The Invisible U.S.-Iran Cyber War

October 25, 2019

By Andrew Hanna

By 2019, tensions between the United States and Iran increasingly played out in the invisible arena of cyberspace. Both governments acknowledged that cyberattacks were central to their strategies. The full scope was unknown, but cyberspace had turned into a near-unrestricted war zone. Cyber operations offered an alternative to kinetic military action, which could escalate into full-scale war, an outcome both Washington and Tehran sought to avoid.

Warfield Air National Guard Base

U.S. cyberwarfare specialists training at the Warfield Air National Guard Base in Maryland 

Sustained U.S. cyber activities against Iran are widely traced to a covert campaign code-named Operation Olympic Games. Started in 2006 under the Bush administration, the program targeted Iran’s nuclear capabilities. President Obama expanded Olympic Games to include the use of offensive cyber weapons against Iran’s nuclear enrichment facilities. In 2010, the Stuxnet worm, widely attributed to the United States and Israel, seriously damaged centrifuges at the Natanz uranium enrichment facility.

In June 2019, the Trump administration retaliated for Iran’s downing of a U.S. drone with a cyberattack on a Revolutionary Guard (IRGC) database used to plan attacks on tankers. The United States struck again in September 2019 after Iran allegedly launched drones and cruise missiles at two Saudi oil facilities. Iran, in turn, has ramped up its efforts to penetrate U.S. “soft” targets, particularly the email accounts of officials, journalists and political campaigns.

Iranian cyberattacks against the United States date back to 2009, when the so-called “Iranian Cyber Army” defaced Twitter’s homepage in response to the Green Revolution protests over alleged fraud in the reelection of President Mahmoud Ahmadinejad. 

Iranian Cyber Army Twitter Page

Screenshot of the Twitter homepage in December 2009 

 

Iranian cyber activities against the U.S.

Since 2009, Iran’s cyber capabilities have grown in sophistication and scope. Iran has primarily targeted the private sector rather than U.S. government systems. In September 2012, Iranian hackers directed a Distributed Denial of Service (DDoS) attack against U.S. banks. The campaign, nicknamed Operation Ababil, blocked access to the websites of major financial institutions by overwhelming their servers with web traffic. The attacks cost Western firms millions of dollars, according to a 2016 Department of Justice indictment.

Tehran appeared to accelerate its cyber operations against the U.S. government and its regional partners after the election of President Donald Trump. In August 2017, a cyberattack on a Saudi petrochemical plant nearly triggered an explosion; some analysts initially tied the operation to Iran, although later research attributed the attack tooling to a Russian state-owned research institute. In December 2018, the Department of Justice indicted two Iranian nationals for the SamSam ransomware attack that had crippled Atlanta’s city government in March of that year; the indictment treated the pair as criminals acting for profit rather than on behalf of the Iranian state. The attack locked the files of 8,000 municipal employees and took local government operations offline for nearly a week.

These attacks have coincided with increased Iranian online espionage. In May 2018, the cybersecurity firm CrowdStrike warned its clients about a “notable” increase in Iranian phishing activity the day after President Trump’s withdrawal from the JCPOA nuclear deal. In March 2019, ahead of Israel’s April election, Benny Gantz, leader of the Blue and White party, was reported to have had his phone hacked by Iranian intelligence. In October 2019, Microsoft warned that an Iranian government-linked hacker group had tried to breach email accounts associated with journalists, current and former U.S. government officials and a U.S. presidential campaign.

 

U.S. cyber activities against Iran

 

Fleet Operations Center at U.S. Fleet Cyber Command

U.S. sailors at the Fleet Operations Center at U.S. Fleet Cyber Command 

 

Since 2006, the United States has ramped up offensive cyber operations against Iranian government computer systems. The most famous was the unleashing of the Stuxnet worm on Natanz, which damaged nearly 1,000 centrifuges and, by Iran’s own account, infected 30,000 computers. Iran was forced to take tens of thousands of computers offline. Other malware reportedly linked to Operation Olympic Games, including the Flame espionage toolkit and the data-destroying Wiper, targeted Iran’s oil infrastructure.

