Do you remember Stuxnet? I know multiple cybersecurity professionals who entered our industry because it was the most fascinating malware anyone had ever seen. It was designed to exploit vulnerabilities in specific programmable logic controllers, in particular, the ones used by particular nuclear facilities.
Stuxnet’s intended target was a nuclear facility in Natanz, Iran, and it was first discovered in 2010. But despite the malware’s intended target, Natanz’s nuclear facility wasn’t Stuxnet’s only victim. According to researchers, only 58.85% of Stuxnet infections were in Iran, while the rest where in Indonesia, India, Azerbaijan, the United States, and Pakistan.
The controversy and intrigue of Stuxnet wasn’t just tied to its role in cyberwarfare, but also to its notoriously obfuscated code. When malware researchers can’t even determine which programming languages are being used in its creation, it makes the work of investigators massively difficult. Which of course was the intention of Stuxnet’s authors.
Only a nation-state group with millions or billions of dollars in resources can develop malware that’s so incredibly complex. There was also a lot of controversy about Stuxnet’s origin, but the cybersecurity community eventually determined that it was likely the work of an American and Israeli alliance. At that time, Stuxnet was to cyberwarfare what Sputnik was to space exploration. It was a pivotal and challenging first step. It changed everything. It was revolutionary, for better or for worse. And computer scientists will continue to discuss Stuxnet for decades. What a precedent! But the massive harm done by cyberwarfare is no laughing matter.
Relations between Iran, Saudi Arabia, Israel, and the United States have been tense for decades. Many countries around the world have tried to make peace with Iran. Honestly, the vast majority of people on this earth prefer peace. So you can imagine how worried we all were when American President Donald Trump announced on May 8th, 2018 that the United States would pull out of the Joint Comprehensive Plan of Action, colloquially known as the Iran nuclear deal. Iran, the European Union, China, France, Russia, the United Kingdom, Germany, and the United States under Barack Obama first signed the agreement on July 14th, 2015.
As far as international cyberwarfare is concerned, we’re seeing the effects of that terrible move right now. On October 16th of last year, Reuters broke some very scary news.
“The United States carried out a secret cyber operation against Iran in the wake of the Sept. 14 attacks on Saudi Arabia’s oil facilities, which Washington and Riyadh blame on Tehran, two U.S. officials have told Reuters. The officials, who spoke on condition of anonymity, said the operation took place in late September and took aim at Tehran’s ability to spread ‘propaganda.’ One of the officials said the strike affected physical hardware, but did not provide further details.”
The attack highlights how President Donald Trump’s administration has been trying to counter what it sees as Iranian aggression without spiraling into a broader conflict.
The United States, Saudi Arabia, Britain, France and Germany are all publicly blaming the attack on Iran. What’s the actual truth? Looking at practicalities, the attacks on Saudi Arabian oil facilities have made gasoline more expensive, even here in Canada. I don’t drive a car, but I can be affected by the prices of imported food at the supermarket, and by the fares I pay for public transit. Every single one of us who lives “on the grid” can be affected in some way or another.
Honestly, it doesn’t matter to me if the price of a bottle of orange juice goes up by fifty cents. What I’m really worried about are the effects of cyberwarfare. Am I going to wake up to a power outage tomorrow morning because Iran or some other country has attacked the SCADA of my local electrical utility? The industrial facilities behind our power grids, water treatment plants, and telecommunications are all vulnerable to cyberwarfare, no matter which continent we live on. The world is smaller than ever. The Internet connects not only your web browser to this webpage, but also all of our utilities, public, and commercial services. Banks, hospitals, governments, you name it.
The public has a right to know what’s going on, because we’re all affected. So I asked an expert about the new Iranian cyberwarfare controversy, America’s preparedness, and whether or not we’re getting reliable information. I reached out to Richard Stiennon, Chief Research Analyst of IT-Harvest, for his views about the controversy. He said:
“My immediate reaction to the story was that it was completely lacking in any details. The fact that the U.S. engaged in a retaliation against Iran is news. Starting with the Olympic Games – the campaign against the nuclear refining facilities in Natanz – it has been almost a standard response to Iranian aggression. It has also been the Department of Defense's stated policy, supported by Executive Orders from Bush and Obama to engage in offensive cyberattacks.”
