Clash of the internet: The rise of Iran's cyber warfare against US and the Gulf

The last decade has seen a rise in cyber warfare tactics, especially with countries like Iran, which is no lightweight when it comes to malware and espionage.
21 February, 2020
Iran's capabilities have improved [Getty]
Four years ago, as the US faced off against Russia on the cybersphere – where hacking and leaking classified material about enemy states was the gun and bullet in a new frontier of war – Iran, too, was stretching its capabilities. And now, in 2020, it appears it has upped the ante.

The killing of Iranian general Qasem Soleimani, in airstrikes ordered by US President Donald Trump in early January, prompted experts to warn that Iran could retaliate, not only with military attacks but also with cyber-attacks.

The world saw the result of Iran flexing its military muscles after it directed targeted attacks on Iraqi bases housing US forces. Trump, however, attempted to downplay the attack by announcing that soldiers were unharmed, before the Pentagon later released a more accurate statement confirming that 50 had suffered head injuries.

On January 5, Iran appears to have launched a cyber-attack in response to Soleimani's death, when a group claiming to be hackers from Iran breached the website of a small US government agency.

The website of the Federal Depository Library Program was replaced with a page titled "Iranian Hackers!" with images of Iran's Supreme Leader Ayatollah Ali Khamenei and the Iranian flag.

"Martyrdom was [Soleimani's] reward for years of implacable efforts," read a graphic showing US President Donald Trump being punched by a fist coming from Iran.

"With his departure and with God's power, his work and path will not cease and severe revenge awaits those criminals who have tainted their filthy hands with his blood and blood of the other martyrs," it continued.

A third caption echoed experts' fears: "This is only a small part of Iran's cyber ability!"

This had the modus operandi of Iran written all over it; one need only look to the year 2016: a shocking cyber-attack on critical Saudi Arabian computer infrastructure, which experts at the time blamed on Iranian state-sponsored hackers, heralded the entrance of Iran into the maelstrom of malware, cyber-espionage, information operations and destructive and disruptive cyber-attacks.

The virus used at the time was Shamoon, which had been around for a while, though its use by Iran affiliates signalled that the country had levelled up its cyber-warfare capabilities.

The New Arab spoke to FireEye, a US-based cyber-security firm whose expertise includes international espionage.

"Since 2010, Iranian offensive cyber capabilities have matured significantly," said Jens Monrad, Head of Intelligence for the organisation.

"When Iran was hit with 'Stuxnet' in the summer of 2010, Iran appeared to ramp up efforts to grow their offensive and defensive capabilities, making them a much more sophisticated adversary than before."

Stuxnet was a virus Israel had used to target Iran.

"The increased maturity, as well as the motivation, makes Iranian cyber campaigns a significant threat, especially to those nations who might be in direct conflict with Iran."
Infiltration and espionage

One of the principal ways the Iranian government has utilised its capabilities online is by exploiting Virtual Private Network (VPN) bugs to infiltrate companies across the world and plant backdoors in their networks.

According to a new report published earlier this week by a cyber-security firm called ClearSky, Iranian hackers spent last year targeting companies "from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors".

Crucially, such attacks confirm that Iran's cyber capabilities have grown far more sophisticated than previously thought – perhaps more so than their Russian, Chinese and North Korean counterparts.


The purpose of these attacks is twofold: first, to give intimate access to the online political and business platforms of those Iran considers enemy states, like the United States and Israel – the latter of which had engaged in a cyber-attack of its own on Tehran earlier this year.

Second, such planted backdoors allow the Iranian government to access enemy information whenever it chooses.

"VPNs play an essential role in providing employees and especially third parties remote access to the network," Noam Shany, a product manager at CyberArk told The New Arab.

"Their main functions are to create a data tunnel between the third party and the corporate network – and to protect it.

Both Trump and Israel's Netanyahu fall into the category of 'enemy' in Iran's eyes [Getty]
"The latter is mainly achieved through encryption. Critical security breaches in VPN equipment from leading vendors are, therefore, something that organisations must understand and take action on.

"In the last 12 months especially, flaws in how VPNs operate have led to many organisations examining other ways to provide remote vendors access to the most sensitive parts of the corporate network."

Malware and intrusion

In December, Iranian state-sponsored hackers launched new destructive malware capable of wiping data from computers running the Windows operating system, security researchers from IBM discovered.

The hackers had used the new strain of malware called ZeroCleare to target energy companies operating in the Middle East, according to the researchers.

In a 28-page report, IBM's X-Force researchers liken the malware to Shamoon – a dangerous strain of malware that emerged in 2012 as hackers targeted Saudi state oil firm Aramco.

FireEye's expert, Jens Monrad, believes such attacks by Iran are on the rise.

"The motivation appears to be linked to Iranian geopolitical ambitions and economic development needs," he said.

"Furthermore, competition with regional rivals Saudi Arabia and Israel, domestic control concerns, and surveillance of foreign-based nationals drive most state-sponsored cyber threat activity.
"Political and economic isolation creates significant challenges for the government, both domestically and internationally. Defiance of Western interests, reinforcement of Islamic revolutionary ideals, and active state censorship appear to shape Iranian state-sponsored cyber operations."

He went on to add: "In January we did observe a new Iranian-nexus wiper that may have been deployed against Middle Eastern government targets.

"The activity followed what we observed as Iranian threat actors conducting widespread scanning activity for VPN vulnerabilities. It is consistent with Iranian disruptive and digitally destructive attacks against private sector entities in the energy sectors of the US and the Cooperation Council for the Arab States of the Gulf (GCC)."