The Trump administration accelerated cyber operations in response to Iranian attacks in the Persian Gulf. In June 2019, the United States conducted a cyberattack on Iran after it downed a U.S. drone near the Strait of Hormuz. The attack wiped clean an IRGC database used to plan attacks against tankers in the Persian Gulf. NetBlocks, an internet monitoring organization, also reported widespread internet disruption in Iran in the days after the drone shootdown.

In September 2019, the United States carried out a cyberattack against unspecified Iranian “physical hardware”, equipment used to disseminate propaganda, after Iran’s attacks on two Saudi oil facilities. The unusual U.S. confirmation of the operation in October suggested the goal was to deter Iran without resorting to kinetic strikes.

 

Known Iranian Hacker Groups

Izz ad-Din al-Qassam Cyber Fighters – This group claimed responsibility for the DDoS attacks against U.S. financial institutions that began in September 2012. The same month, Sen. Joe Lieberman claimed that the group was connected to the IRGC’s elite Qods Force. In March 2016, the Department of Justice indicted seven Iranians, alleging that they carried out the attacks on behalf of the Iranian government and the IRGC.

APT33 (aka Elfin, Refined Kitten, Holmium) – This group has carried out cyber espionage against aviation, military and energy targets in the United States, Saudi Arabia and South Korea. The cybersecurity firm FireEye linked APT33 to the Iranian government; Symantec and Microsoft track the same activity as Elfin and Holmium, respectively.

Phosphorus (aka APT35, Charming Kitten, Ajax Security) – This group attempted in 2019 to breach email accounts associated with the Trump re-election campaign, as well as accounts of U.S. government officials, journalists and Iranians living outside Iran. Microsoft, which uses the name Phosphorus, linked the group to the Iranian government.

OilRig (aka APT34) – This group focused on targets outside Iran, including private industry. Iranian hackers are also blamed for the February 2014 attack on Sheldon Adelson’s Las Vegas Sands Corporation, although that intrusion has not been firmly tied to OilRig in public reporting. The group was, in turn, hijacked by Turla, a group associated with Russia’s FSB. The Russians used OilRig’s compromised tools and command-and-control infrastructure to hack targets in the Middle East and the United Kingdom, according to U.S. and British officials in October 2019.

Iranian Dark Coders Team – This hacking collective focused primarily on cyber-vandalism. It defaced American and Israeli websites with pro-Hezbollah and pro-Iran propaganda in 2012. The group has not been tied to the Iranian government and may consist of freelancers or criminal elements.

 

Timeline of U.S.-Iran Cyberattacks

December 18, 2009 – Twitter’s homepage was hacked and defaced by a group claiming to be the “Iranian Cyber Army” in response to the Green Revolution protests.

July 2010 – The Stuxnet worm was publicly identified by a Belarusian computer security company. Subsequent technical analysis showed the malware was built to target industrial control systems of the kind used in Iranian nuclear facilities.

September 25, 2010 – Iran’s Atomic Energy Organization said it was fighting malware that targeted its nuclear facilities. An Iranian official said 30,000 computers had been infected by Stuxnet.

April 25, 2011 – Iran’s cyber defense agency said it had discovered a virus nicknamed “Stars” that was designed to infiltrate and damage its nuclear facilities.

April 23, 2012 – Cyberattacks forced Iran to take several oil terminals offline. The malware, nicknamed “Wiper,” spread through the Iranian Oil Ministry and the National Iranian Oil Company.

May 9, 2012 – Iran acknowledged that a virus dubbed “Flame” had infected government computers and was capable of stealing data.

June 19, 2012 – Western officials told The Washington Post that the United States and Israel had deployed the Flame virus to collect intelligence on Iranian computer networks in order to prepare for a cyberwarfare campaign.

July 2012 – Iranian hackers targeted Israeli government officials with a cyber espionage tool nicknamed Madi. The malware logged keystrokes, recorded audio, and stole documents.

August 2012 – The Shamoon virus erased three-quarters of all corporate computers owned by Saudi Aramco and replaced the data with an image of a burning American flag. U.S. officials blamed Iran for the cyberattack.

