Picture1by Dana Schwarz
INSS – Cyber Warfare Program


INSS Cyber LogoIran has put a great deal of effort into constructing a domestic and external cyber strategy. Domestically, the Iranian regime tries to control cyberspace in order to suppress dissent and insulate Iranian citizens from western influence. Externally, the regime has been building up its cyber defenses in the last few years largely as a response to the damage inflicted by the U.S.-Israeli designed Stuxnet virus on Iran’s nuclear infrastructure. Furthermore, the advantages of cyber-warfare including plausible deniability, outsourcing, and the capacity to strike enemies with superior military and technological capabilities is very appealing to Iran and it is now widely believed that the most recent cyber attacks against two top Gulf energy companies and several major U.S. financial institutions were perpetrated by groups linked to the Iranian regime. These recent cyber attacks illustrate a calculated shift towards offensive cyber tactics which the regime views as an effective method of retaliation and a tool to increase cyber and strategic deterrence.

Iran’s Domestic CyberWar

Iran has sought to control and censor cyberspace to suppress domestic dissent, spy on regime opponents, and reduce Iranian citizens’ exposure to western culture through the internet. Previous cyber attacks include a denial-of-service attack against Twitter, posting threatening messages on opposition websites, jamming the satellite feeds of BBC Persia, and stealing information from the Dutch web security firm DigiNotar. Most of these cyber attacks were carried out by the Iranian Cyber Army, a group of highly skilled computer and information technology experts that has been linked to the Iranian Revolutionary Guard or IRGC. Twitter was probably targeted because of its special role in assisting Iranian dissidents in organizing the 2009 demonstrations and informing the rest of the world about the protests and their violent suppression. The attack on BBC Persia was an attempt to prevent Western news critical of the regime from influencing the Iranian public, and the information stolen from DigiNotar was used to create a fraudulent Google certificate that was used to spy on private communications between Iranian citizens. There have also been several widespread disruptions in internet service in Iran in which major email sites like Gmail and Yahoo were blocked, and other times in which all international sites were blocked.

Additionally, Many of Iran’s cyber-related government agencies were established to suppress domestic dissent. For example, the Committee to Identify Unauthorized Sites is responsible for identifying and blocking websites that have not been approved by the regime. The Cyber Police Force’s main function is to spy on the cyber activities of regime opponents, and the non-military units of the Basij Paramilitary force are responsible for spreading pro-regime propaganda in social networks and blogs. Iran is even developing a National Internet consisting only of regime-approved sites that would effectively separate Iranian cyberspace from the rest of the world and prevent Iranian citizens from being exposed to Western culture and ideas.

Iran’s Post-Stuxnet Cyber Defenses

Following the discovery of the Stuxnet worm and the damage that it caused to Iran’s nuclear infrastructure, Iran began to invest heavily in cyber defense. In 2011, the Iranian regime established the Cyber Command in order to protect Iranian infrastructure against cyber attacks as well as the Computer Emergency Response Team Coordination Center (MAHER) to coordinate the country’s response to cyber threats and facilitate communication. Furthermore, in March 2012, the Ayatollah Khamenei established the High Council of Cyberspace to determine high-level policies regarding cyberspace. All other Iranian organizations or groups involved in cyber operations must implement the policies of the High Council. Iran has also established a cyber-defense program at Imam Hossein University in Tehran; set up research centers to produce domestic anti-malwares and analyze foreign malwares that were designed to sabotage Iran’s important infrastructures; and carried out several cyber defense drills to identify the Achilles’ heels in the regime’s operating systems. Iran has rapidly expanded and improved its cyber capabilities as part of a strategy to both better defend itself against cyber attacks and to deter adversaries from launching future attacks.

Iran on the Offensive: Cyberattacks as a Form of Retaliation

However recent events show that Iran is taking the offensive in the cyber war. In August and September of this year there was a spate of cyberattacks against two major Gulf energy companies and several major U.S. financial companies. In August, Saudi Aramco, the Saudi government-owned oil company was struck by a virus called Shamoon which destroyed data on 30,000 or three quarters of Aramco’s computers. The Shamoon virus replaced crucial system files at Aramco with the image of a burning US flag. A group called the “Cutting Sword of Justice” claimed responsibility for the attack. The attack on Saudi Aramco was followed by a similar cyber attack against a Qatari natural gas company called RasGas that is a leading global provider of liquefied natural gas. The attack shut down the RasGas website and internal email servers.

