Iran Has Built an Army of Cyber-Proxies

Jordan Brunner

Tower Tomorrow Fellow; Law student, Arizona State University

The long-term threat of cyber-warfare is something many Westerners prefer to ignore. But America’s enemies are working overtime, and the biggest threat is not China.

Katherine Archuleta, the now ex-director of the U.S. government’s Office of Personnel Management (OPM), probably never expected that she would have to resign after only two years of service. Insisting that she was “as angry as anyone” about the recent hack of OPM’s computer system, which according to ABC “potentially exposed the personal information of tens of millions of people,” she crusaded valiantly for her job despite opposition from Republicans and Democrats alike. The cyber-attack that so angered Archuleta and members of Congress was subsequently attributed to China by Director of National Intelligence James Clapper. If he is correct, the OPM hack is the latest in a long list of Chinese cyber-attacks. They started in 2009 with the successful hack of U.S. military contractors’ computers, which was undertaken in order to steal the plans for the F-35 Joint Strike Fighter. They moved on to leading energy companies such as Marathon Oil, ExxonMobil, and ConocoPhillips. Then came a campaign against large media outlets like The Wall Street Journal and The New York Times.

China is not alone in using cyber-attacks against the United States. Iran has been linked to attacks against billionaire casino tycoon Sheldon Adelson’s Las Vegas Sands Corp. Numerous banking institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, and HSBC have also been victims. In addition, Iran has attacked Saudi Aramco, Saudi Arabia’s national petroleum and natural gas company.

But while the U.S. and the rest of the world have concentrated on the illicit cyber-activities of expansionist regimes like China and rogue states like Iran and North Korea, there is a small but growing list of private cyber-actors—often supported by the aforementioned regimes—that has been largely ignored.

While groups like the Chinese military’s PLA Unit 61398 are directly managed by nation-states, private actors are more difficult to combat. They cannot be held directly accountable or controlled in the same ways as state actors. Nor are they monitored properly by the nations and groups they target.

When it comes to supporting these private cyber-actors, Iran appears to be one of the worst offenders. And this support could have terrible consequences. Since Iran may not have direct control over its cyber-proxies, it is possible for its leaders to deny or obfuscate responsibility for their actions, as it does with the terrorist acts of Hezbollah, Hamas, and the Houthis. But cyber-proxies are, in the long run, a major threat to the West. And the longer we wait, the more powerful they will grow.

Iran’s cyber-breakout was fast and sudden. Within the last few years, Iran has managed to build a cyber-capability that rivals those of the United States, China, Russia, the United Kingdom, and Israel, the most dominant actors in cyberspace. According to intelligence documents released by Edward Snowden in 2013, Iran has been ramping up its surveillance of the United States government. One of these documents, written by Gen. Keith Alexander, former director of the National Security Agency, describes the threat as serious enough for the U.S. to request Britain’s assistance in containing the damage from “Iran’s discovery of computer network exploitation tools”—a technical term for cyber-weapons.

Iran’s rapid development of its cyber-capabilities stems from the fact that it had an excellent, if inadvertent, teacher named Stuxnet. Stuxnet was a virus allegedly developed in 2007 by the United States and Israel. It was part of Operation Olympic Games, which sought to sabotage Iran’s nuclear weapons program. In another document leaked by Snowden, the NSA stated that Iran “has demonstrated a clear ability to learn from the capabilities and actions of others,” including from “Western attacks against Iran’s nuclear sector.” In other words, Stuxnet taught Iran how to use cyberspace to its advantage.

Ever since then, Iran has invested heavily in developing its own cyber-capability. It has done so in order to protect against threats like Stuxnet and execute attacks of its own. The U.S. Army’s Strategic Studies Institute chronicled the rise of the Iranian cyber force last year:

In late-2011, Iran invested at least $1 billion dollars in cyber technology, infrastructure, and expertise. In March 2012, the IRGC [the elite Iranian Revolutionary Guard Corps] claimed it had recruited around 120,000 personnel over the past three years to combat “a soft cyber war against Iran.” In early-2013, an IRGC general publicly claimed Iran had the “fourth biggest cyber power among the world’s cyber armies.”