September 11, 2012 – A group calling itself the Izz ad-Din al-Qassam Cyber Fighters directed DDoS attacks against the websites of U.S. banks in a cyber campaign named Operation Ababil.

October 12, 2012 – U.S. officials blamed Iranian hackers with ties to the government for attacks against U.S. banks and Saudi oil facilities.

January 8, 2013 – U.S. officials blamed Iran for the Operation Ababil banking cyberattacks.

September 27, 2013 – Iranian hackers compromised unclassified U.S. Navy computers in the midst of talks over Iran’s nuclear program.

February 2014 – Iranian hackers targeted Sheldon Adelson’s Las Vegas Sands Corp. The attack shut down communications systems and wiped hard drives clean.

November 2015 – IRGC hackers targeted State Department and other Obama administration officials.

March 24, 2016 – The Department of Justice indicted seven Iranian hackers for cyberattacks against U.S. banks and a New York dam. It alleged that the hackers worked on behalf of the Iranian government and the IRGC.

November 11, 2016 – The Shamoon virus resurfaced in Saudi Arabia, according to Symantec.

January 2017 – An updated Shamoon virus targeted Saudi government computer systems at petrochemical plants.

August 2017 – A failed cyberattack attempted to trigger an explosion at a Saudi petrochemical company.

March 22, 2018 – A ransomware attack known as SamSam crippled Atlanta’s city government.

May 9, 2018 – Cybersecurity firm CrowdStrike warned about a “notable” increase in Iranian cyberactivity within 24 hours of the Trump administration’s withdrawal from the JCPOA.

July 20, 2018 – U.S. senior officials warned Iran had prepared for extensive cyberattacks against the United States and European infrastructure.

October 28, 2018 – The head of Iran’s civil defense agency claimed it had neutralized a “new generation of Stuxnet” attempting to enter the country’s communications infrastructure. Iranian officials blamed Israel for the attack.

December 5, 2018 – The Department of Justice indicted two Iranian nationals for the SamSam ransomware attack against the city of Atlanta.

January 2019 – Cybersecurity firm FireEye detailed a two-year campaign by Iran to steal login credentials and business details in the Middle East, Europe and North America.

March 6, 2019 – Microsoft said Iranian cyberattacks had targeted over 200 companies in the past two years.

April 2019 – A hack against Iranian data centers left a U.S. flag on Iranian computer screens along with a message not to interfere with American elections.

June 17, 2019 – Tehran claimed it dismantled a CIA-run cyber espionage network in Iran.

June 20, 2019 – The United States conducted a cyberattack after Iran’s attacks against oil tankers in the Strait of Hormuz and downing of a U.S. drone. U.S. officials later told The New York Times that the attacks wiped clean an IRGC database used to plan the tanker attacks.

June 22, 2019 – The Department of Homeland Security said Iran had increased its “malicious cyber activity” against U.S. government agencies and private industry.

June 26, 2019 – Netblocks reported widespread internet disruption in Iran.

July 17, 2019 – Microsoft said nearly 10,000 customers had been targeted by state-sponsored cyberattacks from Iran, Russia and North Korea over the preceding year.

September 2019 – The United States conducted a cyberattack against Iran in retaliation for a drone and missile attack against Saudi oil facilities. U.S. officials told Reuters the operation targeted physical hardware related to Iran’s ability to disseminate propaganda.

October 4, 2019 – Microsoft said that the Iranian hacker group Phosphorus had tried to breach accounts associated with a U.S. presidential campaign, as well as accounts of current and former U.S. officials and journalists. The accounts connected with President Trump’s re-election campaign were not compromised.

October 22, 2019 – Court documents revealed that the FBI had tracked Iranian hackers who breached American satellite technology companies.

 

Andrew Hanna, a research assistant at the U.S. Institute of Peace, assembled this report. 

Photo Credit: Air Force photo by J.M. Eddins Jr. via Department of Defense
Photo Credit: This Web Site Has Been Hacked By Iranian Cyber Army via Flickr (CC BY 2.0)
Photo Credit: U.S. Navy photo by Samuel Souvannason via Department of the Navy