Iran’s state-sponsored computer hackers have been under a steady and unusually public bombardment in recent months, with details of their secret operations bared to the world and portions of their online infrastructure stolen away. That unwanted attention has left Iran’s cyberwarriors battered and bruised, even as tensions with the West rise to new levels.
If you’re looking for a way to inflict pain on America and its allies without killing American troops or citizens, cyber seems like a domain that’s ripe for mischief. Fortunately for Tehran, it’s also a domain where they’ve demonstrated some notable skill. Security researchers have tracked a number of hacking gangs linked to Iran, each with its own flavor. Oil Rig, Iran’s version of Russia’s Fancy Bear, infiltrates networks far and wide through phishing attacks. The group dubbed Newscaster specializes in running fake personas on social media platforms to get close to a target. Elfin, or APT33, performs offensive, destructive attacks, like a November incursion into an Italian company with a presence in Saudi Arabia.
“They wiped a bunch of their computers,” said Ben Read, senior manager for cyber espionage analysis at FireEye. “So it’s something they’ve done recently.”
Thus far, there’s been no reporting of an uptick in Iranian cyberthreats over the past two months, but cybersecurity firms are on guard. “They have been probing critical infrastructure organizations in the Gulf for years and there have been several destructive incidents,” John Hultquist, director of intelligence analysis at FireEye, told The Daily Beast. “We are concerned that similar incidents are imminent."
But Iran’s hackers have been having a run of bad luck, beginning last November when security companies discovered one of their covert hacking campaigns.
Dubbed DNSpionage by Cisco’s Talos, the campaign was both brazen and cunning. Instead of directly trying to penetrate a target network, the hackers were hijacking the controls for their target’s internet domain names. That allowed them to redirect incoming traffic wherever they chose. It was roughly the electronic equivalent of a thief filling out a bogus change-of-address card to forward a victim’s mail to his own address.
That sort of out-of-the-box thinking is typical of Iranian-linked hacking groups, said Read—they lack the resources of their counterparts in the U.S., China and Russia, but show unusual craftiness in their attacks. “They’re not good at overpowering the most defended spot, but they’re much better at finding the one place on your network that isn’t well defended,” Read said. “They’re sort of the guy who can use the pump fake at just the right time to get a shot off.”
FireEye publicly attributed the DNSpionage attacks, with “moderate confidence,” to the Iranian government. And though the hacks mostly targeted the Middle East, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency chose DNSpionage as the subject of its first-ever government-wide emergency directive in January, ordering other agencies to take specific defensive measures against DNS hijacking, and putting Iran’s cyber capabilities under a microscope.
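The hijack described above works by changing the records, or the delegation, that tell the internet where a domain’s traffic should go, which is why the defensive measures for it start with an audit of those records against a known-good copy. The script below is an added example written for this page, not code from Talos, FireEye or the directive: it compares a baseline snapshot of a zone with a freshly observed one and flags any sensitive record set that has drifted, and separately checks that the nameservers the registrar publishes match the zone’s own NS set. The domain names and addresses are constructed sample data.

```python
"""Audit a zone's DNS records against a known-good baseline.

Added example for this article, not vendor or government code. The zone,
hostnames and IP addresses below are constructed sample data; in practice the
observed snapshot would be gathered from the zone's authoritative servers and
from at least one public resolver, so that a hijack at either layer is visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset

    def describe(self) -> str:
        added = sorted(self.observed - self.expected)
        removed = sorted(self.expected - self.observed)
        return f"{self.name} {self.rtype}: added={added} removed={removed}"


# Record types whose change redirects traffic or mail, or hands control of the
# zone to someone else. TXT and similar records are noisy and are not audited here.
SENSITIVE_TYPES = {"A", "AAAA", "NS", "MX", "CNAME"}


def audit_records(baseline, observed):
    """Compare two snapshots shaped {(name, rtype): set(values)}.

    Every sensitive record set that differs, appeared, or disappeared produces a
    Finding. Whole RRsets are compared, so a single extra nameserver or an added
    A record is reported, not just a replaced value.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        if rtype not in SENSITIVE_TYPES:
            continue
        exp = frozenset(baseline.get(key, ()))
        obs = frozenset(observed.get(key, ()))
        if exp != obs:
            findings.append(Finding(name, rtype, exp, obs))
    return findings


def check_delegation(registrar_ns, zone_ns):
    """The nameservers the registrar publishes (the parent-side delegation) must
    match the zone's own NS set. A registrar-account compromise shows up here even
    when the zone file itself has not been touched."""
    problems = []
    for ns in sorted(set(registrar_ns) - set(zone_ns)):
        problems.append(f"delegation to unexpected nameserver {ns}")
    for ns in sorted(set(zone_ns) - set(registrar_ns)):
        problems.append(f"expected nameserver {ns} missing from delegation")
    return problems


# Constructed baseline, captured while the zone was known to be correct.
BASELINE = {
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test.", "MX"): {"10 mail.example.test."},
    ("mail.example.test.", "A"): {"192.0.2.10"},
    ("www.example.test.", "A"): {"192.0.2.20"},
    ("example.test.", "TXT"): {"v=spf1 mx -all"},
}

# Constructed snapshot in which the mail host's A record now points elsewhere.
OBSERVED = {
    ("example.test.", "NS"): {"ns1.example.test.", "ns2.example.test."},
    ("example.test.", "MX"): {"10 mail.example.test."},
    ("mail.example.test.", "A"): {"198.51.100.77"},  # redirected to a foreign host
    ("www.example.test.", "A"): {"192.0.2.20"},
    ("example.test.", "TXT"): {"v=spf1 mx -all", "verification=abc"},  # ignored
}

if __name__ == "__main__":
    for finding in audit_records(BASELINE, OBSERVED):
        print(finding.describe())
    for problem in check_delegation({"ns1.example.test.", "ns2.example.test."},
                                    BASELINE[("example.test.", "NS")]):
        print(problem)
```

Run against the sample data it reports only the mail host, whose A record moved from 192.0.2.10 to 198.51.100.77, which is exactly the kind of change that lets an attacker sit in front of a victim’s mail or login page while the zone otherwise looks normal. The baseline must come from a trusted copy kept outside the DNS provider account, since a compromised account can rewrite the records and the history the provider shows.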
It was the start of a series of public disclosures that have bathed Iran’s cyber ops in the kind of high-intensity light anathema to any covert organization.
In February, federal prosecutors unsealed espionage charges against Monica Witt, a former U.S. Air Force intelligence officer who defected to Iran. The indictment went beyond laying out the charges, and detailed how Witt allegedly helped cyber spies in Iran’s Islamic Revolutionary Guard Corps target her former military colleagues on social media, using impersonation, fake profiles and inside information provided by Witt to infiltrate a target’s social circles. Four Iranians were charged as well.
The next month, Microsoft hit Oil Rig in another soft spot—the web addresses it uses in its phishing attacks. Repeating a tactic the company has been using against Russia’s Fancy Bear, Microsoft lawyers sued Oil Rig in federal court, winning an injunction giving its security team control of 99 domains the hackers were using to trick victims into giving up their passwords.
Things went from bad to worse for Iran’s cyber spies a few months later, when a mysterious Telegram channel opened up called “Lab Dookhtegan”—“sewn lips” in Farsi.
“We are exposing here the hacking and penetration capabilities that the malicious Iranian ministry of intelligence uses for its evil goals,” the channel announced. “These capabilities include specializing in databases, Internet service providers, programming languages, hacking implants, social engineering, etc. This damn ministry uses these capabilities to spy on innocent compatriots… The time has come to crash them.”
It was no idle boast. Since their debut, the anonymous operators of Lab Dookhtegan have doled out a wealth of inside information about Oil Rig’s tactics, tools, and targeting, including the private source code for the group’s malware, a long list of the systems they’ve hacked from Thailand to Qatar, the alleged names and biographical details of some of the individual hackers, and the blueprints for their command-and-control infrastructure, right down to the IP addresses of their rented servers.
“Exposures like that impose a cost,” said Read. “When infrastructure gets burned, they have to find a way to get money out of Iran covertly to replace it. It wouldn’t surprise me if, as a consequence of that, they had to kind of slow down.”
The leaks have proven a bonanza for some of the security experts tracking Iran’s hackers, who got to see the original source code for malware they've been encountering at crime scenes for years. Whoever is running the Telegram channel remains a mystery, but there’s no shortage of suspects—spy agencies in Israel, the United Arab Emirates, and the U.S. are all possibilities.
Despite the setbacks the Iranian cyber warriors have suffered, nobody doubts that they retain the ability to do serious damage. And Read notes that it’s usually impossible to distinguish a routine espionage hack from a destructive attack until it’s too late.
“They’re good enough to get in lots of places and mess things up,” said Read. “With what’s going on geopolitically, we’re taking them very seriously.”