There are some surprising aspects to the recent U.S. cyberattack on an Iranian database, but the fact that it occurred is not one of them. The attack, at least on the surface, was straightforward. U.S. intelligence somehow got a foothold on a network associated with Iran’s Revolutionary Guard. The group associated with this network was, according to an article in the New York Times, responsible for the seizure of oil tankers in the Persian Gulf. The article further states that the initial attack occurred on the same day that Iran shot down an American drone, June 20th. Apparently, the attack destroyed or thwarted access to data that would have helped this group stage future attacks on tankers. That’s about it.
For most readers, that would be the end of the story, but much remains unstated here. First of all, it’s unlikely that the attack on this agency began on June 20th. Most likely, U.S. intelligence had already penetrated this network and was simply hiding and lying in wait for the correct moment to initiate the attack. The malware may have been there for months or even years. But when the correct time came, it could be deployed instantly, at literally the touch of a button.
This raises the question: Where else in Iran’s military, political, economic, and social infrastructure has the U.S. already penetrated? The answer: Probably most of it. There are numerous cyberattacks lying in wait, but few will ever be deployed. Why? Because Iran has similar potential attacks hiding within U.S. infrastructure. U.S. intelligence routinely finds some of these, but infrastructure networks are far too vast to find them all. In other words, every attack by any country is calculated in accordance with the attacker’s ability to withstand a proportionate counterattack.
To show its confidence in this respect and its belief in its cyberattack advantage, the U.S. actually, and quite surprisingly, admitted to being behind the attack. The first admission dates from June 23rd, though few details were given at the time. According to a Pentagon spokesman quoted by the Times, “As a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning.” But, apparently, in this new release, they have overridden that policy.
Such an admission to a cyberattack goes against all norms of cyberattack behavior. One of the key aspects of these attacks is the uncertainty of attribution. You may be 90% sure that the U.S. was behind a cyberattack on your country, but there is a 10% chance you may be wrong. Do you really want to take the chance of an overwhelming response to any counterattack you may make? Nation-state attackers work very hard at obfuscating the origins of an attack. They do this by entering foreign-language remarks in the code or by routing the attacks through other adversarial nations. They may also try to emulate the cyber behavior of well-known attack groups. Yet here we have the U.S. openly accepting responsibility for the attack as well as giving some details. Why would they do that?
The initial admission could have served as a shot across the bow: “Look what we can do, so don’t try anything like this again.” But why release more details? The official version is that they wanted “to quell doubts within the Trump administration about whether the benefits of the operation outweighed the cost.” That seems like an insipid excuse. If the argument was within the Trump administration, how will making this public solve anything? No, it seems more likely that they wanted to let Iran know what specifically they targeted with their attack. Along these lines, they seemed to want to clarify, and possibly emphasize, that they did not target missile launching facilities, but more on that later.
Another reason for this disclosure could be that those in control of the malware believed Iran was close to recovering its downed network. Most good malware has a kill switch. If it looks like the victim is getting close to discovering the breach, a kill switch is activated that removes any trace of the malware from the compromised network. It therefore becomes difficult to say who was behind the attack. I can’t believe this malware didn’t have a kill switch. It’s more likely that the U.S. wanted the Iranians to know they were behind the attack.
But, according to the New York Times, the Iranians have yet to fully recover from this attack. In addition, the attack seems to have brought down some communication networks. This could have been unexpected collateral damage. In other words, it may have been more devastating than U.S. intelligence predicted it would be. That’s a bit dangerous because it could lead to a disproportionate response from Iran. In that case, it is better to admit to being behind only the initial attack, which targeted only databases.
However, in its June 23rd article, the Times claimed that Iranian rocket and missile launch systems were targeted. This information apparently came from a source within the Pentagon. In this article, the Times remarked that, “determining the effectiveness of a cyberattack on the missile launch system is particularly difficult. Its effectiveness could be judged only if Iran tried to fire a missile and the launch failed.” This seemed to be preparing us to watch the next Iranian missile launch and see whether the cyberattack on the launch site had been effective.
Iran tried to launch a rocket on August 29th. The rocket exploded due to what the Iranians referred to as “technical issues.” They placed no blame on the U.S., which had, two days before, released information saying that it was not attempting to stage a cyberattack against Iran’s missile and rocket launching system. This all seemed rather suspicious and appeared as if the U.S. may have known of the upcoming launch and the potential for its failure. It seemed as if they were distancing themselves from the failed launch. This despite the widely known fact that U.S. intelligence had been targeting Iranian rocket and missile launches since the George W. Bush administration.
On August 30th, one day after the failed launch, President Trump tweeted a photograph of the exploded site which seemed to have been taken by a remarkably well-timed drone or other aircraft pass. It seemed as if U.S. intelligence had been monitoring this launch all along. A similarly well-timed commercial satellite photo showed the site just after the explosion. And, although Iran never blamed the failure on the U.S., President Trump emphasized that “the United States of America was not involved in the catastrophic accident during final launch preparations for the Safir SLV Launch at Semnan Launch Site One in Iran.” This alone seemed to hint that maybe the U.S. really was behind the failed launch. If I were a betting man, this is the position I would take.
There is, apparently, some concern in U.S. cybersecurity circles that Iran, once it gets its networks back, will reverse engineer these cyberattacks and fix the pre-existing vulnerabilities they exploited. Iran could also learn how to compose a similar attack architecture that it could employ against its own adversaries. Something like this happened after Iran was hit by the infamous Stuxnet worm in 2010. Two years later, Iran attacked Saudi Aramco with the sophisticated Shamoon virus. According to a top secret NSA report released by Edward Snowden, these two events were related.
The recent U.S. announcement taking credit for the attack on the Iranian intelligence group’s database, coupled with the suspicious circumstances surrounding the failed Iranian rocket launch, is as close to declaring cyberwar as the U.S. has ever come. A true declaration of cyberwar would be admitting to implanting malware that brought down this and two previous launches. Iran might just be saving face by not wanting to give the U.S. credit for bypassing its cybersecurity defenses. It will most certainly launch a cyber counterattack. If Iran takes credit for such a cyberattack, or if the U.S. admits to actively working to bring down Iran’s rocket launching capabilities, we can assume that cyberwar has been declared. No doubt many in the U.S. cybersecurity community are now preparing for this eventuality.