Iranian Hackers Increasing Their Activity Worldwide as Part of New Cyber-Espionage Program by Nicole Lindsey

Over the past two years, Iranian hackers have targeted hundreds of companies and organizations worldwide. And now it looks like they are casting an even wider net, as they specifically target sensitive political, diplomatic and military targets in the United States, Australia, and the UK. Several high-profile attacks – most recently a cyber espionage attack carried out on the Australian Parliament – now appear to be part of a long-term, state-sponsored cyber hacking campaign by Iran.

Iranian hackers behind new wave of attacks in the West

According to Resecurity, a Los Angeles-based cybersecurity firm, Iranian hackers are behind both a high-profile 2017 attack on the UK Parliament and a February 2019 hack of the Australian Parliament. This marks the first time that a cybersecurity firm has connected all the dots, showing how the methods, approaches and tactics of these attacks appear remarkably similar. While the Australian government has thus far stopped short of publicly accusing Iranian hackers of the attacks, the growing consensus is that Iranian state actors have become increasingly aggressive as they target the West. Both the Wall Street Journal and Sky News have extensively covered these attacks.

In both the 2017 UK Parliament attack and the February 2019 Australian Parliament attack, the Iranian hackers used a “brute force” method that consisted of guessing passwords to obtain access to sensitive information. In some cases, this sensitive information included records listing personal contact information of key individuals within the government. The 2017 attack, for example, targeted 10,000 different parliamentary accounts and had approximately a 1 percent success rate. In other words, the Iranian hackers succeeded in obtaining the personal information of 90 different MPs.

And this is hardly the only cyber attack led by Iranian hackers in the past 18 months. For example, there was a high-profile phishing campaign led by Iranian hackers against sensitive elements of the UK public infrastructure. At one time, these Iranian hackers might have been content to go after the corporate secrets of the world’s biggest companies (such as Saudi Aramco). Now, they are targeting elements of a nation’s infrastructure – including banks, the post office, parliamentary networks and local government. In the UK, for example, Iranian hackers succeeded in obtaining the email address and mobile phone number of Post Office Chief Paula Vennells.

Possible strategic goals of the Iranian hackers

This sudden wave of activity by Iranian hackers leads to a natural question: Why, exactly, are Iranian hacking groups so eager to get their hands on the personal details of government employees and elected officials? One explanation is that the Iranian hackers are simply looking for “strategic intelligence,” and a broader understanding of how the major players within the UK or Australian governments are connected. At a time when the United States is constantly warning of military and diplomatic actions against Iran as a result of the nuclear deal, it is perhaps only natural that any state-sponsored cyber-espionage campaign would look to obtain as much information as possible about key decision-makers within these governments.

Cybersecurity experts also warn that the Iranian hackers might be looking for a way to influence political elections, spread disinformation, and undermine the political and economic systems of these countries. For example, once the Iranian hackers have the contact information of officials (including email addresses), they can begin to send out fake messages on behalf of these officials. Imagine receiving a message from the UK Prime Minister talking about Iran-linked issues. Moreover, any personal information gleaned from these accounts might be used for cyber-extortion or other activities, such as phishing campaigns or denial of service campaigns directed against certain political parties.

The third possibility, though, is the one that is really alarming: the Iranian hackers might have already launched a cyber war against the West as a sort of pre-emptive strike meant to cripple the West before it can carry out stronger economic sanctions or military action against Iran. This might explain why the Iranian hackers are stepping up their efforts against UK infrastructure. However, it is unclear how collecting a list of 100 email addresses is really going to do much to sway the outcome of any cyber war. Of far greater importance, it would seem, would be the types of corporate secrets – such as new ship designs – that have immediate impact on military strategy.

Global dimensions of the Iranian cyber offensive

One thing is certain, however, and that is the fact that the cyber offensive being carried out by Iranian hackers is now truly global. While the primary targets appear to be the intelligence-sharing Five Eyes nations of the U.S., Canada, UK, Australia and New Zealand, there is reason to believe that just about any ally of these nations could become future victims of the Iranian hackers. A cyber incident affecting some UK government agencies could be a warning signal of more to come.

In the U.S., for example, the FBI indicted 9 key leaders and officials from the Mabna Institute, an organization closely linked to the Iranian government. The FBI is also investigating the case of a former U.S. counter-intelligence agent accused of sharing information and data with Iranian hackers as part of a cyber-espionage program. In addition to this case involving a top cyber operative, hackers from the Dark Web might be coordinating with Iranian nation state actors to gain access to sensitive targets.

There appears to be a shadowy group of Iranian hackers that are backed – or, at least, encouraged – by the Iranian government. In addition to Mabna Institute, for example, there is Iridium, which has been linked to various cyber attacks in the West and is known to recruit hackers from across the Middle East and coordinate efforts with the Islamic Revolutionary Guard Corps. And it could be the case, say cybersecurity experts, that these Iranian hackers are carrying out “stealth” campaigns that are designed to remain hidden and lurk in the background until just the right moment. At that time, they might be used to bring a nation’s critical infrastructure to its knees, without anyone even being aware of a cyber attack.

Next steps

Going forward, it is clear that the top cybersecurity agencies in the West – including the Australian Cyber Security Centre – are going to have to step up their efforts against the Iranian hackers to protect domestic companies and government agencies. If Iranian hackers are, indeed, acting as extensions of the Iranian Revolutionary Guard or other military units, then the time might be nearing when the West will need to move from a defensive cyber posture to a much more aggressive offensive cyber posture.