The latter claim has been substantiated by an Israel-based think tank, the Institute for National Security Studies, in its report on the matter.

The relatively inexpensive nature of computers and the wealth of students who are easily trainable in the arts of cyber-warfare have made cyber-capability increasingly attractive to rogue regimes like Iran. In contrast to the Iranian nuclear program, which has drawn the attention of world powers and forced Iran to negotiate with the United States in order to gain relief from heavy sanctions, Iran’s cyber-force draws much less attention and cannot be monitored as easily as a nuclear program. Worse still, it seems that Iran’s surreptitious development of its cyber-capabilities will only expand. Ian Bremmer, president of the global consulting firm Eurasia Group and editor-at-large at Time magazine, recently tweeted, “In 10 years’ time, Iran’s cyber capabilities will be more troubling than its nuclear program.”

Iran is adept at building terrorist and other illicit networks around the world. Its cyber-capabilities are no different. It uses the inexpensive method of training and collaborating with proxies in the art of cyber-war. It may also have collaborated with North Korea, which infamously attacked Sony in response to the film The Interview. It is possible that Iran assisted North Korea in developing the cyber-capability necessary to carry out the Sony hack. While acknowledging that there is no definite proof of this, Claudia Rosett of the Foundation for Defense of Democracies raised the question in The Tower earlier this year.

More importantly, Iran is sponsoring the cyber-capabilities of terrorist organizations in Lebanon, Yemen, and Syria. The first indication of this was from Hezbollah. The group’s cyber-activity came to the attention of the U.S. in early 2008, and it has only become more powerful in cyberspace since then. An attack that had “all the markings” of a campaign orchestrated by Hezbollah was carried out against Israeli businesses in 2012.

Lebanon’s neighbor, Syria, is home to the Syrian Electronic Army (SEA), which employs cyber-warfare in support of the Assad regime. There are rumors that indicate it is trained and financed by Iran. The SEA’s mission is to embarrass media organizations in the West that publicize the atrocities of the Assad regime, as well as track down and monitor the activities of Syrian rebels. It has been very successful at both. The SEA has attacked media outlets such as The Washington Post, the Chicago Tribune, the Financial Times, Forbes, and others. It has also hacked the software of companies like Dell, Microsoft, Ferrari, and even the humanitarian program UNICEF.

Photo: 123RF

The group has carried out its most devastating cyber-attacks against the Syrian opposition, often using the anonymity of online platforms to its advantage. For example, its hackers pose as girls in order to lure opposition fighters into giving up seemingly harmless information that can lead to lethal crackdowns. The SEA’s sophisticated use of cyberspace developed in a very short time, and it is reasonable to infer that this was due to Iranian training. Iran has long supported the ruling Assad regime in Syria and would be happy to support those who support him.

In recent months, a group called the Yemen Cyber Army (YCA) has arisen, hacking into systems that belong to Saudi Arabia. The YCA supports the Houthi militia, which is fighting the Yemenite government and the Saudis; the Houthis are, in turn, supported by Iran. Thus far, the YCA has attacked Saudi Arabia’s Foreign, Interior, and Defense Ministries. They have also hacked the website of the Saudi-owned newspaper Al-Hayat. Messages from the group indicate that they are sponsored by Iran, and might even be entirely composed of Iranians.

Like a computer virus that starts small but steadily grows and mutates undetected, becoming deadly to the system it infects, Iran has managed to expand its cyber-presence across the Middle East. And like a virus, Iran’s mutated cyber-capabilities are as dangerous as the original.

