Agenda
1. Overview of Iran's cyber capabilities: Start by providing an overview of Iran's cyber capabilities, including the history of their cyber operations, their objectives and strategies, and the tactics and techniques they use.
2. Major cyber attacks attributed to Iran: Discuss some of the most significant cyber attacks that have been attributed to Iran, such as the attacks on Saudi Aramco, the US financial sector, and the Sands Casino.
3. Iranian state-sponsored hacking groups: Introduce some of the major Iranian state-sponsored hacking groups, such as APT33, APT34, and APT39, and describe their capabilities and objectives.
4. Cyber espionage: Discuss Iran's cyber espionage capabilities and some of the targets of their espionage activities, such as US government agencies and companies in the Middle East.
5. Cyber terrorism: Describe Iran's potential for cyber terrorism and the types of attacks they could carry out.
6. Cyber warfare: Discuss the possibility of Iran engaging in cyber warfare, including the potential for disrupting critical infrastructure and the potential for a cyber conflict with other nations.
7. International response: Finally, discuss the international response to Iran's cyber activities, including sanctions and diplomatic efforts to address cyber security concerns.
We show it first for few seconds with Iranian music (5-6 seconds)
“In this situation, we should know, before anything, what is happening in cyberspace so that we can use our knowledge, science, and persistence to defeat our enemy in the soft war.” Supreme Leader Ayatollah Khamenei
Hi Everyone, its Yaniv Hoffman, back a new blog and this time on IRAN cyber power.
Overview:
Iran's cyber capabilities have been growing rapidly over the past decade. The Iranian government has made significant investments in cyber technology and infrastructure, and they have been able to develop sophisticated cyber capabilities, including the ability to conduct cyber espionage, cyber sabotage, and cyber warfare.
Yet before diving into to Iran’s cyber capabilities, lets understand better when it all started.
History of their cyber operations:
In 1993, Massoud Saffari (Which I couldn’t find a picture….so if you have it, please let me know) was Head of the High Council of Informatics, and he suggested to create a dedicated data communications network, using the country’s existing telephone infrastructure. Iran’s first commercial Internet Service Provider (ISP) was established soon after, and the non-profit Institute (NRI) an affiliate of the municipal government of Tehran, began offering Internet access in February 1995.
Looking at Iranian telecommunications sector, it has been structured and developed to facilitate government intervention to control online expressions: so the Ministry of Information and Communications Technology (ICT) directly controls the Telecommunication Infrastructure Company (TIC) – which has a “monopoly over the purchase of international Internet gateways in Iran
The Iranian government's interest in cyber operations can be traced back to at least 2005, when Iran established a cyber defence headquarters within its Ministry of Defence.
However, it was in 2009 that Iran is believed to have taken a more active role in cyber operations and moved from defensive to offensive cyber (Not because of Stuxnet as many believe).
In June 2009, Iran's presidential election resulted in protests and civil unrest, with many Iranians using social media platforms to organize and communicate. The Iranian government responded by cracking down on social media and other online platforms, but also began to invest heavily in its own cyber capabilities.
Separately, That same year, a cyber-attack known as "Operation Aurora" was launched against Google and other technology companies, which many believe was carried out by a group of hackers backed by the Chinese government. This event is widely seen as a turning point in the global understanding of the potential impact of cyber-attacks.
Operation Aurora , there are few snapshots of Google that hacked and went down
In response to these events, Iran began to invest heavily in its own cyber capabilities, including the establishment of a number of cyber units within the country's military and intelligence organizations. These cyber units have been linked to various cyber operations, including cyber espionage, cyber-attacks, and disinformation campaigns.
There are also other factors that have contributed to Iran's interest in cyber operations, including a desire to protect its critical infrastructure from cyber threats and to develop capabilities to counter foreign cyber attacks. Additionally, Iran's geopolitical situation and the prevalence of economic sanctions have made cyber operations an attractive option for achieving strategic objectives.
Objectives and strategies:
Now, look at Iran’s objective and strategies – They are primarily related to national security and foreign policy. They seek to acquire sensitive information and intelligence from other nations, disrupt the operations of their enemies, and project their influence on the global stage. Iran has also been accused of using cyber-attacks to suppress dissent and monitor their own citizens.
