Tracking Iran’s cyberterrorism

Updated 01 March 2019

Tracking Iran’s cyberterrorism

  • Tehran is stepping up its malicious online attacks, experts say — and Saudi Arabia is one of its main targets
  • In 2012, some 35,000 computers were affected by a major cyberattack against Saudi Arabia

DUBAI: Iran is one of the biggest threats in cyberspace, according to experts who warn that a global response is needed to repel its rising wave of cyberattacks on government and communications infrastructure worldwide.

The leading state sponsor of terror is extending its malign presence online, with Saudi Arabia among its main targets. Iran’s growing digital prowess is part of its “soft war” strategy to spy on adversaries and spread its rhetoric. 

“Iran is increasingly active and a growing cyber threat, though it isn’t the most sophisticated actor,” Michael Eisenstadt, Kahn fellow and director of the military and security studies program at the Washington Institute for Near East Policy, told Arab News. “But as past Russian hacking efforts in the US have shown, you don’t need to be technologically sophisticated to hack and then leak emails, causing embarrassment to adversaries.”

In recent months, cybersecurity firms and tech companies have exposed attacks linked to faceless enemies in Iran. 

“Cyber holds a certain appeal” for the country, Eisenstadt said. “Because of the difficulty attributing responsibility for cyber-attacks, it provides Tehran with a degree of deniability,” he said. “Perhaps most importantly, it allows Iran to strike its adversaries globally, instantaneously and on a sustained basis, and to achieve strategic effects in ways it can’t in the physical domain.”

Iran’s greatest adversaries are the US, Israel and Saudi Arabia “in that order,” Eisenstadt said. “In March 2018, the US government designated an Iranian entity, the Mabna Institute, and nine individuals associated with the institute, for operating a massive hacking and cyberspying operation that targeted hundreds of universities and companies in dozens of countries to steal proprietary data and academic research, presumably to help Iran’s own research and development efforts, to circumvent sanctions, and to compensate for its economic isolation. These activities had been going on for years.”

Joyce Hakmeh, a research fellow of cyber policy and co-editor at the Journal of Cyber Policy at the International Security Department at Chatham House, said Iran has been linked to several attacks in the Middle East, including in Saudi Arabia. One of the biggest attacks was identified in 2012, when an Iranian hacker group deployed the Shamoon computer virus to cripple thousands of hard drives at Saudi Aramco. “Everyone remembers the big attack against Saudi Arabia in 2012, which affected 35,000 computers. It was called the biggest hack in history at the time,” she said.

Eisenstadt said there were several attempted strikes on Saudi government and private sector entities using the Shamoon 2.0 malware in 2016 and 2017, and on Italy’s Saipem oil services firm (whose biggest customer is Saudi Aramco) in December 2018.

Hakmeh said while “attribution is a challenge” when it comes to cyber activity, a host of groups have been linked to Tehran’s terror online, including Magic Hound, MuddyWater, APT33, APT34, APT39, Cobalt Gypsy, Rocket Kitten and NewsBeef.

Collectively, these have targeted organizations across the Middle East in industries including finance, government, energy, chemicals and telecommunications.

A 2018 report by the Carnegie Endowment for International Peace noted: “While Iran’s offensive cyber operations have required modest resources to develop, they have allowed Tehran to project itself as an emerging cyber power able to cause significant harm to its adversaries.”

The report said: “As judged from the evidence of coordination between security agency actions and observed cyber operations, the campaigns of Iranian threat actors almost certainly have a direct relationship with government entities, specifically the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. Attempts to forecast the future of Iranian cyber operations are constrained by the secrecy on the part of the Iranian state about its activities and an uncertain geopolitical climate.”

Eisenstadt said when it comes to the biggest threats in cyberspace, the most formidable actors are Russia followed by China, North Korea and Iran. “Iran’s activities in the cyber domain generally serve its broader foreign policy objectives. In some cases, the goal might be to advance Iran’s propaganda line. In others, it might be to steal intellectual property and propriety information, in order to circumvent sanctions and benefit its own research and development efforts,” he said.