In the first place, there is a fundamental problem with the way Iran is handling its cyber-influence. In empowering proxies with cyber-capability, it is employing a method very close to a foreign policy tactic called “orchestration.” Kenneth Abbott, the Jack E. Brown Professor of Law at Arizona State University, explains that orchestration is

A mode of governance widely used by intergovernmental organizations (IGOs) and other governance actors. … IGOs engage in orchestration when they enlist intermediary actors on a voluntary basis, by providing them with ideational and material support, to address target actors in pursuit of … governance goals. Orchestration is thus both indirect (because the IGO acts through intermediaries) and soft (because the IGO lacks control over intermediaries).

Although Iran’s use of proxies is not an exact replica of orchestration because the proxies are not intermediaries, the point is that Iran’s approach is indirect and soft, so as to give Iran plausible deniability of involvement.

While Iran’s approach is soft, the effects of Iran’s proxies on cyberspace are anything but. And these proxies could be as dangerous as their sponsor. Since orchestration is an entirely voluntary and soft method of governance, one of the few measures Iran can use to ensure obedience is the threat to cut off technical support. But as actors like the SEA and the YCA grow stronger and more sophisticated, they lose the need to rely on Iran. As a result, the orchestration-like relationship may dissolve over time while the danger remains.

The United States and the West would also find it difficult to control these proxies, especially using the means they have employed to control Iran. Non-state actors do not have an “address.” They are spread across countries and jurisdictions, making them hard to target or sanction. Such sanctions would also be less effective, since private cyber-actors have fewer assets than a state actor. For example, the U.S. State Department would be unable to freeze their assets, because there would be little or nothing to freeze. As a result, private cyber-actors could prove impossible to contain or suppress by conventional means.

For the most part, the United States and its allies do not see these private cyber-actors as a real threat, certainly not on the level of nation-states like Iran, China, Russia, and North Korea. One reason appears to be that attacks from states like China are part of a global strategy, while proxies like those employed by Iran concentrate on local areas. A perfect example would be the case of the SEA, whose primary role is to stifle internal dissent. Even if cyber-actors like the SEA are able to reach beyond their borders and attack regional allies or the U.S. itself—as was the case with the SEA’s attacks on American news organizations like the Associated Press, The New York Times, CNN, and even The Onion—the Obama administration tends to see these attacks as unsophisticated and “clearly a nuisance” rather than a serious threat.

But this ignores a problem that could turn deadly in certain circumstances. The idea that private cyber-actors are not a threat because they tend to be “local” in nature not only dismisses the danger as “not our problem,” but also ignores the fact that it could very quickly become our problem. Illicit cyber-activity in the Middle East causes instability, which harms U.S. interests. If the U.S. is drawn into a fight directly or through groups like the Syrian rebels, it could see itself devastated by attacks against its cyber-infrastructure, either at home or abroad. In addition, nations like China also use their cyber-capabilities to quell internal dissent, yet China uses the same capabilities to strike the U.S. The two are not mutually exclusive.

Clearly, “local” problems can easily become international problems. The SEA, for example, has grown sophisticated enough to hack into the U.S. Army’s public website, a move on par with ISIS’s penetration of the U.S. Army’s CENTCOM Twitter page. Even the SEA’s earlier overseas attacks had some teeth. A hack of The Washington Post caused the stock market to tip downwards, because a fake post claimed that President Obama had been “injured” in an attack. All of this is more than just a “nuisance.”

The historical record also proves that the “nuisance” argument often turns out badly. President George W. Bush ignored al-Qaeda for this very reason. Before 9/11, Bush was more concerned with Iran, Iraq, and North Korea than with the issue of non-state terror, as his former counterterrorism chief has confirmed. Another more recent example is ISIS, which was once a small group of terrorists to which the U.S. paid little attention.