Tactics and techniques:
Iran's cyber operations typically involve a combination of tactics and techniques, including phishing, malware, denial-of-service attacks, and social engineering. They have been known to use advanced persistent threats (APTs) to gain access to target networks and conduct espionage.
In some cases, Iran has also used wiper malware (Like used against Ukraine) to destroy data and disrupt the operations of their targets.
One notable characteristic of Iran's cyber operations is that they often rely on "cyber proxies" – which are groups of hackers or contractors that are not directly affiliated with the Iranian government, but who carry out cyber attacks on behalf of Iran. This allows the Iranian government to maintain plausible deniability and avoid direct attribution for their cyber activities.
Few key examples of Iran’s capabilities in cyber in recent years are:
Major cyber attacks attributed to Iran
1. Saudi Aramco Attack (2012): In 2012, a major cyber-attack targeted the Saudi Arabian oil company, which is the largest oil producer in the world. The attack involved the use of malware known as Shamoon, which wiped data from thousands of computers, causing significant disruption to Aramco's operations. The attack was widely attributed to Iran, although the Iranian government denied involvement.
2. US Financial Sector Attacks (2012-2013): Between 2012 and 2013, a group of Iranian hackers launched a series of attacks on US financial institutions, including JP Morgan Chase, Bank of America, and Wells Fargo. The attacks involved DDoS (distributed denial-of-service) techniques, which overwhelmed the banks' computer systems with traffic, causing them to crash or become inaccessible. The attacks were believed to be retaliation for economic sanctions imposed on Iran.
3. Sands Casino Attack (2014): In 2014, the Sands Casino in Las Vegas was hit by a major cyber attack that resulted in the theft of customer data and the destruction of some of the casino's computer systems. The attack was attributed to Iranian hackers, who were believed to have been motivated by comments made by the casino's owner, Sheldon Adelson, regarding his support for Israel.
4. WannaCry Ransomware Attack (2017): The WannaCry ransomware attack was a global cyber attack that affected more than 200,000 computers in 150 countries. The attack involved the use of malware that encrypted users' files and demanded payment in exchange for the decryption key. While the attack was not specifically targeted at any one country or organization, it is believed that the initial infection vector was a vulnerability in Microsoft Windows that had been discovered by the NSA and subsequently leaked by a group of hackers known as the Shadow Brokers. Some analysts have suggested that the WannaCry attack may have been carried out by Iran, although this has not been definitively proven.
Microsoft, Threat Intelligence team just released a report on 2nd of May about IRAN’s cyber influence and linked 24 unique cyber-enabled influence operations to the Iranian government in 2022—including 17 since mid- June—compared to seven in 2021 – More about it in the report and I will leave the link in the description of this video.
So we talked about IRAN’s history and capabilities & Techniques, so its good time to review its cyber structure and nation states groups.
Major Iranian state-sponsored hacking groups:
Iran cyber arm structure is built between 2 main agencies.
The Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC). These are two of the most prominent intelligence and security organizations in Iran. While both organizations have a mandate to protect Iran's national security interests, they operate independently of each other and have different areas of focus.
The MOIS is primarily responsible for domestic intelligence and is tasked with identifying and neutralizing threats to Iran's internal security. The organization has been linked to various covert operations both inside and outside Iran, including the creation and support of cyber groups involved in cyber espionage and attacks.
On the other hand, the IRGC is a military organization tasked with defending Iran's national security interests, both domestically and internationally. The IRGC has been known to operate various cyber units, including the Cyber Defence Command, which is responsible for protecting Iran's critical infrastructure from cyber threats.
While the MOIS and IRGC operate independently of each other, it is possible that there is some overlap in their activities. For example, both organizations have been linked to cyber operations, and there have been reports of coordination between the two organizations in some instances. However, the exact nature of their relationship and level of cooperation is not publicly known, and it is difficult to say with certainty how closely they work together.
There are 10-11 publicly tracked threat actors groups that are commonly associated with Iran
Groups like
· APT33: APT33, also known as Elfin, is a group believed to be sponsored by the Iranian government. They have been active since at least 2013 and have targeted a variety of industries, including aviation, energy, and telecommunications. APT33's capabilities include spear-phishing, malware deployment, and credential theft. Their primary objective is to gather intelligence on their targets, although they have also been linked to destructive attacks.