Hakmeh said countries, especially in the Middle East, need to build resilience against cyberattacks by sharing information, preparing strategies and educating people about good “cyber hygiene,” such as changing passwords. “While Iran for some years has been considered a third-tier threat, the threat is considerable. It’s a country to monitor, to keep on the map,” she added. “It doesn’t have the same capabilities as China, Russia or the US, but it has been able to be very destructive.” 

While Iran spreads fake news to support its rhetoric against Israel, Saudi Arabia and the US, its more serious attacks are geopolitically motivated, said Hakmeh. “Most of the attacks that Iran has been linked to are for espionage reasons to get a competitive advantage — Saudi Arabia’s petrochemical industry, for example, to see what technology it’s using — or to gain insight into Saudi Arabia’s military capacities so Iran can enhance its own,” she said.

Dr. Johannes Ullrich, dean of research at the SANS Institute, a US company that specializes in information security and cybersecurity training, said as Iran’s conflict with its neighbors grows, so has its presence on the dark web.

“Iran is believed to maintain a significant effort to conduct offensive cyber operations against its adversaries,” he added. “It may not be among the most sophisticated, but it’s very aggressive in applying the skills it has.

“One technique that has been employed in the attacks is domain hijacking. For this attack, an administrator’s password is used to alter settings for an organization’s domain. The attack itself is pretty simple, and the hard part is to get the administrator’s password. It isn’t clear how the administrator password was obtained in these cases, but typically phishing attacks are used. Overall these attacks aren’t terribly sophisticated, but the impact can be huge.”

Aside from hacks on government and company infrastructure, Iran has been linked to a global network of fake news websites. ClearSky, a Tel Aviv-based cyber tech security firm, recently issued a report linking Iranian propagandists to fake news sites in 28 countries that spread misinformation about their targets — chiefly in the Middle East and Asia — and advance Tehran’s ideological and geopolitical interests.

In recent months, FireEye, a US  cybersecurity firm, issued a warning about fake news sites and profiles on Facebook and Twitter that it believed were operated
by Tehran as part of its cyber-
influence campaign.  Such campaigns were also exposed by Twitter, which posted 1 million tweets generated by fake accounts. 

Facebook said it had deleted dozens of fake profiles. Just this month, the platform said it removed 783 accounts tied to Iran that appeared to be engaging in a manipulation campaign against people in almost 30 countries.

Still, experts at the Institute for National Security Studies in the US have said Tehran’s efforts have not been foolproof, with a report noting: “Use of Iranian contact data (such as phone numbers and email addresses), copied content and poor writing has led to their public exposure. Until then, however, Iran managed to reach many people … some contents were viewed by millions of views, and some earned responses by hundreds of thousands of surfers.”

Simone Vernacchia, cybersecurity and digital infrastructure advisory lead at PwC Middle East, said that while it is against his company’s policy to attribute cyberattacks to a specific “nation-state actor,” the firm had noted an “increase in disruptive attacks, which may be sponsored by a nation-state.”

Although there has been a big increase in investment in cybersecurity in past months, many Middle Eastern countries’ defense systems remain less advanced than those in the West, he said.

“A stronger collaboration among privately owned critical infrastructure and government defense systems, as well as a strong and periodically tested set of organizational and technical interfaces, would strengthen the ability to respond to crises,” he said.


Iran nuclear talks pause as diplomats confer with capitals

Delegations waiting for the start of a meeting of the JCPOA in Vienna, in December 2021. (AFP/File Photo)
Updated 56 min 19 sec ago

Iran nuclear talks pause as diplomats confer with capitals

  • Russia’s representative at the talks, Mikhail Ulyanov, said the meeting was expected to resume next week

VIENNA: Talks to salvage the tattered 2015 nuclear deal with Iran have paused while diplomats return to capitals for political consultations, European officials said Friday.

