On September 25, the State Department's Iran Action Group released a report detailing Iran’s support of terrorism, missile program, illicit financial activities, threat to maritime security, threat to cybersecurity, human rights abuses, and exploitation of the environment. “Today, the United States is publishing a full record of the Islamic Republic’s hostile behavior abroad and its repression at home beyond the continued threat of the nuclear program,” wrote Secretary of State Pompeo in the report’s introduction. “It is important for the world to understand the scope of the regime’s recklessness and malfeasance.” The following is the section on cybersecurity.
Chapter Five: Iran’s Threat to Cybersecurity
Introduction
The Islamic Republic is a leading threat actor in cyberspace, using cyberespionage, propaganda, and attacks to influence events, shape foreign perceptions, and counter perceived threats. Iranian cyber activity undermines international norms and security interests and regularly threatens access to open, interoperable, reliable, and secure Internet communications. Similar to the regime’s support for proxies, the Islamic Republic prioritizes plausible deniability for its malicious cyber activities, making attribution difficult in many cases. However, there is mounting evidence that the regime has continued its malign activity in cyberspace.
FOREIGN OPERATIONS
The Islamic Republic has developed its cyber capabilities with the intent to surveil and sabotage its adversaries, undermining international norms and threatening international stability. Over the past decade, public reporting indicates that the Iranian regime has conducted cyber operations targeting governments as well as commercial and civil society entities in the U.S., Israel, Saudi Arabia, and Qatar, among others. The Islamic Revolutionary Guards Corps (IRGC) is frequently the main force behind these attacks, though they often enlist the assistance of hackers outside of government.
The Iranian regime typically focuses on “soft” targets, such as vulnerable commercial entities, critical infrastructure, and non-governmental organizations. In the Middle East, Iranian cyber operations have focused heavily on Saudi Arabia and other states in the Gulf. In a 2012 attack that was widely attributed to the Iranian regime, tens of thousands of computers were compromised and deemed inoperable at Saudi Aramco and Qatar’s RasGas, resulting in hundreds of millions of dollars in damages. An updated version of that attack was again carried out between 2016 and 2017, resulting in the destruction of databases affecting the Saudi government and elements of its private sector, including the General Authority for Civil Aviation and the Central Bank.
Outside the Middle East, the Iranian regime has targeted the U.S. and other western countries through cyber espionage and sabotage. Between late 2011 and mid-2013, IRGC-linked entities conducted a coordinated distributed denial-of-service (DDoS) campaign against the U.S. financial sector, threatening the international global financial system. The DDoS campaign disabled bank websites, prevented customers from accessing their accounts online, and collectively cost the victims tens of millions of dollars in remediation costs as the banks worked to neutralize and mitigate the attacks. In 2013, one of the Iranian hackers involved in the DDoS campaign also conducted an intrusion into the industrial control system of a U.S. dam just north of New York City. Despite the Iranian regime’s efforts to obscure its role in these incidents, the U.S. government designated and indicted several Iranian nationals for their roles in the attacks, giving greater transparency to the full scope of the Islamic Republic’s malicious cyber activity.
The Islamic Republic’s malign cybercrimes are not limited to commercial entities or critical infrastructure. The IRGC-linked Mabna Institute in Iran conducted massive coordinated cyber intrusions into computer systems of approximately 144 U.S.-based universities and at least 176 universities located in 21 other countries, stealing more than 31 terabytes of documents and data. In March 2018, the U.S. government designated the Mabna Institute and both designated and criminally indicted the Iranian individuals involved. The U.S. Treasury’s Under Secretary for Terrorism and Financial Intelligence, Sigal Mandelker, said in announcing U.S. sanctions on these entities, “Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to the Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data.”
DOMESTIC TARGETS
Within its borders, the Iranian regime develops and uses cyber capabilities to silence and weaken its critics, whether ordinary Iranians, members of the civil society or elected government officials.
IRGC-affiliated entities have also targeted the Islamic Republic’s own diplomatic corps, with reports indicating that even Iran’s Foreign Minister Javad Zarif may have unknowingly been a part of an IRGC-linked cyber surveillance scheme targeting a prominent Iranian. Beyond elected officials, cyber campaigns including espionage, defacement and credential theft have targeted Iran’s reformist clerics and moderate political leaders and activists.
The Iranian regime utilizes its cyber capabilities to deny Iranians unrestricted access to the Internet, including by blocking access to social media sites and applications. It funds a massive online censorship apparatus and restricts access to satellite services. An irony not lost on the Iranian people is that while the regime cracks down on social media platforms like Twitter, regime officials like Supreme Leader Ali Khamenei and Foreign Minister Zarif, as well as journalists sympathetic to the regime regularly use the platforms to spread the regime’s propaganda to the outside world. In August 2018, Facebook, Twitter, and other U.S. companies reported the removal of more than 1,000 pages, groups, and accounts they assessed were engaged in spreading disinformation on behalf of the regime. The scope of the campaign was wide. On Facebook alone, it included over 600 pages and targeted users in the U.S., UK, Middle East and Latin America.
In the last year, the U.S. Department of Treasury designated several individuals and entities in connection with serious human rights abuses and censorship in Iran. This includes Abolhassan Firouzabadi, the Secretary of Iran’s Supreme Council of Cyberspace. Firouzabadi has played a leading role in the regime’s ongoing efforts to block access to social media sites and applications such as Telegram. The Supreme Council of Cyberspace is itself a designated entity for its role in overseeing the censorship of speech and the media in Iran.
Click here for the full report.