· APT34: APT34, also known as OilRig, is another Iranian state-sponsored hacking group that has been active since at least 2014. They have primarily targeted organizations in the Middle East, including government agencies, financial institutions, and energy companies. APT34's capabilities include spear-phishing, credential theft, and malware deployment. Their primary objective is to gather intelligence on their targets, although they have also been linked to disruptive attacks.
· APT39: APT39 is a group believed to be sponsored by the Iranian government that has been active since at least 2014. They have primarily targeted organizations in the Middle East, including telecommunications and technology companies. APT39's capabilities include spear-phishing, malware deployment, and credential theft. Their primary objective is to gather intelligence on their targets, although they have also been linked to disruptive attacks.
There are other notable groups include Like cotton sandstorm which Microsoft tracked their operation as seen in the following snapshot that use different methods and operate via diff personas in different timelines
And even more like APT35 (Charming Kitten), APT10 (Silent Librarian), and APT41 (Barium) that are associated with Iran but I will not speak about them here, maybe in future video.
Cyber Espionage
Iran is known to have robust cyber espionage capabilities, and they have targeted a wide range of organizations and individuals over the years. Here's some additional information on their cyber espionage activities:
· US Government Agencies: Iran has been known to target US government agencies in their cyber espionage operations. In 2013, it was discovered that Iranian hackers had gained access to the Navy Marine Corps Intranet, which provides secure communication for the US Navy and Marine Corps.
https://www.theverge.com/2014/2/18/5421636/us-navy-hack-by-iran-lasted-for-four-months-say-officials
Additionally, in 2019, it was reported that Iranian hackers had targeted the US Treasury Department and several other government agencies as part of a cyber espionage campaign.
· Companies in the Middle East: Iran has also targeted companies in the Middle East as part of their cyber espionage activities. In 2012, the Shamoon malware was used to target Saudi Aramco, which is the largest oil producer in the world. The attack resulted in the destruction of thousands of computers and caused significant disruption to Aramco's operations. Additionally, in 2015, it was discovered that Iranian hackers had targeted a number of companies in the Middle East, including telecommunications providers and energy companies.
· Dissidents and Activists: Iran has also targeted dissidents and activists in their cyber espionage operations. In 2019, it was reported that Iranian hackers had targeted email accounts belonging to journalists and activists who were critical of the Iranian government. Additionally, in 2020, it was reported that Iranian hackers had targeted the email accounts of several US government officials who were involved in negotiating the Iran nuclear deal.
Overall, Iran's cyber espionage capabilities are well-developed and pose a significant threat to organizations and individuals around the world. They are known to use a variety of techniques, including spear-phishing, malware deployment, and credential theft, to gain access to their targets' systems and data.
Iran Cyber warfare –
Iran has been increasingly active in the realm of cyber warfare in recent years, both in terms of developing its own capabilities and using them to carry out attacks against other countries. Here are some additional details on Iran's cyber warfare activities:
1. Disrupting Critical Infrastructure: Iran has been linked to a number of attacks that were designed to disrupt critical infrastructure, such as power grids, water treatment plants, and transportation systems. For example, in 2019, Iranian hackers targeted a small dam in New York state in an attempt to gain control of the system. While the attack was ultimately unsuccessful, it demonstrated Iran's interest in targeting critical infrastructure in the United States.
2. Conflict with Israel: Iran is engaged in an ongoing cyber conflict with Israel, which has included a number of high-profile attacks. For example, in 2010, the Stuxnet worm, which was widely believed to have been developed jointly by the United States and Israel, was used to sabotage Iran's nuclear program. In response, Iran has targeted Israeli companies and government agencies with a range of cyber attacks, including distributed denial-of-service (DDoS) attacks, website defacements, and data theft.
Few examples:
In early April 2023, an Iran-linked group was most likely behind a cyberattack that disabled the water controllers of at least ten Israeli farms, replacing the image on programmable logic controllers (PLCs) with the message “Down with Israel.” The image was identical to one used in a probable Iranian cyberattack against Israel Post in January 2022, days after an Iranian state broadcast was disrupted with the message “Down with Khamenei.”
