A hacking battle between Iran and its enemies raises fears of a broader cyber war


TEHERAN, Iran – In early December, Iran’s top university ground to a halt for four days. The web conferencing software used for classes restricted by COVID did not work. Faculty and students were unable to access their records.

It was the latest round of low-level but escalating cyber-hostilities between Iran and its adversaries, particularly Israel, which have exchanged tit-for-tat hacks in a long-running shadow campaign of mutual destabilization. But the attack on the University of Tehran and other incidents like it represent, according to experts, a shift from routine attacks on military and nuclear sites to full-fledged cyber warfare against civilian infrastructure.

“That’s an important difference in cyber conflict – it affects civilians in general and the private sector,” said John Hultquist, vice president of intelligence analysis at US cybersecurity firm Mandiant.

“It’s not about military goals. … The government is often not the audience in many of these incidents.”

The expansion of the cyber battlefield in the Middle East comes as Iran has strengthened the defenses of its controversial nuclear program, said Maysam Behravesh, a research fellow at the Dutch Clingendael Institute who worked as an intelligence analyst and foreign affairs advisor for Iran’s intelligence and security ministry from 2008 until 2010.

“Given that Iran’s nuclear facilities have spread across the country and an attack on the program has become much more complicated, Israel has taken a new approach – launching massive cyberattacks on sensitive civilian targets like dams, gas stations and power plants in order to provoke nationwide riots aimed at overthrowing the regime or preoccupying those in power with everyday, endless unrest,” said Behravesh.

In addition to the attack on the University of Tehran earlier this month, Iran’s second largest airline, Mahan Airlines, was hacked and its website made inaccessible in November. A large-scale hack in October paralyzed the pumps at 4,300 gas stations across the country.

In August, a hacking group called Edalat-e Ali (Ali’s Justice) released security footage from an Iranian prison showing guards beating prisoners. In July, a hack crippled the railroad system, and another group, Tapandegan, attacked airports in large cities and towns. And that is just a partial list of state-acknowledged incidents that Tehran has largely attributed to Israel, without always providing evidence to support the allegation.

After the gas station attack, the new hardline president, Ebrahim Raisi, called for “serious readiness in the area of cyber war,” state media reported.

Meanwhile, Iran has hit back with its own attacks, claim Israeli and US officials and experts.

This month, Check Point, a cybersecurity firm in Tel Aviv, said a number of Israeli companies had been targeted by an Iran-linked hacking group called Charming Kitten. Also earlier this month, Symantec’s threat hunter team announced that a group “whose targeting and tactics were in line with Iran-sponsored actors” had launched a months-long attack campaign against telecommunications operators, IT service companies and a utility company in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates and Pakistan, among others.

In November, authorities in the US, UK and Australia warned that Iran-sponsored attackers had exploited a software vulnerability to carry out ransomware attacks. Earlier this year, Facebook announced that the Iran-affiliated group Tortoiseshell had created fake online personas to contact U.S. soldiers and employees of American and European defense companies to send malware and extract information from their targets.

Also in November, Fars News, an agency run by Iran’s vaunted Islamic Revolutionary Guard Corps, “doxxed” an Iran-focused Israeli cybersecurity specialist, meaning it published the specialist’s name, phone number, home address and other details. This came after an attack by a group called Black Shadow, which released a huge amount of private data from the Israeli LGBTQ website Atraf.

The attacks have sparked a parallel race to close security loopholes. On Saturday, the Israeli military announced that its Joint Cyber Defense Division had joined the U.S. Cyber Command for exercises last week, the sixth such joint exercise this year. Earlier this month, Israel conducted Collective Strength, a simulation of large-scale cyberattacks on financial markets involving tax officials from the United States, Israel, the United Arab Emirates and the United Kingdom, among others.

Iran’s relative international isolation offers few opportunities for such partnerships. The US-led sanctions have also made the country particularly vulnerable to attack, forcing Iranians to rely on pirated, cracked or older versions of software without being able to update them against new security threats.

The attack on the University of Tehran, for example, crippled an older version of Adobe Connect, a web conferencing software suite. For a few days, lecturers and students switched to BigBlueButton, a free web conferencing system whose code is open source – available to anyone who wants to modify it to fix vulnerabilities.

Sanctions also mean that Iran does not have the resources to fend off attacks at the national level, especially when faced with far more advanced adversaries capable of finding so-called zero days – flaws in a program’s code that are unknown even to the software’s maker and can be used to break into a system.

“You have to have a massive, scalable organization that can operate on all of these potential goals down to the network level,” said Hultquist. “It’s already an uphill battle, and if you lack the resources, the adversary will easily gain access.”

At the same time, the Iranian state apparatus and private companies rely less on technology and advanced systems to operate equipment, so the effects of an attack are smaller than in countries like the United States, where such systems play a greater role.

This has led Iran to focus on the offensive side of cyberwarfare. Instead of tailor-made malware like Stuxnet, the sophisticated computer worm developed by the U.S. and Israel that devastated Iran’s nuclear systems in 2010, Iranian hackers have used publicly available malware as well as cracked versions of legitimate remote management and security assessment tools like Cobalt Strike, a threat emulation tool.

And there is no shortage of cyber warriors. The Revolutionary Guards regularly recruit for data mining, network penetration and hacking from educational institutions such as Imam Hossein University, where students join the Guard after graduation, once they have passed ideological interviews and thorough vetting. Those accepted are not allowed to work in the private sector or abroad, but receive higher salaries to compensate.

If the carrot doesn’t work, the stick comes out: According to several Iranian computer engineers who spoke on condition of anonymity, Iranian security services are forcing private hackers to work for the state in order to avoid prison sentences.

Despite the escalation of hostilities, the attacks so far have fallen well short of real war, Hultquist said.

“It is analogous to terrorism in that it is about creating a perception of danger or uncertainty based on limited and infrequent actions,” he said.

But Behravesh, the former Iranian intelligence analyst, believes the intensification of attacks is the prelude to a larger conflict, especially given the sluggish prospects for a revival of Iran’s nuclear deal with the West and other world powers.

“This change in the Israelis’ pattern of hitting civilian targets is pre-strike, which means they give it one last chance before resorting to a full-scale military operation against Iranian nuclear facilities,” he said.

“I would say time is running out and the world and the Middle East could be at a point where there is no going back.”


(The Los Angeles Times special correspondent, Khazani, reported from Tehran and the author Bulos from Amman.)


© 2021 Los Angeles Times. Visit latimes.com. Distributed by Tribune Content Agency, LLC.

