We Talked to Experts About Iran's Cyberwar Capabilities

When Iran’s Supreme Leader Ayatollah Ali Khamenei warns “harsh retaliation is waiting” for the U.S. after the assassination of its most powerful general, you can expect a mixed bag of vengeance.

For decades General Qassem Soleimani, leader of the elite Quds Force and a commander in the Iranian military branch of the Islamic Revolutionary Guard Corps (IRGC), revolutionized the covert warfare strategies of Iran by orchestrating proxy conflicts across the Middle East. During his time as the top military and intelligence figure in Iran, the country also oversaw a major increase in its cyber capabilities.

While no one knows what comes next, Iran is likely capable of bombings, missile strikes, and mobilizing its military proxies across the region. And recent history shows that its hackers are also increasingly capable of cyber attacks.

It’s widely believed that the American-Israeli Stuxnet operation that covertly knocked out Iran’s nuclear program in 2009 was a serious wake-up call for Tehran to invest in its hacker force. Since then, the country has slowly shown through its own investments that it is a middling-yet-formidable cyber power with the tools to do real damage.

Like any nation state with decent hackers, Iran uses its varying cyber capabilities for everything from critical infrastructure hacking and stealing intellectual property to classic espionage.

Robert Lee, a former NSA analyst and founder of critical infrastructure intelligence company Dragos, said that while Iran isn’t the most powerful cyber power, it shouldn’t be underestimated.

“Iran has been steadily growing their cyber capabilities over the years and while they may not be as capable as some they have shown a desire and willingness to be aggressive and disruptive,” he told Motherboard.

In what’s believed to be one of Iran’s first major cyber attacks, in 2012 its hackers knocked out more than 30,000 computers of what is now the most valuable business in the world, the Saudi state oil company Saudi Aramco, preventing it from exporting its crude in one of the costliest hacks ever at the time.

The Saudi Aramco operation used data-wiping malware known as "Shamoon" that targeted the administrative computers of the company, not the industrial control systems used in oil production machinery; the latter would have been a more elaborate and sophisticated attack. But a recent Wired report shows Iranian hackers are increasingly focusing their attacks on critical infrastructure and the physical systems controlling things like oil refineries and electric utilities.

Stateside, an operation from 2011 to 2013 by alleged Iranian hackers caused millions in lost profits after they targeted American banks with repeated distributed-denial-of-service attacks, then hacked into a tiny dam in upstate New York (but weren’t able to compromise it), garnering a slew of indictments in 2016 against IRGC operatives based in Iran.

Then, in the summer of 2018 physical explosions were nearly caused at a petrochemical plant in Saudi Arabia, which was originally thought to be an Iranian hacking operation against its regional enemy, but was later attributed to Russia with possible Iranian input. And in October, alleged Russian government hackers were accused of hijacking Iranian hacking groups to cloak their identities from being detected. Given that hacking operations are already difficult to attribute and ongoing fears of Russian hacking in the US—some founded, others not—Russia's potential use of Iranian hacking infrastructure is alarming to Priscilla Moriuchi, Director of Strategic Threat Development at the private intelligence firm Recorded Future.

“The recent documented instances of Russian state-sponsored groups hijacking and utilizing Iranian infrastructure for cyber operations will also likely cause increased uncertainty and possibly confusion for victims,” she said to Motherboard in a statement. (Recorded Future was once funded by the CIA, so as with everything hacking-related, take finger-pointing with a grain of salt.) “It is less clear today that operations utilizing known and tracked Iranian cyber infrastructure are actually being run and directed by the Iranian government.”

Lee thinks critical infrastructure companies should be vigilant considering the United States's massive escalation in killing Soleimani.

“Companies should be proactively looking for the tradecraft exhibited by such groups before and be in a heightened sense of security but not overly alarmed,” he said. “No one knows what will happen next and it’s important to be prepared but not freaking out. If companies haven’t made investments to date their best bet is starting with an incident response plan and thinking through future efforts.”

On the espionage side, Iranian hackers have been linked to stealing the intellectual property and data of universities within the U.S. and its allies, which led to the Department of Justice indicting nine Iranian hackers linked to the IRGC in 2018. Shortly after that, President Trump pulled out of the Iran Nuclear Deal, causing a slew of activity emanating from Iranian hackers targeting everyone from American nuclear workers to politicians linked to negotiations between both countries as Tehran scrambled to learn more about the dissolution of the treaty.

Stephanie Carvin, assistant professor of international affairs at Carleton University and a former analyst for Canada’s spy agency, said Iran has been “alarmingly ambitious in developing its malicious cyber capabilities.”

“Closer to home we have seen that Iran has infiltrated Western critical infrastructure, including banks, dams, and universities,” she said. "A major worry for western governments is that these could be potential targets in any retaliatory operation.”