Prior to the most recent attack on Israel’s water system, Microsoft Threat Intelligence detected an Iranian actor conducting reconnaissance of an Israeli water company in mid-2022 and scanning the web interfaces of Israel-based industrial control systems in December 2022. We do not know if that actor was involved in this latest attack.
In June, Moses Staff amplified a cyberattack that set off emergency rocket sirens in Israel using software that adjusts Audio over Internet Protocol (AoIP) networks.45 We assess an Iran-affiliated actor was also responsible for the cyberattack on the alarmsystem, but we do not have indications linking the group with Moses Staff.
3. Developing Advanced Capabilities: Iran has invested significant resources in developing its own cyber capabilities, with the goal of being able to carry out sophisticated attacks against its enemies. In recent years, Iranian hacking groups have become increasingly sophisticated, using advanced tactics such as supply chain attacks and exploiting zero-day vulnerabilities.
Overall, Iran's cyber warfare capabilities pose a significant threat to its adversaries, particularly in the Middle East. While Iran has not yet engaged in a full-scale cyber war, the increasing sophistication of its capabilities and its willingness to use them for both espionage and disruptive purposes is a cause for concern.
International response
The international response to Iran's cyber activities has included a range of sanctions and diplomatic efforts aimed at addressing cybersecurity concerns. Here are some additional details on the international response to Iran's cyber activities:
· Sanctions: The United States has imposed a number of sanctions on Iran in response to its cyber activities. In 2019, the US Treasury Department imposed sanctions on several Iranian individuals and organizations for their involvement in a series of cyber attacks, including the 2018 ransomware attack on Atlanta, Georgia. In addition, the US has designated a number of Iranian hacking groups, including APT33 and APT34, as threats to national security, and has worked with other countries to restrict their ability to operate.
– You can show trump sign on it from 0:12
· Diplomatic Efforts: Several countries have engaged in diplomatic efforts aimed at addressing cybersecurity concerns related to Iran. For example, in 2018, the European Union established a sanctions regime targeting cyber attacks, which included measures aimed at preventing the export of technology that could be used for cyber attacks to Iran. In addition, the US has engaged in diplomatic efforts aimed at convincing other countries to restrict their engagement with Iranian entities involved in cyber activities.
· Public Condemnation: Many countries have publicly condemned Iran's cyber activities, both in terms of its state-sponsored hacking groups and its attempts to disrupt critical infrastructure. For example, in 2020, the US Department of Justice indicted two Iranian hackers for their involvement in a series of cyber attacks against US companies, and publicly attributed the attacks to the Iranian government. Similarly, a number of European countries have publicly condemned Iran's state-sponsored hacking groups and called for increased efforts to address cybersecurity threats.
Overall, the international response to Iran's cyber activities has been mixed. While there have been some efforts to address cybersecurity concerns related to Iran, including the imposition of sanctions and diplomatic efforts, it is unclear whether these efforts will be sufficient to prevent Iran from continuing to engage in cyber attacks in the future. As Iran's cyber capabilities continue to develop, it is likely that the international community will need to work together to address the growing threat of Iranian cyber activities.
Looking Forward
Iranian cyberattacks and influence operations are likely to remain focused on retaliating against foreign cyberattacks and perceived
incitement of protests inside Iran.
Israel, followed by the United States, is likely at highest risk for future such operations, particularly in the near term given Iran’s rapprochement with Saudi Arabia and diplomatic blitz of other Arab Gulf nations in March.
Israeli and US organizations have consistently been the most common targets of Iranian cyber operations in the past year, with a further increase in Israeli targeting in the past six months, judging from Microsoft data.
In October, Supreme Leader Khamenei and Iran’s intelligence agencies blamed Israel and the United States for inciting protests in Iran, while other key regime figures have blamed Israel and the United States for major cyberattacks against Iran.
Iran is likely to continue leveraging its newfound penchant for cyber-enabled IO to keep pace with external pressure, in part to overcome shortcomings in its cyber threat capabilities relative to the attacks it has faced. At the same time, Iranian cyber actors are likely seeking greater cyberattack capabilities to achieve the regime’s desire for proportional.
retaliation. In fact, there remain occasional outliers that demonstrate efforts along these lines.