He continued: “In retrospect, Stuxnet, used in the Olympic Games, was effective in setting back Iran's efforts to produce nuclear grade uranium. I think however, that cyberattacks, unless they are destructive of physical property, are not an effective or proportionate response to attacks such as the missiles fired at a Saudi oil refinery.”
Next I asked Richard, “How do you think Iranian cyberwarfare units compare to American ones? Who has the competitive advantage, and how might that affect Saudi Arabia?”
He replied, “I believe Iran is far behind the U.S. in cyberattack capability. The U.S. has tens of billions devoted to its dark budget which includes cyberattack. That said, the U.S has many more vulnerable assets than Iran has so Iran does not need to be very sophisticated to be successful in attacking U.S. companies, agencies, or military assets.”
I had a couple of final questions for Mr. Stiennon: “Do you think the American media has been evasive about reporting about the extent of the US's cyberwarfare capabilities? If so, why? And do you think the general public will learn about the kind of cyberwarfare activity that's conducted between the United States and Iran?”
He answered, “I think American media in general is shy of covering U.S. cyber activities with a few exceptions like Ellen Nakashima at the Washington Post. The real culprits in coverage are the tech firms that track the activities of so-called APT groups. U.S. research firms ignore the activities of the U.S. intel community. We have to rely on reports from the likes of malware researchers or leaks published in Der Spiegle. Eventually the general public will learn about the ongoing cyber skirmishes between the U.S. and Iran. They may have to read about it in history books though.
Stuxnet introduced everyone to the threat (and effectiveness) of attacks against critical infrastructure. Since those days the media have staffed up on cyber beat reporters. Many journalists have written books about cyberattacks and reinvented themselves as experts in the field. This is a golden era of cyber reporting.”
If this is indeed the golden era of cyber reporting, I’m honored to have a small part in that. (Thank you, Mr. Stiennon.)
And as I continued my research for this article, more news broke about international tensions with Iran. Reuters reported this follow up:
“Western officials rank Russia and Iran as two of the most dangerous threats in cyberspace, alongside China and North Korea, with both governments accused of conducting hacking operations against countries around the world. Intelligence officials said there was no evidence of collusion between Turla and its Iranian victim, a hacking group known as 'APT34’ which cybersecurity researchers say works for the Iranian government.
So what do we really know about APT34? I decided to see what research is available about the cyberwarfare group. They’ve been around since at least 2014, but the media started paying attention to them in 2017.Rather, the Russian hackers infiltrated the Iranian group's infrastructure in order to ‘masquerade as an adversary which victims would expect to target them,’ or so said GCHQ's (Paul) Chichester.”
Wired’s Lily Hay Newman wrote at the time, “The international intelligence agency always has a keen interest in Iran's hacking activity. And new research published on Thursday indicates the country's efforts show no signs of slowing. In fact, a new network reconnaissance group—security researchers call them Advanced Persistent Threat 34—has spent the last few years burrowing deep into critical infrastructure companies. Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat.”
Newman continued: “Researchers tracked 34 of the group's attacks on institutions in seven Middle Eastern countries between 2015 and mid-2017, but says APT 34 has been operational since at least 2014. The group appears to target financial, energy, telecommunications, and chemical companies, and researchers say it has moderate confidence that its hackers are Iranians.”
I have a feeling that significant Iranian cyberwarfare has only just begun. We’re just spotting the first major signs now. Iran has been greatly mistreated by various foreign governments. But now the fallout from decades of turmoil in Iran could be the electrical grids and industrial facilities that we rely on here in Canada, the United States, and Europe.
When I visited Ottawa, Canada this May to cover the CyberTitan cybersecurity competition for ThreatVector, I had the honor of meeting Brigadier-General A.R. Jayne, Director General Cyberspace of Canada. We had a one-on-one chat at one point.
Jayne is in charge of all of Canada’s cyberwarfare defense. Of course he knows better than to tell me any classified information, but I still learned from him.
During the course of our conversation I commented to him, “Conventional warfare results in bombed cities and civilians getting shot dead. But conventional warfare is contained to specific warzones. That’s where the collateral damage is. I worry that cyberwarfare means that those of us who are thousands of miles away from conventional warzones can still be harmed by collateral damage in the form of attacks on the SCADAs and ICSes behind our utilities, the ones we depend upon.”
“I worry about that too,” Jayne replied.
“Thanks to the Internet, the whole entire world is a potential cyberwarfare zone,” I commented.
He replied, “Yep. And that’s why I do what I do.”