Iran’s next move could be one of low-intensity conflict that could have a big impact on our cyber infrastructures
The level of angst and concern about a hot war between Iran and the United States has largely been quelled, as time has put space between the flashpoint incidents that moved the relationship from contentious to a war footing. As the global news cycles move to other issues—be it the coronavirus spreading out of China, the impeachment of U.S. President Trump or the global economic meetings in Davos—Iran’s Islamic Revolutionary Guard Corps (IRGC) is putting its next move in place.
Based on a few years of paying attention to Iran’s intelligence actions and capabilities, I believe we will see more activity and intensity in the cyber domain as part of the IRGC’s “low-intensity conflict” (LIC) doctrine. As then-Deputy Director of the CIA Robert Gates stated in his 1988 keynote, “Low-Intensity Conflict: The Role of Intelligence,” LIC is defined largely by where the beholder is situated. He referred to a national security directive that characterized LIC as “political-military confrontation between contending states or groups, below conventional war, and above the routine, peaceful competition among states.”
“LIC is a strategy of conflict, where dilatory tactics are employed with increasing violence to wear down the opponent,” Gates said, invoking Jean-Paul Sartre: “(The insurgent) tires out his adversary until they are sick of him.”
Thus, one could argue the Iranians have been involved in LIC within both the physical and cyber domains for quite some time.
The FBI told U.S. companies that Iranian hackers can be expected to target “cleared defense contractors, government agencies, academia and non-governmental organizations focused on Iran issues.”
We can track this activity via the Department of Justice’s trail of trials, in which IRGC personnel are identified in indictments and court proceedings as actively working to insinuate themselves into U.S. infrastructure. The Justice Department’s activities also highlight the active role the IRGC plays in conducting espionage within the United States:
- SCADA – Bowman Dam, Rye, New York – the IRGC compromised the SCADA network, from Iran.
- SCADA – Saudi Aramco – 30,000 Aramco PCs were infected by the “Shamoon” malware.
- U.S. financial – the IRGC conducted DDoS attacks and successfully implanted malware against the U.S. financial industry, again from Iran.
- Data theft – Nine Iranians were indicted for successfully infiltrating and extracting data from 144 U.S. universities, 176 universities in 21 countries, 47 corporations, the U.S. Department of Labor, the U.S. Federal Energy Regulatory Commission, the States of Hawaii and Indiana and the United Nations.
A key point to remember: These prosecutions cover only those activities that U.S. counterintelligence entities have identified in enough detail to neutralize and prosecute. The axiom of counterespionage work is that you never see 100% of your adversary’s activities; thus, we don’t know which end of the iceberg of Iranian activity we are seeing.
To this end, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert concerning the “imminent threat of cyber attacks sponsored by the Iranian government and military.” While the government has a history of not sharing all it knows, this alert contained specific guidance:
- Adopt a state of heightened awareness.
- Increase organizational vigilance.
- Confirm reporting processes.
- Exercise organizational incident response plans.
- Disable all unnecessary ports and protocols.
- Enhance monitoring of network and email traffic.
- Patch externally facing equipment.
- Log and limit the usage of PowerShell.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
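The “log and limit the usage of PowerShell” item above maps onto concrete Windows settings. The following is an added example, not part of the article or the CISA alert: it turns on script block logging, module logging and transcription through the same registry values that Group Policy sets, then pulls the last day of script block events so a monitoring team can baseline normal use. It assumes administrator rights, Windows PowerShell 5.1, and a transcript directory path (`C:\PSTranscripts`) chosen here for illustration.

```powershell
# Added example (not from the article or the CISA alert): enable PowerShell
# logging via the policy registry values, then review recent script block events.
# Run from an elevated Windows PowerShell 5.1 session.

$policyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; use a location users cannot modify

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: records the de-obfuscated code that actually ran
#    as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 2. Module logging for all modules: pipeline execution details as event ID 4103.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 3. Transcription: full session transcripts, each command stamped with an
#    invocation header, written to a directory defenders control.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $transcriptDir -Type 'String'
if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }

# Review step: list script block text logged in the last 24 hours so the
# monitoring team can see what routine PowerShell use looks like on this host.
# For event 4104, Properties[2] holds the ScriptBlockText field.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-Table -AutoSize -Wrap
```

These registry values correspond to the Group Policy settings under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell, so in a domain they are better deployed centrally than host by host. The “limit” half of the CISA item (restricting which users and hosts may run PowerShell at all, for example through application control policy) is a separate control that this script does not cover.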
RAND Corp. Associate Political Scientist Ariane Tabatabai suggested that Iran will position itself “to hit several objectives: raising the cost of U.S. policy without drawing international ire onto itself.” Among the tools identified by Tabatabai are those within the cyber toolbox that may be used against the U.S. infrastructure and financial sectors.
Preparedness Is Essential
The expectation that Iran will step back from its cyber offensive activities would be folly; indeed, one can expect that Iran will use all the arrows in its cyber quiver to target the United States.
These arrows range from the straightforward courting of individuals with key knowledge (security researcher Chris Kubecka was offered a contract of $100,000 per month to come to Iran and teach a course in protecting SCADA networks) to the use of U.S. Department of Defense counterintelligence officer turned defector Monica Witt to assemble social-network engagement targeting packages focused on personnel of interest.
The FBI and CISA warnings should be taken seriously, and resources should be expended to protect that which needs protecting. Review your data protection schema with an eye toward anomalies both new and existing. Remember, the IRGC’s intent at this time may not be to destroy or steal your data, but something more nefarious: preparing the cyber battlefield for a future point in time of the IRGC’s choosing.
The adage of all counterintelligence educators continues to hold true: You don’t get to decide if you or your entity will be a target; the adversary decides. All you can do is prepare to be targeted.