TEHRAN, Iran — For four days in early December, Iran’s top university ground to a halt. Web-conferencing software for COVID-constrained classes didn’t work. Faculty and students couldn’t access their records.
It was the latest round of attack in the low-level but escalating cyberhostilities between Iran and its adversaries, especially Israel, which have exchanged tit-for-tat hacks in a long-running shadow campaign of mutual destabilization. But the hit on the University of Tehran and other incidents like it represent a shift, experts say, from the regular targeting of military and nuclear sites toward a full-fledged cyberwar on civilian infrastructure.
“That’s an important distinction about cyberconflicts — they generally affect civilians and get the private sector,” said John Hultquist, vice president of intelligence analysis at the U.S. cybersecurity firm Mandiant.
“They’re not about military objectives. … The government is often not the audience for a lot of these incidents.”
The expansion of the Middle East cyberbattlefield comes as Iran improves defense of its controversial nuclear program, said Maysam Behravesh, a research associate at the Netherlands-based Clingendael institute who was an intelligence analyst and foreign policy adviser for Iran’s Ministry of Intelligence and Security from 2008 to 2010.
“Given that Iran’s nuclear facilities have spread all over the country and attacking the program has become much more complicated, Israel has adopted a new approach — conducting massive cyberattacks on sensitive civilian targets like dams, gasoline stations and power plants to foment nationwide riots with the objective of toppling the regime or keeping the rulers busy with day-to-day, endless riots,” Behravesh said.
Besides the University of Tehran attack earlier this month, Iran’s second-largest airline, Mahan Airlines, got hacked in November, its website made inaccessible. A large-scale hack in October disabled pumps at 4,300 gas stations across the country.
In August, a hacker group called Edalat-e Ali (Ali’s Justice) leaked security footage from an Iranian prison depicting guards beating prisoners. July saw a hack that paralyzed the railway system; another group, Tapandegan, attacked airports in major cities and municipalities. And that’s only a partial list of government-acknowledged incidents, which Tehran has attributed primarily to Israel without always showing evidence for the assertion.
After the gas station attack, new hard-line President Ebrahim Raisi called for “serious readiness in the field of cyberwar,” saying that Iranian authorities “should not allow the enemy to follow their ominous aims to make problems a trend in people’s lives,” state media reported.
Meanwhile, Iran has hit back with its own attacks, Israeli and U.S. officials and experts allege.
This month, Checkpoint, a cybersecurity firm in Tel Aviv, said a slew of Israeli companies had been targeted by an Iran-linked hacking group known as Charming Kitten. Also this month, Symantec’s threat-hunter team announced that a group whose “targeting and tactics were consistent with Iranian-sponsored actors” had engaged in a months-long campaign of attacks on telecom operators, IT services organizations and a utility company in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates and Pakistan, among others.
In November, authorities in the U.S., Britain and Australia warned that Iranian-sponsored attackers had exploited a software vulnerability to deploy ransomware attacks. Earlier this year, Facebook announced that the Iran-linked group Tortoiseshell had created fake online personas to contact U.S. service members and employees of American and European defense companies in order to send malware and extract information from their targets.
Also in November, Fars News, an agency managed by Iran’s vaunted Islamic Revolutionary Guard Corps, “doxxed” an Iran-focused Israeli cybersecurity specialist, meaning that it published the specialist’s name, phone number, home address and other details. That came on the heels of an attack by a group called Black Shadow, which released a massive trove of private data from the Israeli LGBTQ website Atraf.
The attacks have spurred a parallel race to plug vulnerabilities. On Saturday, the Israeli military announced that its Joint Cyber Defense Division had joined the United States Cyber Command for drills over the last week, the sixth such joint exercise this year. Earlier this month, Israel conducted “Collective Strength,” a simulation of major cyberattacks on financial markets that included treasury officials from the U.S., Israel, the United Arab Emirates and Britain, among others.
Iran’s relative international isolation gives it few opportunities for such partnerships. U.S.-led sanctions have also made the country particularly vulnerable to attack, forcing Iranians to rely on pirated, cracked or older versions of software without the ability to update them against new security threats.
The attack on the University of Tehran, for example, crippled an older version of Adobe Connect, a web-conferencing software suite. Faculty and students switched for a few days to Big Blue Button, a free web-conferencing system whose code is open-source — available to anyone who wants to modify it to eliminate vulnerabilities.
Sanctions also mean that Iran doesn’t have the resources to deter attacks on a national level, especially when it’s confronting far more advanced adversaries capable of finding so-called zero days, mistakes in a program’s code — unknown even to the software maker — that can be used to break in to a system.
“You have to have a massive, scaled organization that can operate all the way down to the network level at all these potential targets,” Hultquist said. “It’s already an uphill battle, and if you lack the resources, you’ll find yourself with the adversary easily gaining access.”
At the same time, with Iran’s state apparatus and private businesses forced to rely less heavily on technology and advanced systems to run equipment, the impact of an attack is less than it would be on countries like the U.S., where such systems play a larger role.
That has pushed Iran to focus on the offensive side of cyberwarfare. Instead of custom-made malware like Stuxnet, the sophisticated computer worm designed by the U.S. and Israel that wreaked havoc on Iran’s nuclear systems in 2010, Iranian hackers have deployed publicly available malware as well as cracked versions of legitimate remote-administration and security-assessment tools such as Cobalt Strike, a threat-emulation tool.
And there’s no lack of cyberwarriors. The Revolutionary Guard regularly plucks recruits in data-mining, network penetration and hacking from educational institutions such as Imam Hossein University, where scholarship students enter the guard upon graduation after passing ideological interviews and deep vetting. Those accepted aren’t allowed to work in the private sector or abroad but are paid higher salaries to compensate.
If the carrot doesn’t work, the stick comes out: According to several Iranian computer engineers who spoke on condition of anonymity, when Iran’s security services capture private hackers, they coerce them into working for the state as a way to avoid jail time.
Despite the escalation in hostilities, the attacks have so far fallen short of out-and-out war, Hultquist said.
“It’s analogous to terrorism in the sense that it’s about creating a perception of danger or insecurity based on acts that are contained and rare,” he said.
But Behravesh, the former Iranian intelligence analyst, believes the intensification in the attacks is a prelude to a larger conflict, especially with the lagging prospects of a revival of Iran’s nuclear deal with Western and other world powers.
“This change of pattern by the Israelis to hit civilian targets is a pre-strike stage, meaning they’re giving this one last chance before resorting to a full-scale military operation against Iranian nuclear facilities,” he said.
“I would say time is running out, and the world and the Middle East could be at the point of no return.”
Los Angeles Times special correspondent Khazani reported from Tehran and staff writer Bulos from Amman.