For four days in early December, Iran's leading university shut down. The web conferencing software used for classes constrained by COVID-19 stopped working. Professors and students were unable to access their files.
This was the latest round in the low-intensity but growing cyber hostilities between Iran and its adversaries, particularly Israel, which have traded hacks as part of a long-running shadow campaign of mutual destabilization. But the blow to the University of Tehran and similar incidents represent a shift, according to experts, from the routine targeting of military and nuclear sites to a full-blown cyberwar against civilian infrastructure.
“This is an important distinction about cyber conflict – it typically affects civilians and affects the private sector,” said John Hultquist, vice president of intelligence analysis at US cybersecurity firm Mandiant.
“These are not military objectives. … The government is often not the public for many of these incidents.”
The expanding cyber battlefield in the Middle East comes as Iran improves the defenses of its controversial nuclear program, said Maysam Behravesh, associate researcher at the Netherlands-based Clingendael Institute, who was an intelligence analyst and foreign policy adviser for the Iranian Ministry of Intelligence and Security from 2008 to 2010.
“As Iran’s nuclear facilities spread across the country and attacking the program became much more complicated, Israel took a new approach: carrying out massive cyber attacks against sensitive civilian targets like roadblocks, gas stations and power stations to foment nationwide riots with the aim of overthrowing the regime or keeping the leaders busy with daily and endless riots,” Behravesh said.
In addition to the attack on Tehran University earlier this month, Iran’s second-largest airline, Mahan Airlines, was hacked in November and its website became inaccessible. A large-scale hack in October disabled pumps at 4,300 gas stations across the country.
In August, a hacker group called Edalat-e Ali (Ali’s Justice) leaked security footage from an Iranian prison showing guards beating prisoners. July saw a hack that crippled the rail system; another group, Tapandegan, attacked airports in major cities and towns. And this is only a partial list of government-acknowledged incidents, which Tehran has attributed mainly to Israel without always presenting evidence for the claim.
After the attack on the gas stations, the new hard-line president, Ebrahim Raisi, called for “serious preparation in the area of cyber warfare,” saying the Iranian authorities “should not allow the enemy to continue their operations and disturbing goals of making problems a trend in people’s lives,” state media reported.
Meanwhile, Iran has retaliated with its own attacks, according to Israeli and US officials and experts.
This month, Check Point, a cybersecurity firm in Tel Aviv, said a large number of Israeli companies had been targeted by an Iran-linked hacking group known as Charming Kitten. Also this month, Symantec’s Threat Hunter Team announced that a group whose “targeting and tactics were consistent with Iranian-sponsored actors” had carried out a months-long campaign of attacks against telecom operators, IT service organizations and a utility company in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates and Pakistan, among others.
In November, authorities in the US, UK and Australia warned that Iranian-sponsored attackers had exploited software vulnerabilities to deploy ransomware. Earlier this year, Facebook reported that the Iran-linked group Tortoiseshell had created fake online personas to contact U.S. military personnel and employees of U.S. and European defense companies, in order to send them malware and extract information from their targets.
Also in November, Fars News, an agency run by Iran’s notorious Islamic Revolutionary Guard Corps, “doxxed” an Israeli cybersecurity specialist focused on Iran, meaning it published the specialist’s name, phone number, home address and other personal details. This followed an attack by a group called Black Shadow, which posted a huge amount of private data from the Israeli LGBTQ website Atraf.
The attacks have sparked a parallel race to plug vulnerabilities. On Saturday, the IDF announced that its joint cyber defense division had taken part in exercises with the United States Cyber Command last week, the sixth such joint exercise this year. Earlier this month, Israel conducted “Collective Force,” a simulation of major cyberattacks on financial markets that included Treasury officials from the United States, Israel, the United Arab Emirates and Britain, among others.
Iran’s relative international isolation gives it few opportunities for such partnerships. US-led sanctions have also made the country particularly vulnerable to attack, forcing Iranians to rely on pirated, cracked or outdated versions of software that they cannot update against new security threats.
The attack on Tehran University, for example, crippled an older version of Adobe Connect, a web conferencing software suite. Professors and students switched for a few days to BigBlueButton, a free, open-source web conferencing system whose code is available to anyone who wants to modify it to eliminate vulnerabilities.
The sanctions also mean that Iran lacks the resources to deter attacks at the national level, especially when faced with far more advanced adversaries capable of finding so-called zero days, flaws in program code that are unknown even to the software maker and that can be used to break into a system.
“You need to have a massive, large-scale organization that can operate down to the network level on all of those potential targets,” Hultquist said. “It is already a difficult battle, and if you run out of resources you will end up with the adversary who will access them easily.”
At the same time, because the Iranian state apparatus and private companies are forced to rely less on advanced technology and systems to operate their equipment, the impact of an attack is smaller than it would be in countries like the United States, where such systems play a more important role.
This has prompted Iran to focus on the offensive side of cyberwarfare. Instead of custom malware like Stuxnet, the sophisticated computer worm designed by the United States and Israel that wreaked havoc on Iran’s nuclear systems in 2010, Iranian hackers have deployed publicly available malware along with cracked versions of remote administration tools and legitimate security assessment tools such as Cobalt Strike, a threat emulation tool.
And there is no shortage of cyber warriors. The Revolutionary Guards regularly recruit specialists in data mining, network penetration and hacking from educational institutions such as Imam Hossein University, where scholarship students enter the Guards’ service after graduation, once they have passed ideological interviews and a thorough background check. Those accepted are not allowed to work in the private sector or abroad but receive higher salaries to compensate.
If the carrot does not work, the stick comes out: according to several Iranian computer engineers who requested anonymity, when the Iranian security services catch hackers, they force them to work for the state in order to avoid jail.
Despite the escalation of hostilities, the attacks so far have been far from all-out war, Hultquist said.
“It is analogous to terrorism in the sense that it is about creating a perception of danger or insecurity based on contained and rare acts,” he said.
But Behravesh, the former Iranian intelligence analyst, believes the intensification of attacks is a prelude to a wider conflict, especially as the prospects of reviving Iran’s nuclear deal with Western and other world powers fade.
“This change in the pattern of the Israelis to strike civilian targets is a pre-strike step, which means they are giving the strike one last chance before resorting to a large-scale military operation against Iranian nuclear facilities,” he said.
“I would say that time is running out and the world and the Middle East could be at the point of no return.”
Special correspondent Khazani reported from Tehran and Bulos from Amman.