The world has seen a steady increase in tensions between the US and one of its oldest adversaries, Iran. Most recently, on June 13th, commercial vessels were attacked in the Strait of Hormuz (https://www.apnews.com/d67714ab8ac344a3b3af19cca1c20192), a vital shipping lane for oil from the Middle East to the rest of the world economy. These attacks are believed to have been the work of the Islamic Revolutionary Guard Corps (IRGC). Then, on June 20th, a US RQ-4A Global Hawk unmanned drone was shot down by Iranian forces (https://www.cnn.com/2019/06/20/middleeast/iran-drone-claim-hnk-intl/index.html). The US says that the drone was over international waters and that its destruction was unwarranted, while the Iranian government claims that it was in Iranian airspace and was an unwarranted incursion into their territory. The US promised retaliation for the strike. On June 21st, the US launched an airstrike against Iran that President Trump abruptly halted 10 minutes before the strike. The President’s reasoning for canceling the strike was an estimate of ~150 casualties from the airstrike, which he believed was not proportionate to the downing of the unmanned Global Hawk drone (https://www.usatoday.com/story/news/world/2019/06/21/trump-canceled-iran-attack-thursday-after-us-drone-attack/1521384001/). And this is where the entire situation becomes interesting from a cyber security and critical infrastructure perspective.
On June 22nd it came out that the President had approved cyber strikes against Iranian networks instead of the canceled kinetic airstrike (https://www.cnet.com/news/us-hits-iran-with-crippling-cyberattack-says-a-report/). This cyber attack by US Cyber Command had one primary target: the computer network that Iran and the IRGC use to control missile launches across the country, including the kind of missile launch that likely shot down the Global Hawk drone. Crippling that network prevents future attacks by the IRGC against US-operated and other aerial assets in the area, which protect the energy supply lines in the Strait of Hormuz, a passage that carries one fifth of the world’s oil supply. It is important to note that this cyber attack resulted in zero casualties and disabled missile control across the entire country, rather than just the three targets of the canceled June 21st kinetic attack.
From a technical perspective, this was likely an operation that had been in the works for months by US cyber forces in order to make it an available option for the President. I can speak from professional experience that you don’t disable a network, especially a nation-sized military network, overnight. It takes a great deal of reconnaissance, planning, and prepositioning of cyber assets to pull this off even against small, soft targets such as corporate office networks.
Now we have the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA) recommending that industry officials increase their vigilance and cyber security measures to protect against cyber attacks from the Iranian government and the IRGC (https://www.zdnet.com/article/dhs-cisa-warns-of-iranian-hackers-habit-of-deploying-data-wiping-malware/). The most common question that I have gotten in the 24 hours since this announcement from DHS-CISA is “why”. The bottom line answer is that Iran has been conducting cyber attacks against the US and others for years. They simply have not gotten the same kind of coverage in the general news as cyber attacks from other “cyber superpowers” such as Russia and China. Here are some of the most significant examples of cyber attacks from Iran over the past several years:
- Bowman Avenue Dam in New York, 2016: Iranian hackers gained access to the computerized control system of the Bowman Avenue Dam and sent a signal to open a sluice gate, which would have released a flood of water into the nearby community. The only thing that prevented this was that the motor controlling the sluice gate had been disconnected for maintenance when the signal was sent. https://time.com/4270728/iran-cyber-attack-dam-fbi/
- Iran hacks Saudi Aramco networks with the Shamoon virus, 2012: Saudi Arabia’s state-backed oil company, Saudi Aramco, was infected with the Shamoon computer virus (believed to have been deployed by Iran), which exfiltrated and wiped data from a large portion (around 30,000) of the servers and PCs within the company’s global network. From the point of discovery of the virus to the restoration of company operations took ten days. https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
- Iran launches DDoS attacks against 46 US financial institutions, 2011: the targets included “Bank of America, Capital One, JPMorgan Chase and PNC Banks as well as the New York Stock Exchange and Nasdaq – leaving hundreds of thousands of customers unable to access their bank accounts, resulting in tens of millions of dollars being spent by victimized organizations to mitigate and neutralize the attacks.” https://www.bankinfosecurity.com/7-iranians-indicted-for-ddos-attacks-against-us-banks-a-8989
These are just some of the large attacks that the Iranian government has attempted in the last several years. Notice that each of these attacks was against a civilian target that is part of critical infrastructure. This is why the notice came from DHS-CISA, whose primary job is to work with the critical infrastructure sectors to help protect the country against attack from any and all sources, from terrorist attacks to state actors such as those in these examples. CISA has already identified an increase in cyber attacks originating from Iran coinciding with the increase in tension between the US and Iran.
So what does this mean going forward? While past is not necessarily prologue in the world of security and warfare, it can be reasonably assumed that Iran may ramp up its cyber attacks even further and will likely go after civilian targets, where cyber security is not as uniform or as well organized as on federal government and military networks within the US. With the exception of the financial industry and the healthcare industry, there are few or no legal regulations or requirements for cyber security, which makes the private sector a soft target for hackers. Small, medium, and large companies could be affected, including those in critical infrastructure sectors such as the power grid, community water supplies, transportation, and many others. Imagine the impact on communities after natural disasters such as Hurricane Harvey in 2016, in which the water supply and power supply were cut off for communities due to damage. Except that in the case of a cyber attack the damage could potentially be more widespread than what we saw on the Texas coast.
Protection against a cyber attack such as this will take much more than firewalls and antivirus software. It will require preparation and planning by everyone within the information technology sector throughout all of the critical infrastructure sectors. Training of personnel, effective cyber security policies that are actually enforced, and incident response planning are essential elements of a cyber security plan for any organization of any size, from small businesses to large corporations to local and state government agencies.
Charles Teel is an experienced Cyber and Information Security Professional and founder of SR2 Solutions with a demonstrated history of working in the business world across a variety of sectors. Skilled in Secure Software Development, Team Building, Leadership, and Management Consulting. Graduated from the Lamar University MBA Program. Currently an Executive Masters Student at the Bush School of Government and Public Service at Texas A&M University with a concentration in Homeland Security and Critical Infrastructure Protection.