Robert Muggah is a co-founder and the principal of the SecDev Group.
Michael Fujimoto is a senior cyber analyst at the SecDev Group and Zeropoint Security.
While the two countries seem to have narrowly averted a catastrophic war, tensions between the United States and Iran are higher than at any point since the 1970s. The assassination of General Qassem Soleimani and the retaliatory missile strikes on Iraqi bases housing U.S. military personnel are a reminder that a hot war between the two enemies and their proxies cannot be discounted. Although U.S. President Donald Trump and Iran President Hassan Rouhani have avoided further military confrontation in the short term, an expansion of cyberwarfare in the Middle East – and around the world – is likely.
The future of warfare is digital. Iranian and U.S. cyber warriors have been trading punches for years, routinely infiltrating and disrupting energy companies, telecommunications firms and a wide array of critical infrastructure. Such attacks are often meted out in partnership with so-called “advanced actor groups,” as well as criminals and hackers. Though it’s hard to know exactly who is behind them, the usual suspects include China, Israel, North Korea, Russia and, of course, the U.S. and Iran.
Advanced-actor groups have a fearsome digital arsenal to draw on. They typically start with reconnaissance, followed by (spear)phishing and watering-hole attacks to gain access to a victim’s systems. Once in, they burrow into the target’s infrastructure to purloin intellectual property, wipe disks clean or sabotage software. The most sophisticated of them use what’s called “zero-day” exploits – previously undiscovered and unpatched software vulnerabilities – that are virtually impossible to defend against.
Military experts are warning of an uptick in Iranian cyberattacks. The groups making them most nervous have fancy pseudonyms such as APT33 (or Cobalt Trinity, Elfin Team or Refined Kitten), APT34 (or Helix Kitten, Oil Rig or Cobalt Gypsy), Chrysene, Greenbug, Hexane and MuddyWater, among others. APT33 was first detected in 2013 after it unleashed destructive malware against energy suppliers in Saudi Arabia, South Korea and the U.S. APT34 was discovered the following year.
The most infamous Iranian-backed virus to date is called Shamoon. It disables computers by overwriting their master boot records, essentially making them impossible to start. It was first uncovered in 2012 – but only after knocking out more than 30,000 hard drives managed by Saudi Aramco and RasGas Co. Shamoon surfaced again in 2016, 2017 and most recently in 2018 during an attack on the Italian oil and gas firm Saipem, infecting computer systems from Paris to Dubai.
Some Iranian advanced-actor groups are ramping up their cyber operations. Over the past two years, Chrysene and Hexane launched a salvo of attacks against energy companies in Iraq, Israel, Kuwait, Pakistan and the U.K. In recent weeks, hackers connected to Iran’s Revolutionary Guards also lashed out at U.S. cities including Tulsa and Minneapolis as well as the Federal Library Program’s website.
One reason Iran has such powerful offensive cyber capabilities is because it has learned from experience. Iran was the victim of the world’s first major act of cyberwar in 2010 – the U.S.- and Israel-orchestrated Stuxnet attacks on Iranian nuclear facilities. Since then, Iran’s Miqdad Cyber Base and Revolutionary Guards have bolstered their capabilities by targeting energy companies, financial institutions, power grids and even small dams.
According to industry sources, Iran has ongoing operations in at least 2,200 public and private facilities regulating everything from electricity to water. Iranians have been probing and stealing credentials from foreign government agencies and private companies for years. It is likely they are also stockpiling zero-day vulnerabilities for future use. If the U.S. escalates hostilities, it won’t take much for Iran to retaliate against Western interests to devastating effect.
The U.S. has vastly superior cyber capabilities, but it also has weak spots. Researchers turned up more than 26,000 exposed industrial control systems in 2019. In the past week, U.S. officials have reached out to thousands of local governments to remind them to back up their data and patch vulnerabilities. The economic impacts of a strike on North American power installations could cost billions if not trillions of dollars. Iran is likely to exploit soft targets, running data-wiping, denial-of-service and ransomware attacks against government servers and private companies.
The risks of destructive cyberwar are escalating. One reason for this is the patent lack of global regulation. Another is the failure of the West to respond to Russia’s cyberattacks against Ukraine. As a result, countries are locked in an arms race in cyberspace. Although governments, companies and citizens are improving their digital hygiene – especially after the damaging outbreak of WannaCry and NotPetya a few years ago – they are still exposed. The truth is that current defences are nowhere near adequate to defend against the coming storms.
Keep your Opinions sharp and informed. Get the Opinion newsletter. Sign up today.