22 December 2018

How Iran's Cyber Game Plan Reflects Its Asymmetrical War Strategy

By Scott Stewart

In response to sanctions and other measures taken by the United States, Iran will look to retaliate in cyberspace. Iran's strategy on the use of physical force provides a gauge of how it will employ cyberattacks. Iran will pursue asymmetrical operations instead of a full-on cyberwar, using proxies and sending subtle messages about U.S. vulnerabilities. 

As discord between the United States and Iran continues to rise in 2019, Tehran will reach deeper into its bag of deadly tricks to counter pressure from Washington. While the huge imbalance of power will restrain Iran from engaging in direct military conflict with the United States and its allies, it will retaliate with its asymmetrical arsenal. These weapons include cyberattacks, terrorism and support for its regional militant allies, and they pose a threat to companies and organizations in the Middle East and beyond. But what is most notable is how Iran's strategy for handling conflict in cyberspace mirrors its game plan for physical clashes.

The Big Picture

In its 2019 Annual Forecast, Stratfor highlighted the continuing struggle between the United States and Iran. Washington is seeking to ratchet up pressure on Tehran to compel its government to curb its nuclear weapons program and regional aggression. But sanctions and other measures will not cause the Iranians to capitulate. They will instead prompt Tehran to look for ways to retaliate, in both the physical and cyber realms.

Cyberwarfare and Harassing Skirmishes

Just as Iran is unlikely to challenge the United States in a large-scale military confrontation, it is also unlikely to wage a direct war on it in cyberspace. The United States is simply too strong in both arenas. A comparison of the complexity of the malware tools Stuxnet — tied to the United States and Israel — and Shamoon — linked to Iran — illustrates the difference in capabilities. While the United States is vulnerable to cyberattacks — defense is always more difficult than offense — its overwhelming power could be devastating if unleashed wholesale on Iran.

Despite that reality, both sides will continue preparing for cyberwar. The Iranians, as well as other state cyber adversaries (and some non-state actors), have been conducting surveillance on critical infrastructure in the United States and the West for many years now. And the Americans and their allies have been conducting similar reconnaissance of Iran’s infrastructure. At the Aspen Security Forum in July 2018, U.S. Director of National Intelligence Dan Coats noted that Iran was making preparations to target electrical grids, water plants, and health care and technology companies in the United States, Europe and the Middle East.

But this surveillance doesn't mean that an attack is certain to follow. In much the same way that countries make plans in case of a war, they also prepare for combat in cyberspace by looking for vulnerabilities and possible pathways for attack. Like any war plan, cyberwar plans must be updated to account for changes in operating systems and security measures, because vulnerabilities can disappear. This cyberattack surveillance is reminiscent of how the Iranians and their proxies such as the Hezbollah militant group scrutinize targets and then keep the information handy for "off the shelf" terrorist attacks later.

While a cyberwar remains unlikely, lower-level Iranian attacks against government targets and private companies and organizations are likely to increase. Just this past week, the Italian oil services company Saipem announced that it had been hit in a tailored cyberattack that employed a variant of the Shamoon malware, indicating an Iranian connection. Saipem's largest client is Saudi Arabian Oil Co., the national oil company of Iran's archrival, which is likely why the Italian firm was targeted.

In addition, the London-based cybersecurity firm Certfa, which specializes in tracking Iranian activity in cyberspace, published a report Dec. 13 documenting the efforts of "Charming Kitten," an Iranian advanced persistent threat (APT) group, to launch a phishing attack against the U.S. financial infrastructure. These APT groups are turning their sights on such targets because of U.S. sanctions and the recent expulsion of Iran from SWIFT, the Brussels-based organization that facilitates global financial transactions. (SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication.)

Sending a Message and a Threat

The Iranians have a history of using detectable physical surveillance of sites that could come under possible terrorist attacks as a way to send a message — most frequently during times of heightened tension with the United States. In such operations, Iran dispatches known members or suspected associates of its Islamic Revolutionary Guard Corps, Ministry of Intelligence and Security, or Hezbollah to conduct not-so-subtle surveillance of U.S. targets abroad or even in the U.S. homeland itself as a way of flexing its terrorism muscle. By being seen photographing or videotaping a dam, U.S. electrical substation or embassy abroad, Iran is letting the United States know that Tehran can make retaliatory terrorist strikes on a host of vulnerable targets if Washington attacks Iran with its superior military power.

This same strategy may also apply to Iranian probes of critical U.S. infrastructure in cyberspace. Those actions are useful for planning off-the-shelf attacks, and if (perhaps, more aptly, when) they are detected, they also serve as a way to demonstrate that the Iranians can conduct cyberattacks against crucial systems if they become desperate and have little left to lose.

Cyber Proxies and Mercenaries

Iran frequently uses militant proxies such as Hezbollah to do its dirty work and to provide Tehran with a degree of plausible deniability. And just as Iran has provided its regional proxies with weapons as well as training in terrorist tradecraft, it will continue to supply them with hacking tools and cyberwarfare training. Such support is reflected in the Hamas and Hezbollah campaigns against Israeli military and other targets, and the assistance from Tehran is likely to increase. Using proxies allows the Iranians to pressure regional and global rivals while masking their involvement.

Besides using proxies, the Iranians — like the Russians and Chinese — can also be expected to employ mercenaries as a way to increase their reach and punch in cyberspace. By hiring criminals to design malware or to launch attacks, Iran can also make it more difficult to trace such attacks back to itself. 

Again, while outright cyberwar with Iran is unlikely, Tehran can be expected to escalate its current lower-level operations. Iran has rapidly improved its cyberwarfare capabilities over the past year and looks to continue that trend in 2019. As it responds to greater U.S. sanctions and other efforts to weaken its government, it will be important not to underestimate those capabilities.