Leaked Documents Reveal Iran’s Contingency Plans for Sinking Cargo Ships, Attacking Fuel Infrastructure With Cyber Attacks

A set of documents obtained by Sky News, allegedly originating from the Iranian cyber command, details plans by Iran to do advanced real-world damage with cyber attacks. While the documents do not indicate that Iran is actively planning to execute these attacks, the country appears to be creating a folder of plans to call upon in the event of war. The strategies include using cyber attacks to sink container ships, attack utilities in foreign countries (one report documents a plan to make fuel pumps at gas stations explode), and even attack facilities by making smart device controls malfunction.

While there are no specific targets or plans indicating an imminent attack, the documents indicate that Iran is interested in directing these attacks against Western countries, primarily the United States, United Kingdom and France.

Iran wargames for doing real-world damage with cyber attacks

The 57-page collection of five research reports was leaked to Sky News by an anonymous security source, who says that they originate from the Shahid Kaveh offensive cyber unit of Iran’s Islamic Revolutionary Guard Corps’ (IRGC) cyber command; all are marked “very confidential” and are the sorts of materials that rarely make it out to public view. The source believes that the secretive agency is building a “target bank” to keep on hand and use whenever the circumstance presents itself.

The work focuses heavily on civilian infrastructure, something that has been a matter of greatly heightened concern after the recent attacks on Colonial Pipeline and JBS. Each of the reports focuses on a specific category or type of target, and most are dated at some point in 2020.

One of the reports focuses on the filtration and “ballast water” systems of large cargo ships. The report notes that these systems require very precise operation, and could potentially tip the ship over and destroy it if disrupted. The controls are linked to land-based operations via satellite systems. A second report focuses on maritime satellite communications, specifically a commonly used communication system called the Sealink CIR that provides phone and fax connections to land. This report did not reference a specific vulnerability or attack type, but appeared to be conducting research to see how many of these devices were connected to the internet and had exposed login screens.

Another report examines the possibility of turning retail fuel pumps into weapons by hacking a component called an “automatic tank gauge” that tracks fuel flow and can be remotely accessed. The report concludes that it is theoretically possible to make a pump explode by remotely increasing the temperature of the gas; it is also possible to simply cut the fuel off from the pump with a cyber attack. This vulnerability appears to be in a specific type of fuel pump manufactured by United States-based Franklin Fueling Systems, which provides pumps all over the world. A spokesman for Franklin responded to the statement by saying that remote control of an automatic tank gauge by an attacker was theoretically possible, but the company did not believe that the temperature could be increased enough to cause an explosion and that redundant safety systems were in place to prevent accidents of this nature.

The final two reports focus on smart devices used as environmental controls in both residential and business settings. One of the reports consists of nine pages of research into all sorts of smart devices incorporated into building management systems, cataloging the companies that manufacture these devices and provide related services. A 22-page report goes in depth on German electrical equipment manufacturer WAGO and a potential vulnerability in its programmable logic controller (PLC) systems. This report concludes that it is not presently viable as a cyber attack method, as there is no means of assessing the damage caused, but it does suggest further research into “weak points.”

Response to threat of cyber attacks

While these planned cyber attacks are mostly general ideas not necessarily supported by specific known vulnerabilities, leaders of the Western nations most likely to be targeted by Iran are taking the threat seriously. General Sir Patrick Sanders, the top military officer overseeing UK cyber operations, told Sky News: “They are among the most advanced cyber actors. We take their capabilities seriously. We don’t overstate it. They are a serious actor and they have behaved really irresponsibly in the past.”

Richard Blech, CEO and Founder of XSOC CORP, believes that the US national security response will be equally serious: “Iran has most certainly been on the radar recently and continues to be a growing threat to global critical infrastructure, along with their other geopolitical allies as well. Just last week we saw Iran infiltrating the US military by catfishing military members on Facebook Messenger, so I do not find it surprising at all that they are now moving onto these new tactics of file compilation on civilian critical infrastructure. While other nations’ cybercriminals are often motivated by financial gain more than espionage, I believe being perceived as a viable and dangerous threat actor is the primary motivating factor in Iran’s case and to a certain extent, espionage to use in bartering for other assets with their allies. But regardless of the motivation behind these cyber attacks, the most important thing we can do is appreciate that the situation with Iran is on our radar so we can properly prepare with security measures and mitigate the risks of falling victim to an attack. The US government should be prepared to act with all countermeasures available and fully enforce sanctions on Iran.”

Nation-states have long had the ability to direct cyber attacks against each other’s physical infrastructure and potentially cause fatalities in that way, but this power has largely been held in reserve as it is seen by most as an unacceptable escalation that could trigger a conventional war. Some actors have been edging toward using cyber attack capabilities in this way, however, Iran among them. Israel is thought to have been behind an attack on the computers controlling Iran’s port traffic last year, after Iran allegedly attempted an attack on Israel’s water systems.