In September, the hacking group targeted the U.S. financial sector, this time under the name “Qassam Cyber Fighters.” The hacking group attacked the websites of large financial institutions including Bank of America Corp, J.P. Morgan, Chase, U.S. Bancorp, PNC Financial Services Corp., Wells Fargo & Co, Capital One, Sun Trust Banks Inc., and Regions Financial Corp. The denial-of-service attacks slowed the website performance of some of these institutions and temporarily disabled the websites of others.

The hacker group responsible for these attacks is believed to consist of fewer than 100 Iranian cyber specialists at universities and network security companies in Iran. However they are now believed to be acting on behalf of the Iranian government. Cyber experts and security officials have stated that the amount of resources and technical expertise needed to conduct these attacks was too large and too sophisticated to be solely the work of a group of fewer than 100 independent Iranian hackers. The scale of the cyberattacks indicate that there must have been some involvement from a state.

The attack on Aramco is believed to be a form of Iranian retribution for Saudi Arabia’s support for sanctions against Iran and assistance to anti-Assad rebels in Syria. Saudi Arabia has vocally encouraged the sanctions against Iran, and even privately advocated for harsher measures against its Shiite rival. To offset the global decline in oil, the Saudi regime has been increasing its oil output and selling to customers who can no longer buy Iranian oil due to sanctions.

The attacks on U.S. financial institutions appear to be Iranian retribution against the U.S. for imposing tough sanctions against Iranian oil and financial sectors as well as retaliation for Stuxnet and other U.S. and Israeli-designed viruses that have damaged or spied on Iran’s nuclear program. The Iranian regime seems to view cyber attacks as a less risky and more indirect method of retaliation against the U.S. and its allies for the Stuxnet virus and for the biting sanctions that have degraded Iran’s economy. Additionally, the Iranian regime wants the U.S. to know it can disrupt the U.S. economy and hopes that this may deter the U.S. from launching more cyber attacks or taking military action against Iran’s nuclear facilities.

The Advantages of Cyberspace

Cyberspace as a battlefield has distinct advantages for inferior powers like Iran because cyberspace can help level the playing field. Cyberwarfare serves as an asymmetric weapon that allows inferior groups and states such as Iran to inflict damage against technologically and militarily superior enemies. Furthermore, if Iran has sufficient cyber expertise, it may be able to use cyberwar to wreak more damage against superior enemies than it would be able to accomplish using conventional military means.

Cyberspace is also conducive to outsourcing. If the Iranian regime does not yet have the cyber expertise to launch a damaging attack, it could hire cyber criminals or experts to design a virus or carry out a cyber attack on its behalf. In fact, Iran’s Revolutionary Guard has openly tried to recruit hackers to serve the Iranian regime’s interests. Thus, in order to present a significant cyber threat, Iran doesn’t necessarily need the most advanced capabilities, “just intent and cash” to purchase the skills of hackers and cyber mercenaries to do its bidding. This outsourcing could help the Iranian regime expand its cyber potential and overcome the imbalance between its inferior cyber capabilities and those of the U.S. and Israel.

Cyberspace is also advantageous for Iran because it facilitates anonymity. The source of a cyber attack can be hidden, making attribution difficult. “Cyberspace is a domain made for plausible deniability.” It is sometimes difficult to know whether a state or an unaffiliated group of people is responsible for an attack. Furthermore, Iran could develop or purchase a cyber weapon and transfer it to a proxy like Hezbollah which would conduct the actual cyber attack. Iran’s national security strategy centers on the use of terrorist proxies to carry out its violent agenda. The use of proxies allows Iran to preserve deniability and minimize the risk of direct retaliation. Given Iran’s tendency to delegate the execution of terrorist attacks to its proxies, “there is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber strikes against perceived adversaries.” The use of proxies and the obscure nature of cyberspace are attractive to the Iran because they can help blur the regime’s role in a cyber attack.