“January has been the most intensive period of these talks to date,” British, German and French negotiators said in a joint statement. “Everyone knows we are reaching the final stage, which requires political decisions.”

Russia’s representative at the talks, Mikhail Ulyanov, said the meeting was expected to resume next week.

The United States pulled out of the Vienna accord in 2018 under then-President Donald Trump and reimpose heavy sanctions on Iran. Tehran has responded by increasing the purity and amounts of uranium it enriches and stockpiles, in breach of the accord.

US President Joe Biden has signaled that he wants to rejoin the deal, which is still supported by Russia, the three European powers and China.


Syrian fighters search for Daesh sleeper cells near prison

Updated 28 January 2022

Syrian fighters search for Daesh sleeper cells near prison

  • About a half-dozen Daesh fighters surrendered Friday morning, among scores of militants hiding in a basement in the northern section of the prison
  • Daesh group's Jan. 20 attack on the prison was the biggest military operation by the extremist group since the fall of their self-declared caliphate in 2019

BEIRUT: US-backed Kurdish-led fighters searched Friday near a Syrian prison for Daesh group militants as dozens of armed extremists holed up in a small part of the jail, a Kurdish official said.
About a half-dozen Daesh fighters surrendered Friday morning, among scores of militants hiding in a basement in the northern section of the prison, according to Siamand Ali, a spokesman for the US-backed Syrian Democratic Forces.
He would not confirm or deny a report by the Britain-based Syrian Observatory for Human Rights, an opposition war monitor, that SDF fighters discovered the bodies of 18 of their comrades inside Gweiran prison, also known as Al-Sinaa prison, in northeast Syria on Friday.
Daesh group’s Jan. 20 attack on the prison was the biggest military operation by the extremist group since the fall of their self-declared caliphate in 2019. It came as the militants staged deadly attacks in both Syria and Iraq that stoked fears that Daesh may be staging a comeback.
The weeklong assault on one of the largest detention facilities in Syria has turned the city of Hassakeh into a conflict zone. The Kurdish-led administration declared a curfew and sealed off the city, barring movement in and out.
Thousands of people in Hassakeh were displaced in recent days because of the fighting.
The SDF claimed Wednesday it had regained full control of the prison — a week after scores of militants overran the facility. The attackers allowed some to escape but also took hostages, including child detainees, and clashed with SDF fighters in violence that killed dozens.
The SDF had said that between 60 and 90 militants were hiding out in the northern section of the prison.
Ali said the militants are in the basement of a two-story building and that those who remain inside are refusing to surrender. “Our units are surrounding the building and are trying to convince them to surrender,” he said.
The Observatory said SDF fighters are betting that more time will force Daesh militants to surrender as their food dwindles.
The Hawar News Agency, ANHA, an online Kurdish news service, reported that several automatic rifles, a rocket-propelled grenade and hand grenades were confiscated from the Daesh gunmen who surrendered Friday. It added that SDF fighters are conducting search operations in the prison as well as several Hassakeh neighborhoods in search for Daesh sleeper cells.
The SDF said about 3,000 inmates have surrendered since its operation to retake the prison’s northern wing began three days ago.
At least 300 foreign child detainees are believed to be held in the Gweiran facility. Thousands more, mostly under the age of 12, are held with their mothers in locked camps in other parts of northeastern Syria on suspicion of being families of Daesh members. Most countries have refused to repatriate them, with only 25 out of 60 countries taking back their children, some without their mothers.
The Britain-based Observatory put the death toll from the struggle at over 260, including over 180 militants and more than 73 fighters from the Kurdish-led force. At least seven civilians were killed in the fighting, the Observatory said.
The SDF said preliminary information put the force’s death toll at 35.


