In the wake of the biggest protests Iran has seen since the 2009 Green Movement, Iranian hackers have moved back into the spotlight. A report published by the Carnegie Endowment for International Peace in early January 2018 details how Iran has been building and deploying its capabilities. In the past decade, Iran has become one of the most aggressive states to wield offensive cyber capabilities, both at home and abroad. Part of Tehran’s strategy has been to use hackers detached from the state as proxies.
How Tehran managed to acquire these capabilities in such a short period of time, and how it uses them, is important for understanding what the future might hold for both Iran and the more than 30 countries known to be pursuing offensive cyber capabilities.
To understand how Iran uses cyber proxies, it’s important to understand how Tehran thinks about cyber security in the first place.
When Iranian officials worry about “cyber war,” they are thinking of Stuxnet, the malware that targeted the country’s nuclear facility in Natanz, or the “Internet in a suitcase” – a tool designed to provide net access that circumvents government censorship.
Unlike the view held by the United States and most other Western countries, Tehran’s view of information security is more expansive, focusing not just internally on dissidents but externally on regional rivalries and geopolitical conflicts. This world view also spills into how proxies are leveraged.
Unprecedented insight into a state-sponsored Iranian cyber operation was provided when the U.S. government decided to unseal a 2016 indictment of several Iranian hackers. The seven men, aged 23 to 37, are accused of trying to bring down the systems of some of the world’s largest financial institutions in 2012 with massive distributed denial of service (DDoS) attacks.
What is remarkable about this episode is that the hacker pseudonyms used by Sadegh Ahmadzadegan, Omid Ghaffarinia and Nader Seidi mentioned in the indictment all appear on a hacker forum where the three publicly boasted about their web defacements until March 2012, only a few months before they joined ranks with the others to launch the DDoS attacks. Once they joined, the DDoS attacks escalated, “transforming the equivalent of a few yapping Chihuahuas into fire-packing Godzillas.” In other words, their collaboration with the other three Iranians mentioned in the indictment – who maintained ties with the Islamic Revolutionary Guard Corps (IRGC) according to the indictment – was crucial to amplifying the effect of this operation. Importantly, in addition to Tehran’s proxies targeting systems abroad such as the DDoS attack against financial institutions in the United States, regime-friendly hackers are also targeting dissidents within Iran.
Tehran’s use of hackers as proxies is not that different from how the Iranian government has leveraged non-state actors in the past to further its political objectives. When thousands of students amassed in front of the U.S. embassy in 1979, their ringleaders initially acted independently, but their actions were subsequently endorsed and supported by the Iranian leadership. Tehran has been nurturing these relationships through the Basij, Iran’s volunteer paramilitary group, and the IRGC ever since. It should then come as no surprise that the regime is now replicating this model with regard to its offensive cyber capabilities.
Similar to Iran, other governments around the world are using non-state actors to build and project power through cyberspace. James Clapper, the former U.S. Director of National Intelligence, warned a year ago that more than 30 countries are now developing offensive cyber capabilities. However, how governments structure those relationships and their level of control varies widely and depends on how they conceptualize cyber threats.
For example, there have long been rumors that Russian intelligence services work with cyber criminals and provide them with a safe haven as long as they do not target victims in Russia. Another indictment by the U.S. government, unsealed in early 2017, substantiated these rumors and provided a more detailed account of how these relationships work. According to the indictment, the Federal Security Service of the Russian Federation – popularly known as the FSB – worked with a known cybercriminal to hack Yahoo. This cybercriminal is on the FBI’s Cyber Most Wanted list and managed to escape to Russia instead of being extradited to the United States. The hack became one of the largest data breaches in history. The two FSB officials allowed the cybercriminal to make money on the side through various scams in parallel to supporting the FSB.
The Iranian example not only illustrates the growing web of proxy relationships emerging between states and hackers but also highlights how different approaches inform the use of cyber capabilities. The significant progress Iran has made within the last decade alone hints at what to expect from the increasing number of countries pursuing offensive cyber capabilities. The low cost of developing and using hacking tools, the available pool of non-state actors that can be leveraged for this purpose, and the prevalence of vulnerabilities waiting to be exploited suggest that cyber incidents will continue to make headlines.