
iWar


by Bill Gertz


  The Iranians also searched online for information on U.S. facilities in Iraq and Afghanistan—which could be passed to the Taliban for use in attacks—along with information on vehicles, vessels, and individual leaders. The hackers used the Web Downloader open-source software program to gather vast amounts of data from multiple sources. Other Iranian institutions linked to the cyber spying were identified as the Amirkabir University of Technology (AUT) and Malek-Ashtar University of Technology (MUT) in Tehran, which focused on stealing data on unmanned aerial vehicles (UAVs) and autonomous underwater vehicles.

  “Information and countermeasures derived from the collection and analysis of this type of information have been incorporated into AUT and MUT research programs and capabilities,” the cable said, noting the AUT has had close ties to the IRGC since 1998. Researchers at MUT were linked to the Iranian Defense Ministry and projects related to UAVs and small aircraft.

  Iranian data miners at Isfahan University of Technology (IUT) were also spotted gathering sensitive technology and information from U.S. computer networks. “Although the majority of the information sought through Iranian OSINT collection efforts pertains to military capabilities and technological development, other USG departments and agencies could also become (or continue to be) targets of foreign actors’ extensive online research,” the cable said. “Users must remain alert to and minimize the potential threats associated with the misuse of personal and professional information posted to online resources,” the cable said.

  From relatively passive cyber spying, Iran would escalate to large-scale operations against Internet-facing systems to disrupt the functioning of websites, a tactic known as a distributed denial-of-service attack, or DDoS. The attacks work by using hijacked servers that are linked together and operated remotely as a botnet, programmed to bombard the public Internet portals of banks and financial institutions with traffic. The massive flood of automated requests is designed to exhaust the bandwidth and processing capacity of the targeted servers so that they can no longer answer legitimate users, thus denying their use for online banking and other remote financial activities.
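To make the mechanics concrete, the following Python script is an added illustration and is not part of the book or of any investigation it cites. It runs a simple flood detector over constructed web-server traffic (the addresses come from the reserved documentation ranges and the timestamps are hypothetical) and shows why counting requests per source is not enough on its own: a single abusive client is caught by a per-source limit, while a botnet whose members each stay under that limit only shows up when the aggregate request rate is compared against a baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_SOURCE_LIMIT = 20   # requests per WINDOW from one address before it is flagged
WINDOW = timedelta(seconds=10)
SPIKE_FACTOR = 5        # aggregate rate this many times the baseline counts as a flood


def build_sample_log():
    """Constructed access-log entries (timestamp, source_ip, path); not real traffic."""
    base = datetime(2012, 9, 18, 9, 0, 0)   # hypothetical start time
    log = []
    # 1. Background: five legitimate clients, one request every 2 s for 60 s.
    for i in range(5):
        for t in range(0, 60, 2):
            log.append((base + timedelta(seconds=t), f"198.51.100.{i + 1}", "/login"))
    # 2. One abusive client: 4 requests/s for 10 s starting at t=15 s.
    for t in range(15, 25):
        for k in range(4):
            log.append((base + timedelta(seconds=t, milliseconds=250 * k),
                        "203.0.113.9", "/login"))
    # 3. A botnet: 150 hosts, each 1 request/s for 10 s starting at t=40 s,
    #    so every bot stays well under PER_SOURCE_LIMIT.
    for b in range(150):
        for t in range(40, 50):
            log.append((base + timedelta(seconds=t, milliseconds=(b * 37) % 1000),
                        f"192.0.2.{b + 1}", "/"))
    log.sort()
    return log


def per_second_counts(log):
    """Bucket requests into whole seconds: total per second and per source per second."""
    total = defaultdict(int)
    per_src = defaultdict(lambda: defaultdict(int))
    for ts, src, _path in log:
        sec = ts.replace(microsecond=0)
        total[sec] += 1
        per_src[sec][src] += 1
    return total, per_src


def detect_floods(log, baseline_seconds=10):
    """Return findings as tuples.

    ("single-source", ip, when, requests_in_window): one address over PER_SOURCE_LIMIT.
    ("distributed", source_count, when, req_per_sec): aggregate rate SPIKE_FACTOR times
        the baseline with no single address dominating, i.e. a botnet flood.
    The baseline is the mean request rate over the first baseline_seconds of the log.
    """
    total, per_src = per_second_counts(log)
    seconds = sorted(total)
    window_len = WINDOW.total_seconds()
    base_end = seconds[0] + timedelta(seconds=baseline_seconds)
    baseline = sum(n for s, n in total.items() if s < base_end) / baseline_seconds

    findings, flagged, distributed_reported = [], set(), False
    for sec in seconds:
        window = [s for s in seconds if sec - WINDOW < s <= sec]
        src_counts = defaultdict(int)
        for s in window:
            for src, n in per_src[s].items():
                src_counts[src] += n
        # Per-source limit: catches the single noisy client.
        for src, n in src_counts.items():
            if n > PER_SOURCE_LIMIT and src not in flagged:
                flagged.add(src)
                findings.append(("single-source", src, sec, n))
        # Aggregate rate against baseline: catches the botnet the per-source limit misses.
        rate = sum(total[s] for s in window) / window_len
        if rate > SPIKE_FACTOR * baseline and not distributed_reported:
            top_share = max(src_counts.values()) / sum(src_counts.values())
            if top_share < 0.2:   # no single address explains the spike
                distributed_reported = True
                findings.append(("distributed", len(src_counts), sec, round(rate, 1)))
    return findings


if __name__ == "__main__":
    for kind, who, when, value in detect_floods(build_sample_log()):
        print(f"{when.time()} {kind:14} {who!s:16} {value}")
```

On the constructed data the per-source rule fires only for the single abusive client, and the botnet, whose 150 members each send ten requests in ten seconds, is reported only by the aggregate check, with the top contributor accounting for under three percent of the traffic. Real deployments replace the fixed baseline with one learned per time of day, but the division of labour between the two checks is the same.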

  The NSA took a leading role in warning about the danger posed by Iran’s growing use of cyberattacks and cyber espionage. A top-secret memorandum dated April 12, 2013, that was disclosed by renegade NSA contractor Edward Snowden revealed a set of talking points used by NSA director General Keith Alexander on Iranian cyber capabilities. “NSA has seen Iran further extending its influence across the Middle East over the last year,” the memo says. “Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions, and is currently in the third phase of a series of such attacks that began in August 2012.”

  NSA signals intelligence uncovered evidence showing that the attacks were carried out in retaliation for Western cyber activities against Iran’s nuclear facilities, and that senior officials of the Iranian government were aware of the attacks—an indication NSA had succeeded in getting inside Iranian communications and was able to read or listen to the communications of senior officials. “NSA expects Iran will continue this series of attacks, which it views as successful, while striving for increased effectiveness by adapting its tactics and techniques to circumvent victim [computer network] mitigation attempts,” the memo said.

  The memo also provided the first official confirmation that the August 2012 cyberattack against the Saudi Arabian national oil company, Saudi Aramco, was linked to Iran’s information warfare program. “Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary. Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others,” the agency stated.

  Iran’s Shia Muslim rulers are rivals of Saudi Arabia’s Sunni rulers. NSA also concluded from its intelligence analysis that Iran did not appear to be planning similar cyberattacks against U.S. oil companies’ networks. But the agency warned that “we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.”

  At the time of the memo, the United States intelligence community had completed a major assessment, called a National Intelligence Estimate, on global cyber threats. The estimate was based on highly classified intelligence outlining foreign cyberattack and cyber espionage threats. Officials familiar with the top-secret NIE, a consensus of all spy agencies, described it as highlighting the growing danger of cyberattacks and espionage from the main adversary states, including China, Russia, North Korea, and Iran.

  Iranian bank cyberattacks and the destructive cyber strike against the Saudis were followed by a major cyberattack in the United States, perhaps Iran’s boldest and most politically motivated: the attack on the Las Vegas Sands Corporation in February 2014. However, in a bid to avoid upsetting its secret diplomatic effort to conclude the nuclear deal with Tehran, the Obama administration kept the attack secret. The Iranian connection to the cyberattack was not made public until nineteen months later, on September 10, 2015, in testimony before Congress by James Clapper, the director of national intelligence (DNI). Clapper did not mention the Iranian Sands attack in his oral testimony before the House Permanent Select Committee on Intelligence, and none of the House members present asked a single question about it. But tucked away in his formal statement submitted in advance of the hearing was a short paragraph that was the first official mention that, in addition to the 2012–13 financial institution cyberattacks, Iran had been linked to “the February 2014 cyber attack on the Las Vegas Sands casino company.” No details were provided.

  “Iran very likely views its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence,” Clapper stated.

  Details of the Sands incident had first been revealed in a detailed investigative report by the news agency Bloomberg Business more than a year earlier but were never officially confirmed by the U.S. government. The Iranian hack was politically suppressed by the Obama administration, unlike the other high-profile cyber strike on an American company, Sony Pictures Entertainment (see Chapter 2), an attack that was quickly and publicly attributed to North Korea as its state sponsor. The playing down of the Sands Corporation attack was no doubt the work of Rhodes’s White House information warfare program, which covertly manipulated American news reports on the Iran threat.

  The Sands attack was not trivial. It cost the company some $40 million in destroyed computers and stolen data, including sensitive employee data and Social Security numbers.

  The attack began in the early morning hours of February 10, 2014, when hundreds of Sands computers began crashing, leaving blank screens and rendering systems inoperable. Email could not be sent or received and most of the landline telephones stopped working. The $14 billion casino company was thrown into chaos. “PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean. The company’s technical staff had never seen anything like it,” Bloomberg revealed. The highly networked and technology-reliant casino suffered information systems failures throughout its complex, including computers that handled loyalty rewards, programs used to check the performance and payouts of slot machines and table games, and the company’s multimillion-dollar information storage systems. To keep the damage from spreading further, employees were sent racing through the huge casino corporation’s offices unplugging as many network connections as possible.

  For the Iranian hackers, the goal of the information warfare operation was not to steal funds or otherwise seek financial gain, as security officials initially suspected. This was a physically damaging and politically motivated cyberattack. The main target: Sands owner and billionaire Sheldon Adelson. The conservative Adelson was one of the staunchest American defenders of Israel, the key democratically governed American ally in the Middle East. Born in 1933, he was listed by Forbes as being worth some $28 billion. He is chairman and chief executive officer of the Las Vegas Sands Corporation, which owns the Marina Bay Sands in Singapore and is the parent company of Venetian Macao Limited, which operates the Venetian Resort Hotel Casino and the Sands Expo and Convention Center. Adelson also owns the Israeli daily newspaper Israel Hayom and the Las Vegas Review-Journal. He was also a close associate of Israel’s prime minister at the time of the cyberattack, Benjamin Netanyahu.

  It immediately became apparent to security technicians that the cyberattack was retaliation for a controversial speech Adelson gave in October 2013 at Yeshiva University in Manhattan. He told the gathering that his solution to the nuclear negotiations with Iran—then ongoing and incomplete—would be for the U.S. military to fire a nuclear missile into a desert near Iran, and then tell the Iranians that would be their fate if they ever threatened Israel. “And then you say, ‘See? The next one is in the middle of Tehran,’ ” Adelson said, adding that the message to Iran needs to be “we mean business. You want to be wiped out, go ahead and take a tough position and continue with your nuclear development.”

  In response, two weeks after the speech Iranian supreme leader Ali Khamenei gave a speech that called on the United States to stop all such comments from being made, as if the U.S. government had the power to impose such speech constraints. A month after the Khamenei remarks, Iranian hackers launched the operation to attack the Sands. They began by conducting reconnaissance on ways to penetrate Sands information systems in an operation the company would later code-name “Yellowstone 1.”

  The first breach occurred around January 8, 2014, not in Las Vegas but at the Sands Bethlehem casino in Pennsylvania, where the hackers attacked the Pennsylvania casino’s virtual private network (VPN). They broke in by brute force, using password-cracking software to make repeated log-in attempts with automated trial-and-error combinations of user identification credentials and passwords; by the end of that month, what cyber sleuths call a brute-force log-in-cracking attack had succeeded. On February 1, 2014, the hackers broke through to a Web development server. Once inside, the Iranians used Mimikatz, a credential-harvesting tool that extracts passwords and password hashes from the memory of Windows systems, to obtain additional passwords and log-in credentials, which they used in turn to gain administrator-level control on February 9. One day later, the Iranians launched their large-scale cyberattack in Las Vegas. Thousands of servers, desktop computers, and laptops were damaged or rendered useless. Worse, sensitive company data was exfiltrated, including private documents and credit checks on high-profile gamblers. In the clearest link to Iran, the hackers left images on the compromised network showing Sands casinos in flames, and messages were posted on some company websites that read, “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime.” The message was signed the “Anti WMD Team.”
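The brute-force phase of an intrusion like this is the kind of activity an authentication log records directly. The Python script below is an added example, not Sands’s logs or anything from the Bloomberg account; its log-line format, host name, field names, user names and addresses are invented for illustration. It flags three patterns over constructed VPN log lines: many failures from one source, failures across many accounts from one source (password spraying), and the highest-severity case described above, a successful log-in from a source that has just produced a run of failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format; the field names are assumptions, not any vendor's schema.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=30)
FAIL_LIMIT = 10    # failures from one source inside WINDOW before it is brute force
SPRAY_USERS = 5    # distinct accounts failed from one source before it is spraying


def parse(line):
    """Return (timestamp, result, user, src) or None for a line we do not understand."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect(lines):
    """Stream lines in time order and return findings as (kind, src, detail, ts).

    brute-force            FAIL_LIMIT failures from one source inside WINDOW
    spray                  failures against SPRAY_USERS distinct accounts from one source
    success-after-failures an OK from a source that had FAIL_LIMIT failures in WINDOW:
                           the guessing most likely worked, so treat the account as compromised
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures inside WINDOW
    reported = set()              # (src, kind) pairs already emitted, to avoid repeats
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:   # expire failures older than WINDOW
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= FAIL_LIMIT and (src, "brute-force") not in reported:
                reported.add((src, "brute-force"))
                findings.append(("brute-force", src, len(q), ts))
            users = {u for _, u in q}
            if len(users) >= SPRAY_USERS and (src, "spray") not in reported:
                reported.add((src, "spray"))
                findings.append(("spray", src, len(users), ts))
        elif len(q) >= FAIL_LIMIT:
            findings.append(("success-after-failures", src, user, ts))
    return findings


def build_sample_log():
    """Constructed VPN log lines for the three cases; not real logs from any system."""
    t0 = datetime(2014, 1, 8, 2, 0, 0)   # hypothetical timestamp

    def ev(delta, result, user, src):
        return f"{t0 + delta:%Y-%m-%dT%H:%M:%SZ} vpn-gw auth: {result} user={user} src={src}"

    lines = []
    # alice mistypes her password once and then logs in: normal, no finding.
    lines.append(ev(timedelta(0), "FAIL", "alice", "198.51.100.7"))
    lines.append(ev(timedelta(seconds=20), "OK", "alice", "198.51.100.7"))
    # One source guesses jsmith's password every 15 s; the 13th attempt succeeds.
    for i in range(12):
        lines.append(ev(timedelta(seconds=15 * i), "FAIL", "jsmith", "203.0.113.45"))
    lines.append(ev(timedelta(seconds=15 * 12), "OK", "jsmith", "203.0.113.45"))
    # Another source tries six accounts once each (spraying) and never succeeds.
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(ev(timedelta(minutes=5, seconds=30 * i), "FAIL", u, "203.0.113.88"))
    lines.sort()   # ISO timestamps sort lexicographically, so this orders by time
    return lines


if __name__ == "__main__":
    for kind, src, detail, ts in detect(build_sample_log()):
        print(f"{ts:%H:%M:%S} {kind:22} src={src:14} {detail}")
```

The success-after-failures rule is the one worth paging someone for: a lockout policy would have stopped the guessing before it reached a success, and a single correct password after a run of wrong ones from the same address is the signature of a guess that landed rather than a user who forgot. The thresholds are deliberately low for the sample and would be tuned to the real volume of a given VPN gateway.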

  From cyber-intelligence gathering, to denial-of-service attacks, to targeting the Sands, Iran’s information warfare forces have been systematically escalating operations against the United States.

  Despite clear evidence of an increasing threat, the Obama administration took no action and said nothing—all to protect the feckless policy of Obama to avoid upsetting his effort to be friends with the mullahs. During a hearing on cyber threats in September 2015, Representative Joe Wilson, a South Carolina Republican, pressed Deputy Secretary of Defense Robert Work on whether the Obama administration had imposed sanctions on Iran for the Sands attack. “I’m going to have to take that for the record,” Work said in sidestepping the question. Admiral Michael Rogers, the commander of the U.S. Cyber Command and director of the NSA, who testified at the same hearing with Work, was only marginally more candid. Rogers indicated “no specific sanctions” were tied to Iranian cyberattacks. But the Cyber Command chief suggested he favored U.S. action against Iran for the attack. “Clearly a broader discussion about what’s acceptable, what’s not acceptable” is needed, he said, noting that Iranian cyberattacks against financial websites had subsided somewhat after the U.S. government began identifying publicly the activities of nefarious cyber actors. Rogers also praised greater cooperation between government and financial institutions “to see what we could do to work the resiliency piece here to preclude the Iranians’ ability to actually penetrate, which, knock on wood, we were successful with.”

  As the U.S. government refused to denounce Iranian information warfare, an internal State Department security report I obtained revealed that Iranian cyberattacks were posing a growing danger to American security. The report includes a chart giving a detailed timeline of several Iranian cyberattacks. The activities included the targeting of government personnel involved in arms nonproliferation from 2011, the financial cyberattacks of 2012, further attacks on large banks in 2012, the hack of the Marine Corps intranet, and what the report described as the “wiper malware” attack on the Sands Corporation.

  The report was produced by an analytic group in the State Department for the Overseas Security Advisory Council and went on to identify key trends in Iranian cyber operations, the main element being retaliation, first for the Stuxnet virus, which damaged centrifuges at Natanz, and then in the Sands attack, carried out to punish Adelson for his critical remarks. “In similar fashion, the multi-stage 2012 attacks against U.S. banks and financial institutions were assessed to be a response to economic sanctions,” the report said. “Iran employs the concept of ‘soft war,’ using the Internet and other technical platforms to combat perceived enemies. Other case studies also draw parallels between tracked cyber operations and the Iranian government’s political objectives.” The report warned that “Iran is rapidly improving its cyber warfare capabilities” as a “direct result of Tehran’s investment in its cyber offensive [capabilities],” noting that a growing number of Tehran-based hackers are being blamed for high-profile incidents.

  “It has been assessed that these hackers have progressed from making low-level website defacements with the use of publicly available malware, to using customized and targeted implants intended for specific victims,” the report said. “As these techniques continue to increase in sophistication and focus, researchers also deduce that Iran may be preparing for future operations by growing their available technical infrastructure.”

  In an ominous warning, the report revealed plans by Iranian information warriors to target critical U.S. infrastructures in the future. Several case studies noted Iran’s desire to attack critical American infrastructures—those used for everything from electricity to financial transactions, communications, and transportation—in some capacity. “Assessments continue to place critical infrastructure, supervisory control and data acquisition (SCADA) and transportation systems at the top of the list for potential targets of Iranian cyber operations,” the report said, noting that the Tehran government and the IRGC are “backing numerous groups and front entities to attack the world’s critical infrastructure.”

  It was a stark warning of what was to come.

  In the months after the Sands cyberattack, the Iranian information warfare threat mounted. Iran was linked to cyber threats against the American electrical grid, and then a group of Iranian hackers was indicted by a U.S. federal grand jury that linked them to a cyberattack against the water control system for a dam in New York State.

  In California, Iranian-origin hackers struck a contractor for Calpine, a company that bills itself as the largest electrical power provider in the state and uses natural gas and geothermal resources. The hacking took place over several years beginning around August 2013 and the data theft included the downloading of design drawings on dozens of power plants, including at least one that was described as “mission critical.”

  The activities were a classic example of what the U.S. military calls cyber reconnaissance—covertly breaking into computer networks to map their connections and links so that in a future conflict or crisis the information could be used to sabotage the American power grid, which provides vital electrical power to millions of homes and businesses.

  The Calpine attack was followed by an even more serious Iranian cyberattack that attempted to gain control of the Bowman Dam, near Rye, New York, a small suburban town located about thirty-five miles north of New York City. The dam hacking was outlined in the federal indictment of seven Iranian hackers charged on March 24, 2016, with both the Bowman intrusions and the earlier denial-of-service attacks on American financial institutions. It was the first time Iranian hackers had been targeted in a legal proceeding and followed years of silence and inaction by the Obama administration, which, as we have seen, feared that any action it took against Iran would scuttle the nuclear talks and resulting deal.

  The indictment was largely symbolic, given that the likelihood of ever prosecuting the seven hackers is remote. While it provided the first official and public identification of Iranians involved in hacking U.S. networks, it was a White House attempt to give the appearance that it was not completely ignoring the threat posed by Iranian cyberattacks. American intelligence and defense officials had been demanding the White House do something to counter the escalating cyber threat. Two Iranian hacker groups were identified. One is called the ITSec Team and the second is the Mersad Company. The two entities are ostensibly private computer security companies based in Iran that “performed work on behalf of the Iranian government,” including the IRGC, which the indictment recognized as one of several Iranian intelligence units.

  The botnet strikes on U.S. financial institutions that took place between December 2011 and around May 2013 were orchestrated by the ITSec Team. They involved weekly attacks, usually on Tuesdays and Thursdays, that flooded banks with as much as 140 gigabits of data per second, up to three times the capacity of the targeted banks’ systems. Some forty-six major financial institutions were hit, causing hundreds of thousands of customers to be blocked from banking online and inflicting tens of millions of dollars in damage on the companies. The ITSec Team and Mersad’s cyber targets included major financial institutions, among them Bank of America, Capital One, the New York Stock Exchange and NASDAQ stock exchange, ING Bank, BB&T, U.S. Bank, and PNC Bank.