased its capabilities to launch technically complex attacks targeting U.S. government or private corporate interests.
The incidents include the 2014 attack targeting the Sands Casino corporation that stole confidential data and erased hard drives.
Hack attacks from Iran have traditionally employed fairly basic techniques such as denial-of-service attacks, or the defacing of web-pages – hacks that can be annoying but are relatively harmless, experts say.
But Kagan says his study points to a rapid ramping up of sophistication of the attacks.
“What we’re seeing is a very worrisome increase in the capability and the frequency that they’re conducting very sophisticated attacks to penetrate and take control of systems where the objective is definitely not denial of service, and likely not just defacement,” he said.
The study employed an international network made up of millions of “sensors” operated by the Norse Corporation.
Each sensor is designed to look like a legitimate but insecure web address that would prove a tempting target for hackers. The sensors, however, would secretly record exactly what a hacker was doing and looking for, and where the Internet traffic was coming from.
Iran has one of the most heavily monitored and censored Internets in the world strongly suggests many of the attacks coming from Iran have the backing of the government, Kagan said.
“The fact that it’s coming off this highly regulated Internet – off of systems we believe the Iranian regime looks at closely and trusts – leads us to conclude fairly confidently who’s behind these attacks,” he said.
Some of Iran’s skills at time have backfired, analysts say, and led to home grown hacking attacks - most notably from the Stuxnet virus that destroyed some Iranian computers and centrifuges.
One 2013 U.S. National Security Agency report, leaked by Edward Snowden, warned that Iranian engineers may be reverse-engineering highly sophisticated digital viruses like Stuxnet or Flame to learn exactly how they work.
Kagan said reverse-engineering may have played a role in Iran’s increased hacking, but said the primary cyber-threat to the U.S is posed by the Iranian government’s view of the United States as an existential enemy with which it is at war.
The report says that as the U.S. and the West consider easing sanctions against Tehran as a result of negotiations to limit Iran’s nuclear ambitions, Iran’s online capabilities may expand.
"The lifting of sanctions as a result of the recently announced framework for a nuclear deal with Iran will dramatically increase the resources Iran can put toward expanding its cyberattack infrastructure," the report said. "We must anticipate that the Iranian cyberthreat may well begin to grow much more rapidly.
“This isn’t just normal state-to-state relations, or probing of vulnerabilities. The regime defines itself toward us in a very, very hostile way,” Kagan said. “That makes it likely they would want to use the Internet to commit acts of cyber-war on us.”