The threat of private cyber-actors is even more pressing because, if not handled properly, they could set off a major war with little effort. With the pro-Houthi YCA attacking Saudi Arabia with impunity and the increasing likelihood that Israel and Hezbollah will go to war very soon, it wouldn’t take much to set off a conflagration. There are many different scenarios that could play out. Saudi Arabia or Israel could massively retaliate against an attack by a private cyber-actor sponsored by Iran, sparking a cyber-war that could result in a regional showdown if tensions get too high. What started as a cyber-conflict could turn into a very real war.

A U.S. company might respond to a cyber-attack in a similar way, sparking a war between the U.S. and the culprits. As Shane Harris points out in his new book @War: The Rise of the Military-Internet Complex, companies and institutions are responding to cyber-attacks with “hack-backs,” attempting to retrieve stolen information or retaliate against an attacker by stealing their data. Hack-backs are becoming a serious problem even within the U.S., where they are illegal unless explicitly authorized. Harris quotes a former NSA official saying, “It is illegal. It is going on. … It’s happening with very good legal advice. But I would not advise a client to try it.” Harris concludes that “A single act of self-defense could quickly escalate into a full-fledged conflict.”

It would be even easier for the military to get involved based on the standards of the new U.S. Army Law of War Manual. Maj. Gen. (ret.) Charles J. Dunlap, Jr., former Deputy Judge Advocate General of the Air Force, explained in a June blog post for the website Lawfare how an attack in cyberspace might be considered an act of war. The Department of Defense’s new policy is significant, he said, “because it shows that the U.S. defense establishment is plainly of the opinion that actual violence is no longer … necessarily required to constitute a legally-sufficient rationale for self-defense, cyber or otherwise.”

The U.S. military monitors a simulated electronic warfare test at Eglin Air Force Base. Photo: Capt. Carrie Kessler / U.S. Air Force / Wikimedia

Attacks against critical infrastructure—such as the electrical grid—that cause mass panic or significant damage to the execution of vital functions could be construed as sufficient to invoke the legal justification of self-defense. In fact, the electrical grid would be a perfect target: Downing the grid would cause mass panic and looting while shutting down other aspects of critical infrastructure across the United States, from the New York Stock Exchange to emergency services provided by hospitals. And according to Cheryl A. LaFleur, commissioner of the Federal Energy Regulatory Commission, these threats are real and definitely possible for a savvy cyber-actor to carry out.

Adding to the chaos is the problem of attribution. Hackers can make an attack appear as if it came from somewhere else, meaning that a well-intentioned hack-back could end up “hacking back” the wrong country or institution. There is also the possibility of a proxy taking action against the military capabilities of the United States in order to aid its sponsor.

At the moment, China appears to be the most dangerous cyber-threat on the horizon. But the threat from Iran is also serious, given the increasing sophistication of Iran’s capabilities and, by extension, those of its proxies. By training private hackers, possibly without clear and firm direction, Iran is orchestrating the distinct possibility of a global cyber-war.

At the moment, however, private cyber-actors and proxies are not on America’s radar due to their relative obscurity. Yet it is often the danger we don’t monitor that ends up causing the most damage. How then, can the U.S. and its allies act to contain this threat?

In this case, Israel provides a glimmer of hope in an otherwise grim situation. It has had some success in countering Iran’s cyber proxies. And it was Israel, after all, that allegedly collaborated with the U.S. to create Stuxnet, which caused significant damage to Iran’s nuclear program. According to the Israel National Cyber Bureau, Israel is the second-largest exporter of cyber-related materials, making it a leader in cyber-defense. It has also become very good at securing itself against attacks by all types of cyber-actors. In fact, Israel was named one of the most cyber-secure countries in the world a few years ago. Clearly, as the cyber-threat develops, the alliance between Israel and the U.S. will be essential to the cyber-security of both countries.

Even so, Iran is developing just as quickly as Israel—if not even more quickly—and when sanctions are lifted as part of the recently signed nuclear deal, Iran will have far more substantial resources to devote to cyber-warfare. This is a threat that the U.S., Israel, and the entire free world can no longer ignore.

Banner Photo: 123RF