Forecasting Iranian Government Responses to Cyberattacks: The Increasing Importance of Cyber Operations in Iran

by | Apr 26, 2022 | Cybersecurity

Extant scholarship on Iranian offensive cyber operations emphasizes how Iran uses these operations to gain strategic advantages over its adversaries. However, the degree to which Iran might employ these same tools and tactics to respond to cyberattacks on its own infrastructure remains under-examined by scholars. 

Knowledge of Iran’s development of offensive cyber warfare capabilities has grown during the past decade. Some researchers have pointed out that Iran’s burgeoning interest in cyber warfare is congruent with the nation’s general preference for using ambiguity, such as foreign proxy groups, to achieve its policy goals. And a clear track record of Iranian cyberattacks to advance the nation’s interests highlights the rising significance of offensive cyber capabilities for Iranian foreign and domestic policy. 

Iran has limited ability to use its own conventional military assets to project power abroad. One way that Iran gets around this comparative weakness is by sponsoring and partnering with proxy groups and allied governments in the Middle East. In addition, Tehran has begun to exert power in cyberspace against the United States, its allies, and domestic groups from within Iran itself. It is important to underline here that the examples the authors share below do not represent all of Iran’s cyberattacks, either directly or through proxies, during the past 10 years. Rather, these are among the most prominent examples of Iran-linked cyberattacks reported in the public domain. 

One of Iran’s first publicly attributed uses of cyber warfare during the past decade was a series of DDoS attacks against the U.S. financial sector from 2011–13, known as Operation Ababil, which the U.S. National Security Agency interpreted as a response to Western efforts to stymie the Iranian nuclear program. Campaigns linked to the Izz ad-Din al-Qassam Cyber Fighters (QCF), a proxy group connected to the IRGC, targeted American financial institutions. The origins of the attacks were by their nature ambiguous: DDoS attacks are launched from large networks of compromised machines, called botnets, so the traffic arrives from thousands of third-party systems rather than from the attacker, making attribution difficult. An estimated 50 U.S. banks, including Bank of America, were victims of these attacks. Operation Ababil shows Iran’s willingness to leverage cyberspace to attack critical infrastructure. Given the constraints Iran faces, Tehran has much to gain and little to lose from attacks like those it carried out in Operation Ababil. 

Other prominent examples of Iranian cyberattacks that appear offensive, rather than defensive, include the theft and destruction of data at a Las Vegas casino in 2014, and the intrusion by a private Iranian company into the control systems of a dam in Rye Brook, New York, in 2013. While neither of these attacks caused significant physical damage, they illustrate that Iran can engage targets in different geographic areas and disparate economic sectors. 

Shamoon, disk-wiping malware traced to Iran that destroyed thousands of computers at Saudi Aramco in 2012, offers an additional example of Tehran’s capabilities and intentions with respect to cyber warfare. Saudi Aramco is the national petroleum company of Saudi Arabia. Saudi Arabia and Iran are both major petroleum exporters and strategic rivals in the Middle East, vying for influence and power. The attack resulted only in disrupted business operations, with no loss of oil production and no accidental spillage. However, the signal it sent, that Iran could strike one of its rival’s most essential organizations to damage infrastructure, was unmistakable. 

Beyond the effects of Operation Ababil and Shamoon, the scholarship also shows how Iranian cyber capabilities have evolved. For example, one researcher highlights that the Stuxnet worm, which attacked programmable logic controllers used in the Iranian nuclear program in 2010, was first identified by non-Iranian digital forensic experts. This suggests, in Max Smeets’s estimation, that Stuxnet was calculated not only to inflict damage on the Iranian nuclear program but to embarrass Iran. By creating malware that Iranian government officials were not the first to identify publicly, the United States and Israel, to which Stuxnet is widely attributed, humiliated the Iranian regime, which was shown to be unable to protect its own clandestine nuclear program and seemingly to lack the ability to analyze malware quickly. Of course, launching offensive cyberattacks (e.g., Operation Ababil) and conducting digital forensic analyses (e.g., deconstructing Stuxnet) are different functions requiring disparate sets of skills and knowledge. However, the overall impression is that Iran’s cyber prowess has grown both more sophisticated and more persistent over time.

Therefore, it is natural that Iran will increasingly opt to use cyberattacks in both offensive (i.e., attacking first) and defensive (i.e., responding to an attack) contexts. Michael Eisenstadt even speculates that one reason Iran’s preference for defensive cyberattacks will grow is that there is limited potential for spillover from the cyber to the physical domain. Moreover, unlike the laws of armed conflict governing the use of kinetic weapons, there remains a good deal of ambiguity about which acts in cyberspace constitute acts of war. Consequently, Iran can send more nuanced signals through cyberattacks than it could through the use of kinetic weapons.

Some scholars express skepticism about whether Iran poses a genuine threat to Western and U.S. interests. For example, Paul R. Pillar, a retired Central Intelligence Agency officer, frames Iran as a useful villain for U.S. policy makers. Constance Duncombe sounds a similar note, maintaining that much of the hostility in the U.S.–Iran relationship can be traced to mutual misunderstandings born of misrepresentations. 

Moreover, the idea of Iranian “retaliation” may have become outmoded. Analyses from FireEye, a prominent cybersecurity firm, suggest that Iran’s cyber responses fit into a broader spectrum of persistent activity, including online disinformation and espionage campaigns. A group of scholars affiliated with the Belfer Center for Science and International Affairs at Harvard University recently argued that the “tit-for-tat” understanding of Iranian cyber actions overlooks the evolution that has taken place in Iranian cyber capabilities. They maintain that while Iran’s past use of cyberattacks may have been in direct response to specific events, today Iran employs its cyber capabilities persistently. In addition, they argue that U.S. analyses of Iranian intentions suffer from “mirror imaging”: the projection of American decision-making calculus onto Iranian actors, a concern that we share about the present study. 

This article is agnostic with respect to the seriousness of the threat that Iran poses. Tehran’s track record of cyberattacks to date suggests that it can strike a variety of targets, yet its ability to inflict damage remains limited. The authors also believe that it is possible for Iranian cyber responses to fit within a more expansive, ongoing backdrop of Iranian cyber activity. The focus of this article is neither to assess the gravity of the Iranian threat, nor to contextualize Iran’s use of cyberattacks as one tool in its arsenal of online activities. Rather, the objective is to show that Iran’s use of cyberattacks for retaliation is a natural outcome of the internal and external factors affecting Tehran today.
This excerpt was republished under a Creative Commons license to point warfighters and national security professionals to reputable and relevant war studies literature. Read the original article here.
Austen Givens, PhD; Nikki Sanders; and Corye J. Douglas

Dr. Austen Givens is associate professor of cybersecurity at Utica University and coauthor of Homeland Security: An Introduction, published in 2021 by Oxford University Press. He received a PhD in public policy from King’s College London. Nikki S. Sanders is a vice president within the financial services industry and holds an MBA with a specialization in cyber policy and an undergraduate degree in business information systems. She writes on emerging technologies (robotics, AI/ML, cryptocurrency) with an emphasis on cyberspace policy and regulation. Corye J. Douglas is a writer, researcher, and risk management professional whose research has been recognized in various media outlets. He holds graduate degrees in protective management from John Jay College of Criminal Justice and in cyber policy and risk analysis from Utica University.
