Threat Intelligence / OSINT / NETSEC / NATSEC

Contract cyber - Iran and its way of conducting cyber operations

When we think of cyber operations conducted on behalf of, or under the direction of, a government, we usually think of intelligence agencies and military units. The NSA, GRU, MSS or PLA are examples of professional government organizations that employ officers to implement state policy by cyber means. However, there is a country that is equally active in this space, and which conducts perhaps even more aggressive operations than China or the USA, but uses a completely different organizational scheme. That country is Iran, and the subject of this article is how it combines independent groups, private organizations and elements of its intelligence agencies. Iran is far less wealthy than the other countries known for spectacular operations, such as the United States or Russia. It should come as no surprise, however, that the state is so interested in building cyber capabilities: Iran itself was the target of one of the most spectacular computer network attacks (CNAs) to date, Stuxnet, attributed to the US and Israel, which hit its uranium enrichment facilities in order to slow down the nuclear weapons program. Thanks to its mixed organizational structure and bottom-up initiatives, Iran is often mentioned in the same breath as the countries named above when it comes to the pace or scale of its actions and, as the saying goes, "punches above its weight". So let's take a look at what distinguishes the Iranian way of conducting operations and what kind of activity it produces.

Because it has to confront much better resourced countries, Iran emphasizes asymmetric means of fighting. Examples include its involvement in conflicts through third parties acting in Iran's interest, such as assistance to Kurdish militias during the Iran-Iraq war and support for Hezbollah or for Palestinian militias in the Gaza Strip. Similarly, its cyber capabilities do not rely on an integrated apparatus of government agencies to the extent they do in the US, China or Russia. Of course, those countries also benefit from the help of the private sector, in particular in training and tool development. In the case of Iran, however, non-governmental entities operate far more autonomously, often on their own initiative, conducting operations in line with the state's political line.

Iran uses a multi-level structure consisting of government agencies, subcontractors affiliated with research institutions, network security companies and Internet forums. According to the Recorded Future report, this division was the result of the need to build cyber capabilities quickly, for which market mechanisms were used. People unofficially linked to the government in Tehran and to the Islamic Revolutionary Guard Corps (IRGC) assigned tasks to subcontractors, but payment was made only when the set goals had been met. Subcontractors competed for rewards and for good relations with their principals; this translated into more orders and meant that the best teams stayed on the market. In selecting collaborators, Iran was guided by faithfulness to the ideology of the state (which was sometimes more important than the abilities of a given group) and by a division of responsibilities. Subcontractors were given tasks covering only one part of an operation, such as creating tools or infrastructure, so the work of several groups was usually necessary to complete it. Somewhat as in the case of China, many people who later decided to work with intelligence started out on internet forums that brought together a community of people interested in security. In Iran, the leading forum of this kind was Ashiyane, run by the Ashiyane Digital Security Team, a company working for the IRGC. The community around the forum exchanged information on IT security and defaced competing forums. Soon, however, the defacements also took on an ideological character, and the activity attracted the attention of the authorities, who used the efforts of young Iranians for propaganda purposes.
The Ashiyane Digital Security Team itself was responsible for vulnerability analysis, but at the same time it was involved in ideologically motivated attacks on the websites of organizations that did not support the regime in Tehran. The attacks hit institutions both in the West and in the Middle East. As for the ideological commitment of the company and the forum's participants, Ashiyane's president, Behrooz Kamalian, claimed that the forum was independent of the company, but at the same time openly admitted that its activities were always in line with the goals of the Iranian government and that the company cooperated with the Iranian military. The forum ceased operations in 2018, allegedly because of its involvement in gambling activities.