Additionally, cyber attacks can act as force multipliers to a conventional attack. An asymmetric cyber attack involving attacks against U.S. or Israeli infrastructure could also serve as part of an Iranian retaliation for a military strike on its nuclear facilities. The Iranian regime no doubt hopes that this threat will serve as another layer of deterrence against any U.S. or Israeli military action against Iran.

Conclusion: Preparing for an Attack on Critical Infrastructure

The latest cyber attacks illustrate that Iran has developed significant cyber prowess and poses a serious cyber threat. In fact, Defense Secretary Panetta stated that the attacks on Aramco are “probably the most destructive attack that the private sector has seen to date.” Iran’s cyber capabilities have progressed significantly. Prior to the DigiNotar and Saudi Aramco cyber attacks, Iran’s cyberwar activities consisted solely of crude denial-of-service attacks, however the more recent Saudi Aramco attack indicates a far more sophisticated ability to destroy large amounts of data.

Iran has become more brash and aggressive in its foreign policy. Previously, the Iranian regime refrained from attacking the U.S. and its interests abroad. However, last year’s failed conspiracy to assassinate the Saudi and Israeli ambassadors to the U.S. illustrate that Iran is not as hesitant to carry out an attack on U.S. soil. General James Clapper, Director of National Intelligence, stated that “Iranian officials-probably including Supreme Leader Ali Khameini- have changed their calculus and are now willing to conduct an attack in the United States.”

Panetta stated that the cyberattacks against the oil, gas, and financial companies “mark a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold.” Mr. Panetta described the most daunting potential attack as one in which cyber-attacks against critical infrastructure were executed one-at-a-time, and concurrently with a physical attack. Former White House counterterrorism official Richard Clarke has warned that in the event of a military strike against Iran’s nuclear facilities, Iran may retaliate using cyberwarfare, by “attacking U.S infrastructure such as the power grid, trains, airlines, refineries.” Kayhan, a hardline newspaper affiliated with the IRGC published an editorial boasting that cyberwar is no longer the exclusive domain of the U.S. and threatening the U.S. with a possible attack on “a section of its critical infrastructure.”

Although Iran’s capacity to launch a significant attack against U.S. critical infrastructure is still unknown, U.S. defense officials seem to be taking this possibility seriously and Defense Secretary Panetta recently advocated for new standards to protect “critical private-sector infrastructure like power plants, water treatment facilities and gas pipelines- where a computer breach could cause significant casualties or economic damage.” Several laws that aim to increase cyber-security, particularly with regards to critical infrastructure, are currently being discussed in Washington. Furthermore, Panetta hinted at extensive U.S. offensive capabilities and a willingness to engage in preemptive attacks, stating that “We won’t succeed in preventing a cyber attack through improved defenses alone… If we detect an imminent threat of attack” we have the “capability to conduct effective operations to counter threats to our national interests in cyberspace.”

Iran is currently engaged in two cyber wars: one of them seeks to prevent western ideas from influencing Iranian citizens by censoring what they can access on the internet, while the other focuses on fighting foreign cyber attacks, deterring future attacks, and exacting revenge against the U.S. and U.S.-allied Gulf states. Iran’s recent cyber attacks illustrate that the cyber war is no longer going in just one direction. Moreover, the cyber war has the potential to heat up. As Iran draws closer to creating a nuclear weapon, U.S. and Israeli leaders and home front officials should do more to protect critical infrastructure since Iranian retaliation against the bombing of their nuclear facilities may take the form of far more serious cyber-attacks against western banking systems and critical infrastructure. The advantages of cyberwarfare including plausible deniability, potential for outsourcing, and its asymmetrical nature make it a tempting field of action for Iran. However the extent of Iran’s offensive capabilities are still unclear and it remains to be seen whether some kind of cyber deterrence will be established between Iran and its adversaries.

The writer, Dana Schwartz,  is an Intern in the Cyber Warfare Program at the Institute for National Security Studies (INSS).

The Program is led by Dr. Gabi Siboni .

The program is supported by the Philadelphia-based Joseph and Jeanette Neubauer Foundation.