As high-level international talks in Vienna over Iran's nuclear program edged closer to a deal last fall, something curious happened – massive cyber-attacks that had hammered Wall Street bank websites repeatedly for about a year slowed to a near stop.
While banking industry officials were relieved, others wondered why those Iran-linked "distributed denial of service" attacks that had so regularly flooded bank websites with bogus Internet traffic were shut off like a faucet. One likely reason, say US experts on cyber-conflict: to reduce friction, at least temporarily, at the Vienna nuclear talks.
Yet, even as the "distributed denial of service" attacks abated for apparently diplomatic reasons, overall Iranian cyber-spying on US military and energy corporation networks has surged, these experts say.
Iran was fingered last fall, for instance, for infiltrating the US Navy Marine Corps Intranet. It then took the Navy nearly four months to root out the Iranian hackers infesting its largest unclassified computer network, the Wall Street Journal reported in February.
This litany of Iranian activity is evidence, say experts, that after years as a cyber also-ran, Iran is morphing swiftly into a major threat in the rapidly evolving era of cyber-conflict.
That shift is causing a growing recognition – from the halls of the US intelligence community to the cyber-security firms protecting corporate America – that Iran has vaulted into the ranks of the world's top-10 offensive cyber-powers.
"Iran represents a qualitatively different cyber-actor," says Ilan Berman, vice president of the American Foreign Policy Council, a Washington think tank. "They're not stealing our intellectual property en masse like China, or using cyber-space as a black market like the Russians do. But what Iran does use cyber for, including elevating its retaliatory capabilities abroad, makes it a serious threat."
Intent to do damage
While Iran is still not a true "cyber-superpower" on a par with the US, China, and Russia, it is the intensity, variety, and destructiveness of Iran-linked cyber-incursions over the past five years that led to its reappraisal.
"Until recently, the US intelligence community thought about America's serious cyber-adversaries mainly as a duopoly – Russia and China," says a cyber-expert who asked not to be named in order to preserve ties with federal agencies. "The Vienna process is causing Iran to rein in its cyber-activities, at least temporarily. Iran's capabilities may be rudimentary in many ways, yet what it lacks in sophistication it more than makes up for in intent" to do damage.
Iran was suspected, for instance, to have been the hand behind a computer virus that wrecked 30,000 Saudi Aramco computers in 2012. A similar attack hit RasGas, a Qatari energy company, that same year.
Even though these attacks were considered relatively crude, Iran's capabilities are believed to be growing rapidly, thanks to ample funding from its government – $1 billion in 2011 with continuing large annual expenditures – and easy access to Russian, Chinese and black market cyber-tools and expertise, experts say.
The Aramco incident, while not remotely as sophisticated as the landmark Stuxnet attack on Iran's nuclear fuel refining facilities in 2009, was "second only to Stuxnet as a disruptive cyber-attack and showed the progress of Iranian capabilities," according to a recent study by James Lewis, a cyber-conflict expert with the Center for Strategic and International Studies in Washington.
"They've put in place the structures, strategy – and have acquired software tools from the black market," Dr. Lewis says in an interview. "They have groups whose job it is to hack. They've worked through the organization, the training, and strategic issues that let them use cyber-tools against their opponents."
Another prong of Iran's cyber-development is directed inward.
One of Iran's most sophisticated hacks in 2011 infiltrated a Dutch company in order to steal digital certificates. Those certificates, used for secure online communications, were later reported to have been used by Iranian authorities to hack e-mail and communications of its own citizens.
"We've seen persistent activity by the Iranians, not only in cyber-espionage, but in attacking dissidents at home, infiltrating government and military targets, energy companies and the financial sector," says Dmitri Alperovitch, cofounder and chief technical officer of the cyber-security firm CrowdStrike. "Most of that activity has continued pretty much unabated."
Response to Stuxnet
For their part, Iranians say it took the US-linked Stuxnet attack to spur Tehran in 2009 to press for advanced cyber-war capability, Hossein Moussavian, a research scholar at Princeton and a former diplomat who served on Iran's nuclear negotiations team, said in an appearance a year ago at Fordham Law School.
"The US, or Israel, or the Europeans, or all of them together, started war against Iran," he told the audience. "Iran decided to have … to establish a cyber-army, and today, after four or five years, Iran has one of the most powerful cyber-armies in the world."
Indeed, not unlike China, Iran appears to be developing its offensive cyber-capabilities as part of an asymmetric tool that can reach around the globe to counterbalance its relatively weak conventional forces, says Mr. Berman, of the American Foreign Policy Council. Notably, it seems more than willing to engage in damaging cyber-attacks wherever those might help achieve its goals on the world stage, he says.
That includes an uptick in Iran's cyber-espionage sophistication – including the infiltration of the US Navy's intranet network.
"It was a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months," a former US official told the Journal regarding the Navy intranet spying campaign. "That's worrisome."
A major part of Iran's new capabilities is geared toward signaling the US, letting it know whether it is unhappy – or possibly smiling.
In that vein, massive Iran-linked "distributed denial of service" attacks had flooded bank websites with bogus Internet traffic about every three months since the fall of 2012. But as high-level international talks over Iran's nuclear program edged closer to a deal late last fall, the huge bombardment stopped.
Iran and six world powers – the US, Britain, France, Russia, China, and Germany – reported agreement in January on a timetable for negotiating a comprehensive pact that would end the stalemate over Iran's nuclear program.
DDoS attacks were 'a harbinger'
Of course DDoS attacks, like those against the big US banks, are not typically considered sophisticated attacks – more like protests that gum up the works than damaging attacks, experts note. Yet some say these were far bigger and more sophisticated than generally assumed.
"This operation took down some of the most admirable companies on Wall Street that had deployed some of the most sophisticated defensive technology – and the attackers were able to take down almost all of that," says Carl Herberger, vice president of security solutions at Radware, an Israeli security firm that has investigated the denial of service attacks. "That's a harbinger."
Indeed, Wall Street's respite from DDoS attacks could prove short-lived. If tensions resume or talks fail, cyber-attacks of all types directed at the US should be expected, several experts say.
"If the nuclear talks fail, we should expect retaliation from Iran in a variety of ways including cyber-attacks, both against the US, but also Saudi Arabia and others," CrowdStrike's Mr. Alperovitch says.
"It's that willingness to display belligerence in the cyber realm that sets Iran apart," says Jen Weedon, a manager in the threat intelligence division at the cyber-security firm Mandiant.
There's another reason for the US and others to be wary of Iran as a growing cyber-threat. Iran is believed to be learning from the cyber-attacks against its own operations – and is actively reverse engineering them, some experts say.
Signs of this emerged in May 2012 when an Iranian cyber-engineer, Morteza Rezaei, an automation expert at NEDA Industrial Group in Tehran, published his analysis of defending against Stuxnet in Control Global, a US online publication.
"It shows they're very competent, they're knowledgeable, and they have access to all of the latest solutions," says Joe Weiss, an industrial control systems security expert who publishes Control Global. "It shows that they're capable of doing to us what they think we did to them."
Hayat Alvi, an associate professor of national security affairs at the US Naval War College, concurs.
"When the Stuxnet virus hit their nuclear facilities it was a huge shock," she says. "But clearly they've sent their tech savvy personnel to examine it and see what they can learn from it. I wouldn't be too surprised if we see something potent like that from them in the not too distant future."