Author: Andria Gotsiridze, Cyber Security Consultant, Founder of Cyber Security Studies & Education Center

Tensions between the US and Iran reached new heights after the killing of General Qasem Soleimani. With its response, Iran will attempt to shake US dominance in the region, in the eyes of both its own people and the other Gulf States, in a way that avoids a forceful response from the US. In this context, one of the possible directions of developments may be Iranian cyber operations, especially given that, according to published reports, a hacker group connected to Iran was involved in a short-term defacement attack on US government websites.

In the summer of last year, against the background of an ongoing confrontation in the region, the US considered cyber threats coming from Iran to be “highly significant.” The probability of a cyber-attack has grown even further after a US drone strike killed General Qasem Soleimani.

How realistic is a cyber-attack against the US? What cyber infrastructure does Iran have for this and what are its cyber capabilities?

By allocating its financial resources appropriately, Iran has managed to build powerful cyber capacities and become one of the most serious cyber actors. Its cyber potential is lower than that of Russia and China. However, it is a cyber actor on the level of North Korea and poses a very real threat to the critical infrastructure of developed states.

Developing offensive cyber capability is one of the goals of Iran’s military modernization. It considers its cyber program a means of collecting intelligence and of taking asymmetric action against its political rivals.

Years-long confrontations with Israel and Saudi Arabia facilitated the development of Iran’s cyber potential. In 2010, having seen the destructive results of the Stuxnet cyber-attack against its nuclear program, Iran built up its cyber capacities with technological assistance from Russia and China, ranging from low-tech defacement and internet censorship to high-tech destructive cyber-attacks, complex cyber espionage schemes and information control mechanisms.

The Stuxnet incident and the money freed up by the halting of its nuclear program pushed Iran to develop its cyber potential. On the other hand, after the 2009 “Green Revolution” and later the “Arab Spring,” Iranian leaders saw a serious threat in an uncontrolled internet, which led Iran’s security forces to direct their efforts towards internet control and strengthening offensive cyber capability.

Given the loosening of sanctions by the previous US Presidential Administration, Iran managed to mobilize financial resources and invest in developing its cyber capabilities. The skills of its hacker groups and their methods became more refined. Iran’s cyber capabilities may be a threat to Georgia insofar as infrastructure belonging to states that Iran considers hostile (in this specific case, our strategic partner, the US) is located on Georgian territory. It is also entirely realistic for terrorist organizations supported by Iran to use Georgian cyber networks for propaganda purposes.

As for domestic political goals, the Iranian government tries to control cyberspace in order to strengthen its regime and exert ideological and cultural influence over the population. In the foreign policy arena, Iran considers cyber operations both a means of collecting information and a cheap and safe response to threats. So that Iran can avoid taking responsibility, such operations are often conducted by organizations it supports.

Western aviation and space technology companies, defense contractors, and representatives of the energy, natural resources and telecommunications sectors often end up as targets of Iranian cyber espionage.

According to US intelligence services, Iranian cyber actors have been able to plant malware in US business networks since at least 2014. Iran actively uses the acquired information in military research and in developing its raw materials industries.

In 2012, in response to an attack on an Iranian oil processing plant, Tehran attacked Saudi Arabia’s Aramco and Qatar’s RasGas. The high-tech malware used in the attack, which experts compare to Stuxnet, disabled thousands of computers. In 2012-2013, Iranian hackers conducted DDoS attacks against US banks and the stock exchange, and in 2014 they deleted data from the Las Vegas Sands casino. In 2014, during an escalation in the Gaza Strip, the Israeli defense forces’ infrastructure was subjected to an Iranian DDoS attack. In 2016-2017, Iran carried out yet another high-tech attack against Saudi Arabia, causing data to be deleted from dozens of targets. This time, civil aviation, central bank and state networks were targeted. Iranian cyber actors also conduct information operations over cyber networks. Such operations aim to promote pro-Iranian political interests through fake social media accounts. These accounts circulate the views of the Saudi opposition as well as anti-Western sentiments and opinions supportive of Tehran.

Three actors play the main roles in Iran’s cyber operations: Iran’s Islamic Revolutionary Guard Corps (IRGC), the Basij and Iran’s National Passive Defense Organization (NPDO). The IRGC is responsible for the attacks on US, Israeli and Saudi critical infrastructure. The Basij is a paramilitary organization which, according to statements by its leaders, consists of thousands of volunteer cyber-warriors. It manages a wide network of hackers from universities and religious schools.

The NPDO is responsible for defending Iran’s critical infrastructure. To ensure coordinated work between these cyber actors, Ayatollah Ali Khamenei created the Supreme Council of Cyberspace, which consists of high-ranking military and intelligence officials.

Currently, cyber operations are an important part of Iran’s military power. The tools used in its attacks are mostly modified malware from the criminal market, and their destructive potential is lower than that of their Russian analogs; however, they can still do significant harm to the infrastructure of any country.

Iran’s destructive cyber potential represents a real threat to small banks, local energy companies and oil pipeline control systems. Iran’s cyber capabilities are not yet ready for more high-tech attacks (such as Stuxnet or Russia’s BlackEnergy).

Iran can conduct cyber operations in several different directions:

Iran has been using DDoS attacks against US banks since 2011; however, such an attack causes only temporary disruption, and today’s critical infrastructure is more or less protected against this type of attack.

Data deletion (wiper attacks) is a common line of Iran’s cyber-attacks. Such an attack can cause great harm and, in theory, even damage computer equipment. The US Department of Homeland Security (DHS) warned the US population about the possibility of such an attack in June 2019, during the escalation caused by the downing of a military drone. According to expert assessments, such an attack on US military networks would cause great damage. There are reports that in 2013 Iran managed to infiltrate the US Navy’s unclassified internal network.

Cyber espionage is another line of Iran’s cyber-attacks, one it also uses in preparing terrorist attacks. It serves both to determine a target’s real-time location through surveillance via a mobile phone operator and to study the everyday life of a potential target in preparation for a terrorist act.

Not long ago, WikiLeaks published Saudi diplomatic correspondence obtained through an Iran-supported cyber-attack, which painted an unflattering picture of the Saudi Foreign Ministry and contained compromising material. It is possible for Iran to conduct a similar information operation in order to foster protest among the US population and create unrest.

Last summer, Iranian cyber actors infiltrated Bahrain’s water supply system, confirming that Iran is capable of gaining remote access to industrial control systems. Although no physical harm was recorded as a result of that Iranian cyber-attack, it is entirely possible to use such attacks to achieve kinetic effects on an adversary’s critical infrastructure, much as Russia does.

Iran will presumably avoid cyber-attacks on oil pipelines, cutting electricity, or any cyber operation causing kinetic damage or casualties, which could turn out to be a red line and provoke a forceful, disproportionate response, perhaps even in terms of collective defense. To avoid such developments, Iran will attempt to exert psychological pressure on US decision makers, for which a less risky and more accessible way is to attack the banking sector, the infrastructure of overseas US businesses and state structures, and to use cyber espionage and information operations.