Know Your Enemy: Nation-State Threat Actors – Part 2

In the first part of this series, we focused on the role nation-state threat actors play in shaping the current threat landscape with a particular focus on China. In this part, we take a look at Iran’s evolution into a major player in the sphere and how the groups are used to further the Islamic Republic’s political aims.

Iran

A quick perusal of headlines from the mid to late 2000s would lead one to believe that nation-state activity originating from Iran only began around 2007. However, the activity can be traced back to 2002 and the founding of the Ashiyane Digital Security Team, whose mandate was to support endeavours that would secure Iran’s political, religious, and military dominance in the Middle East. Since 2002, successive nation-state groups have carried out both cyber-espionage and sabotage campaigns in support of Iran’s overarching goal of regional dominance. The targets have not been limited to Iran’s rivals in the Middle East; other perceived adversaries, including the US, have been hit as well.

Early Instances

Target: Websites associated with important agencies overseen by adversary states.

Motivation: Website defacement to promote Iranian propaganda campaigns.

Outcome: The campaign was the first recorded instance of Iranian actors dipping their toes into politically motivated cyber operations, the precursor of the espionage and sabotage campaigns that followed.

Summary:

In February 2002, the Ashiyane Digital Security Team began a campaign defacing websites, including US government and Israeli sites such as those of NASA and Mossad, with pro-Iran messaging and statements. The group also started a forum for discussing cybersecurity topics, which many experts regard as the catalyst for the Iranian hacking community. Neither the defacement campaign nor the forum was anywhere near as sophisticated as the attacks already covered in this series, but together they were the genesis of the far more impactful attacks later led by sophisticated groups.

Iranian Cyber Army

Target: Any country or organisation believed to oppose the current state powers.

Motivation: Cyber attacks on organisations such as Twitter and Baidu, intended to silence critics of government policy and of government and religious leaders.

Outcome: Successful attack campaigns against Twitter made the rest of the world take notice. Iran’s nation-state actors had reached a level of maturity from which more destructive campaigns could be conducted.

Summary:

The Ashiyane Digital Security Team continued to conduct web defacement campaigns, but certain individuals within the state apparatus saw the potential to use such groups to further the state’s regional and international aims. In 2009 another group was seen in action, the Iranian Cyber Army (ICA), seemingly born from the Ashiyane Digital Security Team, with prominent members of the forum being linked to the ICA. In 2010, the commander-in-chief of the IRGC told a newspaper, “Today we take pride in our (Iranian) Cyber Army founded by us, which is the second strongest Cyber Army in the world.”

Since that statement, the ICA has been widely regarded as an arm of the Islamic Revolutionary Guard Corps (IRGC), a branch of Iran’s military. Several attacks were carried out by ICA members who were also linked to the Ashiyane Digital Security Team, resulting in tens of millions of dollars in remediation costs according to the US Treasury Department.

Summarising the evolution and importance of the Ashiyane Digital Security Team and the ICA, Jon DiMaggio in The Art of Cyberwarfare stated, “While Ashiyane is not the only hacking group associated with the IRGC, it’s the primary organisation that can be traced back to what has grown into the cyberwarfare component of Iran. Other groups have played influential roles, most of which share a common denominator: their association with Ashiyane…Despite the deep roots with the IRGC and online Iranian hacking communities, Ashiyane disappeared around mid-2018 without official explanation. All Ashiyane’s infrastructure went dark, and its forums and websites no longer resolve.” (DiMaggio 2021: 18)

Gmail Breach

Target: Iranian Citizens

Motivation: Surveillance of Iranian citizens by intercepting Gmail sessions through the abuse of a fraudulently issued SSL certificate.

Outcome: The incident showed the world how far nation-state threat actors based in Iran had come in a relatively short time frame.

Summary:

Up until this point, Iran’s activity in the cyber warfare and espionage sphere had amounted to web defacements and denial-of-service attacks. 2011 marked a turning point in the country’s capabilities. An Iranian citizen using the online moniker Alibo began having trouble accessing their Gmail account. On logging in, Alibo was shown a browser security warning questioning the validity of the certificate presented by the Gmail website. Like many of us would, assuming that a warning involving a tech giant such as Google must be benign, Alibo accepted the risk and trusted the certificate.

Several days later Alibo could not access the account at all. Only by using a VPN service that provided an IP address other than his Iranian one could the account be reached. The restriction appeared to affect only Iranian users, and Alibo brought the matter to Google’s attention. Rather than a direct reply explaining the issue, Alibo received a link to an announcement stating that Google had been the target of a man-in-the-middle attack. Both Google and a New York Times article reported that the attacker had intercepted traffic by leveraging a fraudulent SSL certificate for Google’s domains issued by DigiNotar, a Dutch certificate authority whose root was trusted by the major browsers. Google stated that DigiNotar should never have issued the certificate, and the certificate was subsequently revoked.

This was all done to conduct a surveillance operation against Iranian citizens: a certificate that browsers accept as genuine lets an interceptor sitting between the user and Gmail read the traffic in the clear, and a browser without certificate pinning raises no warning as long as the certificate chains to a trusted root. It should also be noted that breaching a legitimate company such as DigiNotar is no easy task. The attackers would have had to compromise the CA’s internal systems and bypass its authentication controls before they could issue certificates, which is generally beyond the skills of an average hacker. That Iranian nation-state threat actors reached such a level of proficiency in a relatively short time should inform current assessments of Iran’s capability to give companies and neighbouring governments a bad day.
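The DigiNotar incident boils down to a property of the trust model: any CA in the browser’s trust store can issue a certificate for any domain, and ordinary chain validation cannot tell a fraudulently issued certificate from the genuine one. The script below is an added example written for this article, not code from the original post or from any of the parties involved. It builds a toy PKI with the openssl command line (assumed to be OpenSSL 1.1.1 or later): an honest CA and a compromised CA, both trusted, each issuing a certificate for the constructed hostname mail.example.test. It then shows that chain validation accepts both leaves, that a public-key pin on the site’s real issuing CA rejects the rogue chain, and that removing the compromised CA from the trust store (what browsers did to DigiNotar) also rejects it. All CA and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): a two-CA toy PKI showing why a
# fraudulently issued certificate passes normal chain validation and why
# public-key pinning still catches it. All names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA. $1 = CA name (constructed, e.g. "honest-ca").
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a leaf certificate for mail.example.test. $1 = CA name, $2 = leaf name.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP/Chrome pin format.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Ordinary chain validation against a trust store. $1 = leaf, $2 = CA bundle.
# Prints "ok" or "fail".
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Pin check: $1 = expected pin, remaining args = the certificates the server
# presented. Passes if any presented certificate's SPKI matches the pin (a site
# may pin at leaf, intermediate or root; here it pins its issuing CA's key).
pin_ok() {
  expected=$1; shift
  for cert in "$@"; do
    [ "$(spki_pin "$cert")" = "$expected" ] && { echo ok; return 0; }
  done
  echo fail
}

# Scenario: the browser trusts both CAs, but only one should ever issue for the site.
make_ca honest-ca
make_ca compromised-ca
issue_leaf honest-ca      genuine-leaf
issue_leaf compromised-ca rogue-leaf
cat "$WORK/honest-ca.crt" "$WORK/compromised-ca.crt" > "$WORK/trust.pem"

# The site operator publishes the pin of its real issuing CA.
SITE_PIN=$(spki_pin "$WORK/honest-ca.crt")

# Chain validation alone accepts both certificates (the DigiNotar problem).
chain_ok "$WORK/genuine-leaf.crt" "$WORK/trust.pem"   # ok
chain_ok "$WORK/rogue-leaf.crt"   "$WORK/trust.pem"   # ok

# With pinning, the rogue chain is rejected even though it validates.
pin_ok "$SITE_PIN" "$WORK/genuine-leaf.crt" "$WORK/honest-ca.crt"        # ok
pin_ok "$SITE_PIN" "$WORK/rogue-leaf.crt"   "$WORK/compromised-ca.crt"   # fail

# Removing the compromised CA from the trust store also rejects the rogue leaf.
chain_ok "$WORK/rogue-leaf.crt" "$WORK/honest-ca.crt"   # fail
```

Running the script prints ok, ok, ok, fail, fail: the second line is the interception case, where nothing in the chain itself tells the client that the wrong CA signed it, and the last two lines are the two defences that actually worked in 2011, Chrome’s built-in pins for Google domains and the browser vendors’ removal of the DigiNotar root.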

Shamoon

Target: Aramco

Motivation: Deployment of the Shamoon wiper malware to cause massive damage to IT infrastructure.

Outcome: The attack signalled another ramping up of cyber warfare capabilities for the Islamic Republic and showed the world a destructive and disruptive use for wiper malware.

Summary:

A year later the cyber threat posed by Iran took on a whole new aspect: sheer destruction, with nation-state threat actors deploying wipers on enemy networks. Wipers are a type of malware that overwrites or deletes the data on a machine, often including the boot records, with the intent of leaving the machine inoperable.

The first widely publicised instance of this type of malware, named Shamoon, was seen in the August 2012 attack against the Saudi Arabian oil giant Saudi Aramco. The malware wiped the data from some 30,000 machines in a single day and forced the company to cease operations, both corporate and industrial, while its network was rebuilt. The attack signalled the start of highly destructive campaigns conducted by Iranian threat actors against organisations belonging to enemy states.

Joining the Ransomware Trend

Target: US and Israeli organisations of the kind typically targeted by ransomware gangs.

Motivation: To generate financial returns while still pursuing geopolitical aims.

Outcome: These attacks have blurred the line between financially motivated hackers and state-sponsored hackers, who are typically motivated by geopolitical aims.

Summary:

Having seen how profitable and disruptive a ransomware attack can be, Iranian state-sponsored groups have been observed deploying ransomware themselves. The trend seems to have begun in the fourth quarter of 2021, when security researchers saw the LockBit ransomware strain being used to handle the data encryption.

As this is a new trend, it would be unwise to say for certain what the exact motivation and outcome are. However, North Korean state-sponsored groups have likewise been dabbling in ransomware, namely the VHD ransomware variant. This worrying trend has blurred the previous distinction between financially motivated hackers and state-sponsored threat groups.

Evolution at Breakneck Speed

In a little under 20 years, Iran has forced its way into the cyber warfare conversation. What started as a fairly benign preoccupation with promoting the Islamic Republic’s political and religious ideals evolved into truly destructive attacks that left much of the world in shock. Iran will continue to watch the other players in this cloak-and-dagger enterprise for some time to come.
