Iran’s Military Response May Be ‘Concluded,’ but Cyberwarfare Threat Grows

Cybersecurity experts are seeing malicious activity from pro-Iranian forces, and warning that Iran has the capacity to do real damage to American computer systems.

A billboard of Maj. Gen. Qassim Suleimani is displayed in Tehran. The Department of Homeland Security is warning that Iran has the resources to wreak havoc on computer systems in the United States. Credit...Arash Khamooshi for The New York Times

WASHINGTON — Iran’s declaration on Wednesday that a missile attack on Iraq had “concluded proportionate measures” against the United States in response to the killing of its most important general may amplify the Trump administration’s attention on computer systems as the next battlefield in its showdown with Tehran.

Cybersecurity experts and government officials are already monitoring an uptick of malicious activity by pro-Iranian hackers and social media users that they believe are harbingers of more serious computer attacks from Tehran, including possible efforts aimed at destroying government databases.

“Iran has the capability and the tendency to launch destructive attacks,” said Christopher C. Krebs, the director of the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s computer security arm. “You need to get in the head space that the next breach could be your last.”

A battle cloaked in computer systems is more in keeping with Iran’s history of attacking the United States and its allies by clandestine means or through proxies. And mischief-making has already begun. In recent days, hackers have defaced government websites and pursued divisive disinformation campaigns on social media. Members of Iran’s Miqdad Cyber Base have used official state texting channels to threaten retaliatory strikes on the United States and Israel after the targeted killing of Maj. Gen. Qassim Suleimani.

The cybersecurity firm CrowdStrike warned customers in an alert obtained by The New York Times that it observed hackers supporting Iran’s Islamic Revolutionary Guards Corps deface local websites boosting the cities of Minneapolis and Tulsa, Okla., with images honoring General Suleimani. Over the weekend, hackers claiming to be associated with Iran replaced the home page of the Federal Depository Library Program, a division of the Government Publishing Office, with a doctored image of a bloodied President Trump getting punched in the face.

An adviser to Iran’s president, Hassan Rouhani, in a series of messages on Twitter, posted a link to Mr. Trump’s properties and said: “Our sole problem is Trump. In the event of war, it is he who will bear full responsibility.”

The public should be prepared for worse, Mr. Krebs said in an interview. Iran has the ability to not only access private-sector and government computers in the United States, but to “burn down the system,” he said.

“This is a capable actor that has demonstrated prior capability in the region,” Mr. Krebs said. “They’re known to be pretty aggressive.”

While most of the activity so far has been limited to anti-Trump threats on social media and government websites, cybersecurity experts have said that true retaliatory attacks could still be coming. A member of a chat group supportive of Iran’s Islamic Revolutionary Guards Corps told members to “await a final decision” from Iran’s leadership before launching attacks. The hackers of the federal library site included a message with their defacement that warned it was “only a small part of Iran’s cyberability.”

Members of Iran’s Islamic Revolutionary Guards Corps in 2018 during a military parade in Tehran. Credit...Agence France-Presse — Getty Images

Former and current government officials predicted that Iran’s first method of retaliation would be a physical attack. On Tuesday, Iran fired more than a dozen missiles at two bases housing American troops in Iraq. Mohammad Javad Zarif, Iran’s foreign minister, said after the attack that Iran “concluded proportionate measures in self-defense.”

Mr. Trump responded on Wednesday by announcing new economic sanctions against Iran. Jamil N. Jaffer, the executive director of the National Security Institute at George Mason University’s law school, said the Iranians would not want their next move to provoke a large-scale retaliation from the United States. It could be more difficult for the United States to point to the culprit of an attack on computer systems.

“Conducting terrorist attacks and killing people is binary,” Mr. Jaffer said. “On the other hand, cyberattacks can be ratcheted up and down dynamically. As a result, cyberattacks give the Iranians more room in the event they want to engage in a further response.”

Tehran’s abilities are much more advanced than they were in 2009, when a classified United States intelligence assessment concluded that Iran had the motivation to inflict harm but lacked the skills and resources to do so.

Since then, Iranian hackers used data-destroying malware to target 30,000 computers at Saudi Aramco, the world’s largest oil company, destroying Aramco’s data, replacing it with the image of a burning American flag and upending the market for computer hard drives as a result. Iranian hackers took American banks offline in 2013 by flooding them with traffic in a so-called denial-of-service attack.

