“A Brown Water Navy”
Through a series of attacks over the last three years, Iran has revealed a limited offensive cyber capability but a willingness to use it to meet its geopolitical goals.
In testimony calling out Iran for attacks on Sands Casinos, Director of National Intelligence James Clapper put Iranian cyber capability in the same category as North Korea, noting that these countries had “lesser technical capabilities.” China and Russia, on the other hand, have “very sophisticated programs.”
The wiper virus attack against Sands along with similar attacks against Saudi Aramco and RasGas, and distributed denial of service (DDoS) attacks against U.S. financial institutions, used open-source and widely available hacking tools.
The attacks on the Sands Casinos began with a brute-force attack to guess login credentials at a far-flung outpost of the Sands gaming empire. When security personnel noticed the attack and added additional layers of security, the attackers found a vulnerable web server, gained access to it, and then used an open-source tool to gather credentials. They then used these credentials to access Sands' main corporate network, where they planted the wiper that wreaked havoc across the corporate network.
That wiper virus, written in Visual Basic and only 150 lines of code in all, showed similarities to the Shamoon virus that took out 30 thousand computers at Saudi Aramco. But it also showed similarities to the malware used against Sony Pictures and in an attack against South Korea. While these similarities might point to a single source – maybe an “Axis of Evil” joint cyber lab – most experts judge that the similarities are due to a lack of sophistication: nothing more than copy-and-paste exercises carried out by different groups with a similar (and basic) skill set.
Technical sophistication, however, is only one measure of Iran’s cyber program. Iran possesses the cyber equivalent of a “brown water” navy – it can’t compete on the high seas, but its small and limited capabilities can pack a punch – and in cyberspace, where geography isn’t a limiting factor, Iran can deliver whatever capability it has to a target anywhere on the globe.
Iran has used its limited capabilities as a tool for what the intelligence community has labeled “asymmetric but proportional retaliation” in response to the activities of foreign adversaries.
Most analysts believe the attacks attributed to Iran are not being carried out by elements of the Iranian government but by affiliated hacking groups that operate at the behest of the Iranian government. Yet, the hackers seem to operate under a sophisticated understanding of where U.S. redlines may be. The Shamoon virus was used to target U.S. allies in the Persian Gulf (thought by many to be a response to alleged U.S. involvement in Stuxnet). When targeting the U.S. financial sector, Iranian actors didn’t deploy their worst weapon. Instead, they launched a series of DDoS attacks that amounted to a nuisance, albeit a costly one, rather than attempting to disrupt operations of any U.S. banks.
For all their sophistication, the DDoS attacks were clearly meant to make the U.S. government take notice without provoking a response. In retaliating against the CEO of Sands Casinos, Sheldon Adelson, for his comments calling for a nuclear demonstration against Iran, the Iranian actors seem to have intuited that his casinos didn’t represent the kind of critical infrastructure target that might cause the U.S. to escalate.
While Iran will likely not gain the ability to use cyber attacks to alter U.S. strategy or deter action in the Middle East, it’s proven adept at using its limited capabilities to signal displeasure and threaten further action.
Read the Original Article at The Cipher Brief