US and Gulf partners must be ready for Iranian cyberattacks
A cyberattack was launched against Gulf computer networks late last month. The nature of the attack indicated that it was a long time in the making — the attackers had apparently gained access to the targeted networks months earlier and lain dormant until Dec. 29, when the malware was launched, in the form of a “wiper” that erased data on the systems it was able to penetrate.
Cybersecurity experts believe this attack came from Iran, as it was almost identical to cyberattacks Tehran had launched in the past. After the escalation in US-Iran tensions following attacks by pro-Iran militias on US forces in Iraq and the killing of Maj. Gen. Qassem Soleimani on Jan. 3, many expect that Iran might further escalate its cyberwarfare against the US and its Gulf partners.
The recent attack was the latest in a long string of cyberattacks launched by Iran against networks in the Gulf Cooperation Council (GCC) and elsewhere. It should persuade the US and its GCC partners to accelerate their cybersecurity cooperation. The first GCC-US summit in May 2015 identified cybersecurity as a major area of cooperation. A GCC-US Cybersecurity Working Group was set up to augment bilateral cybersecurity cooperation between the US and individual member states. The collective effort is particularly useful for training and the sharing of cybersecurity knowledge and best practices, as well as discussing common cyber threats emanating from Iran in particular.
In August 2012, a large-scale cyberattack was launched by a group believed to be working for Iran, using the Shamoon virus, which targeted Saudi Aramco and other GCC oil and gas companies. The attack infected tens of thousands of workstations and caused disruptions in their work that lasted for days. Experts at the time described that attack as the biggest hack in computer history. Shamoon was later used in other cyberattacks in November 2016 and January 2017.
The cyberattack on Dec. 29 had a limited impact compared to the 2012 attack, in part because Gulf cybersecurity agencies have acquired important experience in dealing with Iran-sponsored attacks. The new method of attack, called “Dustman,” contains multiple malicious files, including a wiper, which destroys data. It is believed to be a variant of malware that had been used in data-wiping attacks against industrial organizations in the Gulf last year. IBM, which uncovered that attack, attributed it to APT34, a hacking group associated with the Iranian government.
CrowdStrike, a US-based cybersecurity company, reported that the new malware was “consistent with Iranian capability and operations going back to 2012,” in a reference to the attack on Saudi Aramco. “It’s the latest variant in a line of wiping tools that’s meant to cause data disruption and destruction.” It compared Iran’s cyberattacks to Russian hackers’ attacks on Ukrainian targets.
It is a mistake to link the recent cyberattack to the current US-Iran standoff or to the Trump administration’s maximum pressure policy, because such cyberattacks are nothing new. While the 2012 cyberattack against Aramco and other oil companies was the largest, it was neither the first nor the only such attack; cyberattacks are an essential component of Iran’s military arsenal. When a country, such as Iran, is not capable of launching successful conventional attacks — such as by planes, tanks or warships — against its adversaries, it resorts to unconventional or asymmetric warfare tactics. Iran has excelled at using terrorism, sectarian-based militias and cyberattacks to advance its political ambitions. Immediately following the 1979 revolution, it started its destabilizing activities against its neighbors and harassment of US forces with the aim of driving them out of the region.
Tehran’s asymmetric arsenal has now grown to include cyberwarfare as an important component. We should not expect Iran’s cyberattacks to be limited to the Gulf region. After the Dec. 29 cyberattack, and especially following the killing of Soleimani, US systems went on high alert to thwart Iranian-sponsored cyberattacks against the US. Many recalled a 2013 incident in which hackers working for the Iranian government gained access to the computer controls of a small dam north of New York City, while also launching cyberattacks against dozens of large US financial institutions, blocking customers from accessing their accounts online.
Earlier this month, US Homeland Security warned American companies to consider and assess the possible impact Iranian cyberattacks could have on their business. Cyberattacks from hackers sympathetic to Tehran have increased in the wake of Soleimani’s death, but these can inflict only limited damage. What is more alarming is the cyberwarfare undertaken by the Iranian government, which could try to take control of or damage critical infrastructure. It could also be used to disable military defenses.
The nature of cyberwarfare occasionally makes it difficult to definitively attribute a particular attack to a specific government, as the perpetrators could use false flags or employ distant hacker groups with no direct link to them. Certain cyberattacks can be construed as acts of war and, as such, governed by the Geneva Conventions, which bar the targeting of civilian infrastructure or causing massive civilian collateral damage. However, international law jurisprudence in this new area is evolving to deal with the difficulty of assigning state responsibility in such attacks, especially given the secrecy involved in assessing damage or providing evidence. The Geneva Conventions on the rules of war and their additional protocols were written long before cyberattacks were ever contemplated, and new additional rules need to be worked out to shield civilian targets from such attacks and set the criteria for calibrating a response. The response could be in the form of cyberwarfare or by employing conventional weapons.
Iran’s escalation of cyberwarfare, as evidenced by the attack on Dec. 29, requires the US and its regional partners to re-energize their cybersecurity cooperation and raise it to the level necessary to meet the challenges emanating from Tehran. The GCC-US Strategic Partnership and the new Middle East Strategic Alliance both provide suitable frameworks for such cooperation to address all the important issues related to cybersecurity.
- Abdel Aziz Aluwaisheg is the Gulf Cooperation Council’s assistant secretary-general for political affairs and negotiation, and a columnist for Arab News. The views expressed in this piece are personal and do not necessarily represent those of the GCC. Twitter: @abuhamad1