They also destroyed data on thousands of computers at the casino and resort company Las Vegas Sands Corp., after its chief executive, Sheldon G. Adelson, a Republican megadonor, suggested that the United States bomb Iran.

Video transcript

Cyberconflict: Why the Worst Is Yet to Come

Despite the devastation cyberweapons have caused around the world over the last decade, they are still in their infancy. David E. Sanger, a New York Times national security correspondent, explains why the threat is growing.

Cyberconflict right now, at this very moment, is like this airplane. It was the first military airplane that was ever built — back in 1909. But in just a few decades, planes would be capable of destroying entire cities. Right, so when we talk about cyberweapons, we’re still basically in 1909. “That’s why you have to have some humility about what’s going to happen in the world of cyberconflict.” David, here, is a national security correspondent for The Times, and he’s written a book about cyberconflict. It seems like we’re hearing more and more — “One of the worst cyberattacks ever.” — about state-sponsored cyberattacks. “Occasionally, there are going to be breaches like this.” “And this weapon will not be put back into the box.” “We have more to lose than any other nation on earth.” So, we really wanted to find out just how bad things are. And how bad they could get. Should we be afraid? “Yes, you should be afraid, but not for the reason you think — not because somebody is going to come in and turn off all the power between Boston and Washington. You should be worried about the far more subtle uses of cyber.” For example, not an overt attack on U.S. troops, but instead, maybe hacking into military health records and switching around people’s blood types. It still causes havoc. “Think terrorism —” “About a third of the building has been blown away.” “— instead of full-scale war.” “Why do you call it the perfect weapon?” “Because it’s deniable. If you can’t figure out right away where the attack’s coming from, you can’t really retaliate.” Plus, you can fine-tune the strength of cyberattacks. You can make them just strong enough to do real damage, but not so strong that they trigger a military response. “It’s cheap compared to, say, nuclear weapons. You just need some twenty-somethings who are good at programming, a little bit of stolen code and maybe some Red Bull just to keep them awake during the night.” That’s why cyberweapons have only just begun to spread. 
“And cyber is the perfect weapon for a country that’s broke.” “And we can confirm that North Korea engaged in this attack.” Take that time North Korea hacked into Sony — “Because of a satirical movie starring Seth Rogen and James Franco.” What if they didn’t have cyberweapons? “Maybe they would have landed some commandos at Long Beach, called an Uber, stuck some dynamite underneath the Sony computer center and run like hell.” So really, North Korea’s only option was to use cyberweapons. But it wouldn’t be so easy for the U.S. to hit North Korea’s cybernetworks. “They have fewer IP addresses — Internet Protocol addresses — in North Korea, than you have on any given block of New York City.” Still, we wanted to know who’s the best at cyberconflict. “Russia, China, Iran, they use it regularly to advance their political agendas. The Russians to disrupt, the Chinese frequently to steal information, the Iranians to show that they can reach the United States.” “How good or bad is the U.S. at this stuff?” “Among the very best at cyberoffense. The problem is that while we’re good at offense, we’re the most vulnerable in the defensive world because we’ve got so many networks that form such a big target. The United States has 6,200 cybersoldiers.” “Are these people sitting in military fatigues behind a computer?” “They are sitting in military fatigues behind a computer. But the Russian hackers, or the Chinese hackers, may not be in uniform. They may be in blue jeans. They are probably sitting at the beach somewhere — someplace that’s got a really good internet connection.” All this cyberconflict really kicked off in 2008. Right, that’s when the U.S. and Israel attacked Iranian nuclear facilities. “It was the most sophisticated use of cyber by one state against another, and it opened up the Pandora’s box.” And remember — it’s still only the beginning.
“We haven’t seen a full-blown war, and we don’t know what one looks like.” “What’s the most challenging part about covering this beat?” “The hardest part about covering the state use of cyber, is the enormous secrecy that the U.S. government wraps around it. But we’ve hit the point where the secrecy has actually begun to impede our ability to deter attacks. Because others don’t understand what we can do to them, and what we’re willing to do to them. In other words, we’re not setting any red lines out there.”

