Pages

14 January 2020

Should the U.S. Expect an Iranian Cyberattack?

By Sue Halpern

Aday after Donald Trump authorized a drone strike that killed Qassem Suleimani, the leader of Iran’s élite Quds Force, the Department of Homeland Security issued a bulletin from its National Terrorism Advisory System. “Iran maintains a robust cyber program and can execute cyber attacks against the United States,” the alert said. “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Another bullet point noted that “an attack in the homeland may come with little or no warning.” Shortly after, hackers claiming to be affiliated with Iran took over the Web site of the Federal Depository Library Program, an American government agency that distributes government publications, and inserted a picture of Trump being punched in the face, with blood dripping from his mouth. “Martyrdom,” the accompanying message read, was Suleimani’s “reward for years of implacable efforts. With his departure and with God’s power, his work and path will not cease and severe revenge awaits those criminals who have tainted their filthy hands with his blood and the blood of the other martyrs of last night’s incident.” The hackers signed off with an additional threat: “This is only [a] small part of Iran’s cyber ability! We’re always ready.” It was a sophomoric attack on an obscure federal agency, but those last two sentences are unassailable.

In 2010, the United States and Israel covertly inserted malware into the automated control system at Iran’s Natanz nuclear facility, causing nearly a thousand centrifuges to self-destruct. The centrifuges were necessary to enrich uranium for nuclear weapons, and the Stuxnet attack, as it came to be known, was credited with slowing down Iran’s nuclear program and driving the Iranians to the negotiating table. Though neither Israel nor the United States has claimed credit for the attack, the ensuing nuclear deal, signed in 2015, was seen as a triumph for the Obama Administration. (Trump unilaterally walked away from the deal in 2018.) But an unintended consequence of Stuxnet—along with the inadvertent release of the virus into the “wild,” where it continues to be used by nation-state and rogue hackers—was that it inspired the Iranian government to accelerate the development of its own cyber army within the Islamic Revolutionary Guard Corps. The government also recruited thousands of volunteer “patriotic” hackers—among them, criminal gangs and ideologically aligned terrorist groups such as Hezbollah—who work independently, but with the regime’s implicit blessing. (In its most recent bulletin, the D.H.S. noted that “Homegrown Violent Extremists could capitalize on the heightened tensions to launch individual attacks.”) As Ed Parsons and George Michael, who research cyber threats in the private sector, have pointed out, “The Iranian regime has demonstrated greater appetite towards destructive or disruptive cyber-attacks in peacetime than any other nation.”


Cyber weapons also level the battlefield. P. W. Singer, a senior fellow and strategist at New America, told me that, though a nation can’t create an air force in a matter of years, it can gain a great deal of cyber capability in that time. Cyber weapons do not have to be cutting edge to lacerate a community, a company, or a country, either. In 2011, for example, Iranian hackers breached the Dutch certificate authority, DigiNotar, and issued fake security certificates that allowed them to spy on the encrypted communications of tens of thousands of Iranian citizens. Around the same time, Iranian hackers launched a relentless denial-of-service attack on some forty-six American companies, including A. T. & T. and JPMorgan Chase, which continually knocked them offline for a hundred and seventy-six days. Though using a blunt instrument, the attackers still managed to pierce the defenses of some of the biggest businesses in the United States, inflict millions of dollars of damage, and, at times, prevent banking customers from accessing their accounts. A member of the same group also breached the control system of a dam not far from New York City.

Water systems, electrical grids, and other infrastructure are especially vulnerable to cyberattacks, not only because they are high-value targets, essential to sustaining life as we know it, but because they are largely unguarded. In October, a cybersecurity researcher in the Netherlands identified twenty-six thousand industrial control systems across the United States whose undefended presence on the Internet makes them easy targets for malicious actors. What would such an attack look like? In the winter of 2015, Russian hackers briefly shut down the electrical grid in western Ukraine, and the lights went out on up to two hundred and twenty-five thousand residents. Over the next six hours, the trains stopped running, cash machines and gas pumps did not work, credit cards were worthless, and communications with the wider world were essentially cut off. “It is hard to set a limit on the potential damage hacking industrial control systems can lead to,” the cybersecurity researcher Ofer Maor told The Independent, in 2018. “Imagining an attack that causes a blackout is simple, but imagine a case where a vulnerability in a power plant’s control system can be used to bypass load limitations, driving the power plant to work overtime, leading to an explosion, or reversing a sewer pump to overflow sewers across an entire city.”

A study by researchers at the University of Cambridge Centre for Risk Studies and Lloyd’s of London that was released in 2015 found that, if hackers disabled sections of the power supply to fifteen states and the District of Columbia, significant numbers of people would die as health and safety systems failed. They estimated the economic cost to be as much as a trillion dollars. In 2018, U.S. officials acknowledged that Iran had been probing the American power grid and other critical infrastructure for the past few years, potentially laying the groundwork for a cyberattack. James Lewis, the Technology Policy Program director of the Center for Strategic and International Studies, told me that cyber weapons enable Iranians to “do things in the domestic United States that they can’t do with their other weapons, like cruise missiles, because they can reach out and touch.” (At the same time, he questioned whether a cyberattack “is violent enough to be justified as an attack.”)

Even if there were a cyberattack, we might not know its provenance. Not long ago, Russian hackers were observed impersonating Iranian hackers; they disguised their hack of the 2018 Olympics to look like it had come from North Korea. Three years ago, the cybersecurity firm Dragos identified a group of hackers it dubbed Xenotime, which it considered to be “the world’s most dangerous cyber threat.” The group was thought to be Iranian. It was later traced to Moscow. “In cybersecurity, attribution is a big deal—who has hit you and how do you know,” Singer said. If the Iranians do launch a cyberattack on the United States, he said, they may want to toss plausible deniability aside, take credit for it, and let the world know they were the perpetrators. But, he cautioned, “Iran may want to be loud and proud of an attack, but in turn you could have some nefarious third party that wants to look like Iran being loud and proud.” There were many reasons to be concerned about a potential cyberattack before last Friday, Singer told me. There are even more now.

No comments:

Post a Comment