As early as 2006, Iran began waging war in the cyber realm against America and its allies. Both specialized Iranian government bodies and contracted professional hackers began actively seeking to penetrate America’s computers and computer networks in order to cause damage and disruption. These efforts threaten America’s physical security as well as its economy and infrastructure.
The United States is taking a range of actions to counter this emerging threat. Most recently, on Nov. 21, 2017, the U.S. Department of Justice announced charges against an Iranian national, Behzad Mesri, for hacking and then attempting to extort American cable and satellite television network HBO. According to the indictment, Mesri (known online as Skote Vahshat) worked for the Iranian military to "conduct computer attacks" on military targets in Israel and other enemies of Iran.
In explaining the charges, Acting Manhattan U.S. Attorney Joon H. Kim said: “Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO’s systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.”
This article outlines the development of Iran’s cyber corps and cyber-offensive strategy, Iranian hacking attempts, America’s legal and military response, and the way forward.
Development of Iran’s Cyber Corps
Iran’s Islamic Revolutionary Guards Corps (IRGC) is largely responsible for developing Iran’s cyber program. Its earliest efforts are believed to have begun in 2006 with the creation of the “Iran Cyber Army”—a cadre of civilian hackers tasked with targeting networks hosted by Iran’s enemies. In 2010, the Basij, Iran’s IRGC-run paramilitary volunteer militia, launched a “cyber warrior” division with 1,500 hackers. Also that year, the Iranian military established formal cyber-offensive squadrons as well as a Cyber Defense Command tasked with preventing cyberattacks on critical Iranian infrastructure.
The Iranian regime began seriously investing in its cyber program in response to the domestic 2009 Green Revolution and a series of foreign cyberattacks from 2010-2012. At a February 2012 student conference in Iran, then-deputy head of Iran's National Security Council, Ali Baqeri, called on students "to play a key role in the cyber area" and bragged that "a document recently published by the U.S. intelligence apparatus said that Iranian intelligence operations against the U.S. have increased in recent years, and so have [Iran's] cyber capabilities.” In March 2012, several Iranian universities established cyber-defense schools as part of a program launched by the Passive Defense Organization—a regime entity that, as part of its responsibilities, manages Iran’s civilian cyber system.
Also in March 2012, Iranian Supreme Leader Ayatollah Ali Khamenei ordered the formation of the Supreme Council of Cyberspace to consolidate cyber decision-making in a single body that answers to him. Through the creation of an extensive offensive cyber apparatus, the Iranian government has supplemented its destabilizing regional military actions with the capability to disrupt valuable computer systems across the world.
By 2016, the regime stated that it spent $1 billion annually on its cyber programs. In addition to its domestic efforts, Iran has also intensified its recruitment of foreign hackers to help carry out attacks. And this overall investment has yielded results: The 2017 Worldwide Threat Assessment of the U.S. Intelligence Community, published by the Director of National Intelligence, lists Iran among the top cyber threats to the United States.
Iran’s Cyber-Offensive Strategy
Iranian cyber operatives rely on a small set of methods to impede the functioning of important computer networks hosted by the United States and its allies. The most commonly employed is the distributed denial-of-service (DDoS) attack, which floods a computer system with requests until the targeted server crashes. Iranian hackers are also increasingly using fake social media profiles and malware-laden email attachments to extract personal information from their victims.
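The paragraph above describes a DDoS as a flood of requests that overwhelms a server. From the defender’s side, the first signal of such a flood is an abnormal request rate from individual sources, which a network operator can surface from ordinary web-server access logs. The following is an added example, not code from the article or from any organization it names: it parses Apache common-log-format lines, counts each source address’s peak request count within a sliding time window, and flags sources that exceed a threshold. The log lines, addresses, window size and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def max_requests_in_window(timestamps, window):
    """Peak number of requests from one source falling inside any window of the given length.

    Two-pointer sweep over the sorted timestamps: 'left' trails 'right' so that
    ts[right] - ts[left] never exceeds the window.
    """
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flag_floods(lines, window_seconds=10, threshold=100):
    """Map each source IP whose peak rate exceeds the threshold to that peak count.

    window_seconds and threshold are illustrative tuning values (assumption), not
    figures from the article; real deployments calibrate them against baseline traffic.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:           # silently skip malformed lines instead of aborting the scan
            ip, ts = parsed
            per_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        peak = max_requests_in_window(stamps, window)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _format_line(ip, t):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample (not real traffic): one source bursting 150 requests within
    8 seconds, one ordinary client sending 5 requests a minute, and one malformed line."""
    base = datetime(2018, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(150):                       # 20 requests per second for ~8 seconds
        lines.append(_format_line("203.0.113.10", base + timedelta(seconds=i // 20)))
    for i in range(5):                         # one request every 12 seconds
        lines.append(_format_line("198.51.100.7", base + timedelta(seconds=i * 12)))
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for ip, peak in flag_floods(build_sample_log()).items():
        print(f"flood suspected from {ip}: {peak} requests in a 10 s window")
```

A per-source count is only a starting point: a distributed flood spreads requests across many addresses so that no single one trips the threshold, which is why production detection also tracks aggregate request rates, request mixes and geographic spread, and why mitigation typically happens upstream at a scrubbing service or CDN rather than on the origin server.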
Iran’s cyber-offensive divisions are currently developing strategies to disable the most secure networks used by the U.S. military, which support missile deployment, command-and-control centers and unmanned vessels.
Iranian Hacking Campaigns
Iranian hackers constantly seek to infiltrate, disable or destroy American computer systems. While most such attacks fail, some achieve success and public mention.
Between September 2012 and January 2013, Iranian hackers launched an extensive campaign of attacks on American computer networks controlling finance, infrastructure and military operations. The primary targets were the U.S. stock exchange, 46 major banks, the Bowman Dam in northern New York and the U.S. Navy intranet. The attack on the Navy system was so severe that repairing it took several months and cost millions of dollars.
In November 2015, four months after the announcement of the Iran nuclear deal, Iranian hackers stole data from U.S. State Department employees via fake Facebook profiles that mined personal information. In 2016, Iranian hackers attacked the Israeli power grid and Saudi Arabia’s Aviation Authority. A report released by the United Kingdom's National Cyber Security Centre concluded that Iranian hackers were responsible for a cyberattack in June 2017 that leaked emails from members of its parliament.
America’s Legal and Military Response
The United States has developed a robust strategy to address the growing cyber threat posed by Iran and other bad actors. In March 2016, the U.S. government issued indictments and sanctions against seven hackers who took part in the cyber offensive on America between 2012 and 2013. In September 2017, the Treasury Department sanctioned 11 entities and individuals implicated in malicious Iranian behavior.
Two of the sanctioned entities, ITSecTeam and Mersad Co., worked directly with the IRGC to conduct cyberattacks against American networks. U.S. Treasury Secretary Steve Mnuchin said then that the Treasury "will continue to take strong actions to counter Iran’s provocations, including support for the IRGC…and cyberattacks meant to destabilize the U.S. financial system.”
In 2009, the U.S. Cyber Command was established under the direction of the National Security Agency at Ft. Meade, Maryland. The command focuses on securing the Defense Department’s information network, supporting combatant commanders, and strengthening America’s ability to withstand and respond to cyberattacks, such as those from Iran. In August 2017, the Trump administration announced that Cyber Command would be elevated to the status of a Unified Combatant Command focused on cyberspace operations.
The Department of Homeland Security is also working with industry and critical infrastructure providers to protect against attacks and build resiliency.
Despite the many efforts underway, a January 2018 report from the Carnegie Endowment recommended further increasing information sharing between the U.S. government and its allies, as well as with the private sector.
The Way Forward
A range of new cybersecurity initiatives involving both government and civilian cybersecurity specialists could substantially reduce Iranian opportunities to sabotage American networks. Pending legislation, such as the United States-Israel Cybersecurity Cooperation Enhancement Act that passed the House in January 2017, would create a cybersecurity grant program for joint research and development ventures, deepening cooperation on security issues related to commercial, governmental and military computer networks.
The administration should also continue to add Iranian cyber attackers to the Specially Designated Nationals List, increase indictments against Iranian hackers targeting Americans, and seek extradition of these hackers to the United States for trial when possible. As the cyberwarfare threat from Iran continues to evolve and increase, so too must America’s efforts to protect itself and its allies.