Credit...Illustration by Aaron Byrd

Mr. Krebs hosted a call last Friday with more than 1,700 members of the private sector and state and local governments, encouraging them to back up their data on storage sites not connected to the internet and to alert security personnel to be on the lookout for signs of breaches in their computer systems. While hackers have conducted attacks for ransom, Mr. Krebs warned that future attacks could simply be to cause mayhem.

Mr. Krebs’s agency serves mainly to advise private companies and local governments of risks before attacks are launched. While the United States government can assist in the event of a breach, private computer security firms and the companies themselves are expected to be able to handle the initial response and rebuild their networks.

Iranian hackers backed off from such destructive attacks in the lead-up to the signing of the Iran nuclear deal in 2015 and afterward. But Iranian hacking units never ceased; they moved to quieter espionage campaigns, with increasing sophistication.

After Mr. Trump backed out of the Iran nuclear deal in 2018, private security experts and American officials braced for a renewed campaign of Iranian computer warfare. At the time, Gen. Keith B. Alexander, the former director of the National Security Agency, told The Times, “With the nuclear deal ripped up, our nation and our allies should be prepared for what we’ve seen in the past.”

Last year, the Department of Homeland Security grew alarmed by a series of successful attacks on the Domain Name System, the internet’s underlying address-lookup system. Private researchers at FireEye and other security firms found a connection between the hackers and Iran.

The hackers stole thousands of credentials from telecommunications companies, government agencies and internet infrastructure companies in the United States, Europe and the Middle East. Months later, as private researchers noticed an uptick in Iranian hackings, the Department of Homeland Security’s cybersecurity division issued a statement warning that Iran was looking to do more than “just steal money and data.”

The division released a new advisory on Monday night, warning that “Iran and its proxies and sympathizers” have the ability to conduct disruptive computer attacks, espionage and drone attacks. Customs and Border Protection, another arm of the Department of Homeland Security that employs agents at ports throughout the country, has instructed officers to enhance security.

Over the past year, Iranian hackers have been quietly probing American infrastructure and government networks, according to private researchers and the United States Cyber Command, the Defense Department agency responsible for carrying out attacks on computer systems.

Iranian hackers may use their access to destroy databases, or they may choose to try to gain access to the electricity grid that powers Silicon Valley “as a way of saying, ‘You may want to retaliate, but there will be consequences,’” said Suzanne Spaulding, a former under secretary for cybersecurity and critical infrastructure at the Department of Homeland Security. “‘We’re sitting here with a gun to your head.’”

In the past, Iran has used Hezbollah and Hamas for cyberactions, said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, which gives Iran a degree of deniability should it retaliate with cyberattacks.

It has also had some misfires. In 2016, the Justice Department indicted several Iranian hackers for penetrating the controls of the Bowman Avenue dam in Westchester County, N.Y.

American officials had panicked that the incursion had been at the towering Arthur R. Bowman Dam in Oregon, where a breach could have been catastrophic. Instead, Iranian hackers hit a 20-foot-high structure, where a sudden water release could have flooded the ground floors of some houses, but not much more.

“They didn’t have situational awareness to realize they wouldn’t have any impact at all,” Ms. Spaulding said.

Zolan Kanno-Youngs reported from Washington, and Nicole Perlroth from San Francisco. David E. Sanger contributed reporting from New York.

A correction was made on Jan. 8, 2020

An earlier version of this article referred incorrectly to the legislative agency overseeing the Federal Depository Library Program, which experienced harassment at the hands of hackers associated with Iran. It is the Government Publishing Office, not the Government Printing Office, a former name for the agency. An earlier version also misstated the location of the Arthur R. Bowman Dam. It is located in Oregon, not Washington State. An earlier version also referred incorrectly to the organization at which James Lewis works. It is the Center for Strategic and International Studies, not the Center for Strategic Studies.


Zolan Kanno-Youngs is the homeland security correspondent, based in Washington. He covers immigration, border issues, cybersecurity, transnational crime and other national security threats.

Nicole Perlroth is a reporter covering cybersecurity and espionage. Before joining The Times in 2011, she reported on Silicon Valley at Forbes Magazine.

A version of this article appears in print on , Section A, Page 10 of the New York edition with the headline: Computers Are Expected To Be Next Battle Front.