6 dead, 30 missing after migrant boat sinks off Tunisia

Updated 28 January 2022

6 dead, 30 missing after migrant boat sinks off Tunisia

TUNIS: At least six Africans trying to migrate to Europe died and an estimated 30 were missing in the Mediterranean Sea after their boat sank off the coast of Tunisia on Thursday, according to Tunisia’s Defense Ministry.
Tunisian naval and coast guard forces retrieved the bodies, rescued 34 survivors and are searching for the people listed as missing, the ministry said in a statement. The survivors told rescuers that the boat had 70 people on it and they were headed for Italy, the ministry said.
The boat had left from neighboring Libya and sank about 40 kilometers (24 miles) off the Tunisian town of Zarzis, near the Libyan border, it said.
The survivors included people from Egypt, Sudan and Ivory Coast, according to Mongi Slim, head of the Tunisian Red Crescent.
It’s the latest of several migrant boat sinkings in the region. The central Mediterranean route, which runs from North Africa to southern Italy, is the busiest and deadliest migration route to Europe. People travel from Libya and Tunisia in crowded boats and at the mercy of the smugglers they pay to get them across the sea.
About 60,000 people arrived in Italy by sea last year, and some 1,200 died or disappeared on the journey, according to the United Nations refugee agency.
The Tunisian Defense Ministry said authorities thwarted eight boat migration trips in the last 48 hours off the coast of the city of Sfax, and 130 people from Tunisia and sub-Saharan Africa were detained.

Rockets hit Baghdad airport compound

Updated 28 January 2022

Rockets hit Baghdad airport compound

  • US air base, known as Camp Victory, is located around the perimeter of Baghdad’s civilian airport

BAGHDAD: At least three rockets landed in the Baghdad International Airport compound and near an adjacent US air base, damaging one disused civilian aeroplane, Iraqi police sources said.
The police sources did not report any other damage or any injuries. The damaged aircraft was an out of use Iraqi Airways plane, they said.
The US air base, known as Camp Victory, is located around the perimeter of Baghdad’s civilian airport.
Rocket attacks which US and some Iraqi officials blame on Iran-aligned Shiite militia groups who oppose the US military presence in the region have regularly hit the complex in recent years.


Coalition says target in Saada airstrike was a Houthi special security camp

Updated 28 January 2022

Coalition says target in Saada airstrike was a Houthi special security camp

  • Coalition spokesman slams Houthis for peddling misleading information
  • Joint Forces Command ready to present facts to UN Humanitarian and Red Cross teams

RIYADH: The Coalition to Restore Legitimacy in Yemen on Friday denied targeting a prison in Saada and accused the Houthi militia of trying to mislead the public.

Houthi officials on Thursday claimed that coalition air strikes last week killed around 90 people and wounded more than 200 at Saada prison.

In a statement carried by the Saudi Press Agency, Coalition spokesman Brig. Gen. Turki Al-Malki said the targeted location was a Houthi special security camp, which is a "legitimate military target". 

Al-Maliki cited a report of the Joint Incidents Assessment Team (JIAT) dated January 27, 2022, after investigating the Houthis' claim.

The statement said there are four locations identified as prisons in the Joint Forces Command’s No Strike List (NSL) in Saada, all of which are being used by the "terrorist Houthi militia" in launching "cross-border attacks to target civilians and civilian objects."

The closest prison is located 1.8 kilometers away from the site targeted in a coalition air strike.

"What was announced and disseminated by the terrorist Houthi militia in its media outlets is a blatant attempt to mislead the public opinion regarding the true nature of the location in an attempt to garner sympathy from UN organizations and INGOs," Al-Maliki said in the statement.

He assured that the Joint Forces Command "applies the highest targeting standards."

The Coalition said it is prepared to shed light on the issue with representatives of the UN Office for the Coordination of Humanitarian Affairs (OCHA) and Red Cross.

"The terrorist Houthi militia bears the full responsibility in case it uses civilians as human shields in its military locations," Al-Maliki said.

Fighting has escalated in recent weeks, with more air strikes on what the coalition says are Houthi military targets.

The Iran-aligned Houthi movement has stepped up missile and drone attacks on the United Arab Emirates and cross-border launches on neighbouring Saudi Arabia.

The coalition had previously accused the Houthis of using civilian centers as a shield against legitimate strikes.

Related