The network-based approach has its pros and cons, but from Iran's perspective it primarily provides access to a larger pool of personnel and resources, enabling frequent operations and a more flexible pace of action. As for the sophistication of methods and means, independent entities seem to be sufficient to carry out offensive actions that produce visible, media-friendly results. As an example, we can recall operation "Ababil", conducted by the "Izz ad-Din al-Qassam Cyber Fighters" group. Using simple DDoS attacks, they disrupted the websites that financial institutions used to serve their customers. More light was shed on these events by the indictment unsealed in March 2016 against seven Iranians involved in cyber operations against entities in the United States. In it, the US prosecutors named two Iranian companies, ITSecTeam and Mersad, said to be sponsored by the IRGC. According to the document, the DDoS attacks cost the institutions tens of millions of dollars; more interestingly, one of the defendants was also said to have accessed the SCADA systems of the Bowman Avenue Dam in New York state. That operation, however, was cut short by scheduled maintenance work during which the controllers had been disconnected from the network. The case shows how the use of private entities as an instrument for expanding the scale of operations translates into both destructive and intelligence operations.

The alternation between high-profile but simple attacks and long-term intelligence activity is also characteristic of Iran's cyber operations. Examples of destructive operations are many, starting with the attack on Sheldon Adelson's casinos, through the Shamoon wiper that hit Saudi Aramco's systems, up to the attacks on Albania. Iran's activities have often taken the form of simple retaliatory attacks. The way they were conducted did not indicate advanced capabilities, but was sufficient to achieve the goals of imposing costs on the victims and of highlighting Iran's capabilities in the public mind. The history of the Shamoon malware shows the effectiveness of simple tools. In addition to the aforementioned attack on Saudi Aramco, it was also used in 2016 and 2018. In 2016 a second version, Shamoon 2 (whose wiper component is also tracked as Disttrack), was observed, and in 2018 a third version again attacked companies in the oil and gas sector. The malware evolved to some extent, but even its first version managed to hit the critical infrastructure of a hostile state. On the other hand, recently observed intelligence operations show quite a different kind of activity. In July 2021 Proofpoint published a report describing a long-term campaign in which the attackers impersonated researchers from the School of Oriental and African Studies (SOAS) at the University of London. The attackers not only conducted lengthy correspondence to gain the victim's trust, but also used the compromised SOAS Radio website to host a phishing form that harvested logins and passwords. Similarly, in September 2022 Mandiant described the APT42 group, whose operators also ran social engineering campaigns posing as journalists or researchers, using the relationship they had built to convince the victim to open a PDF file that redirected to a phishing site.

Another noteworthy example is the case of Monica Witt, indicted together with, among others, Behzad Mesri. Witt was a U.S. Air Force veteran who defected to Iran in 2013 and began providing confidential information about U.S. military operations, as well as preparing targeting packages. Mesri, in turn, carried out intrusions as part of the campaigns tracked as Charming Kitten and was responsible, among other things, for the hack of HBO. His exact relationship with the Iranian government is not fully known; John Hultquist has described him as a subcontractor rather than a moonlighting officer carrying out orders for the IRGC. Reading the indictment leads to a similar conclusion: it states that Mesri registered a company in Iran that worked for the IRGC. The document does not explicitly say what Witt's connection to the cyber operations was, but we can infer it to some extent from the content of the allegations. Witt was accused of searching Facebook for people working for the US government and preparing information packages on potential targets. The description of the cyber operation shows that the attackers began contacting victims on Facebook by sending them friend requests. It is therefore very likely that the targets were people with Facebook accounts selected by Witt. This story shows how the outsourcing of cyber operations is intertwined with classic intelligence work. According to information disclosed by the New York Times, Witt was recruited by Marzieh Hashemi, an American-born journalist working for Iranian media. Hashemi appears as "Individual A" in the indictment, where Individual A is described as acting in a manner consistent with working for the Iranian intelligence services.
So if we assume that Hashemi worked for a government agency, we can see that Iran is willing to combine the work of intelligence agencies and private subcontractors, including passing information obtained by the classic intelligence apparatus on to private subcontractors.

Iran is certainly one of the most active, most high-profile and most interesting players in terms of cyber capabilities. It is particularly noteworthy that limited organizational resources translate into a very wide spectrum of operation types. Unlike China or the US, which are known primarily for their advanced intelligence activities, Iran, with fewer capabilities, has to be guided by a utilitarian calculation of what can be achieved with less advanced methods. Although many of its operations were clearly retaliatory in nature and used simple tools, it is impossible not to notice the development. Long-term intelligence activities, including building relationships with victims and using compromised infrastructure, show how Iran is positioning its capabilities for a wide range of activities.
