8 January 2020

Soleimani ‘Revenge’—This Is Why Iran’s Most Dangerous Cyber Weapons Will Stay Hidden

Zak Doffman

The fact the U.S. has taken the decision to kill Iran’s most powerful general, Qassem Suleimani, is less surprising than the fact it took them this long. The commander of the country’s Quds Force was viewed as an extreme threat to U.S. interests, the second most influential person in Iran behind Ali Khamenei, the most dangerous person in the region. American and European nationals have now been warned to leave a Middle East bracing for a short-term physical response that might include attacks on security and commercial facilities, on tourism and shipping, on the Strait of Hormuz.

We can expect something “immediate and spectacular,” says Philip Ingram, formerly a senior officer within British Military Intelligence, now a defence analyst—he expects “a longer term sustained escalation of proxy wars in the region, deniable terror attacks.” The significance of Soleimani’s killing “cannot be underestimated,” he tells me, but the organisation survives, with a protege in charge.
And that brings us to the likely cyber response. The ongoing standoff between the U.S. and Iran, and their respective allies and proxies, has integrated the physical and cyber domains as never before. The new mix-and-match approach means an attack in one domain can lead to retaliation in another. Iran has been developing its offensive cyber capabilities at breakneck speed: sponsoring threat groups, hitting industrial targets in the region and the U.S., even targeting mainstream software platforms. The U.S. government certainly expects some form of cyber response. Surely, Iran will now hit critical U.S. targets with everything it has available?

Maybe not, at least not in the way you might expect. Cyber attacks on restricted targets don’t make compelling TV news. They are largely unseen. Difficult to fact check and attribute. You really need the victim to admit the attack. Khamenei has initiated three days of highly charged public mourning and warned the U.S. that they will face “severe revenge” for the killing of Suleimani. Unseen technical hits do not fit that bill.

What does fit that bill, though, are headline-grabbing attacks on mainstream consumer services and on the internet infrastructure. Not especially sophisticated, but difficult to hide. This is what cybersecurity powerhouse Check Point expects: Iran’s response will be “fast and noisy,” and will come “within a matter of days.” But the firm’s lead researcher Oded Vanunu also tells me “Iran won't start a major cyber campaign—they fear that if they escalate they will get hit worse.” Put simply, if Iran pushes the U.S. too hard then the repercussions will be difficult to manage.

According to Vanunu, Iran has “the ability to target key individuals and facilities,” but not on a level anywhere close to the U.S. “You don’t activate your best cyber weapons,” he explains, “you keep them in a drawer until the day of war—now is not the time to pull them out. Iran will clearly understand that they have more to lose if they activate sophisticated tools to take down facilities or infrastructure, they’re more exposed.”

As I’ve written before, Iran understands that retaliation against the U.S. military in the cyber domain “might be akin to throwing rocks at a tank,” but it can hit the vast and under-protected U.S. corporate sector at will. In the past this has meant denial of service, ransomware and cyber espionage against the private sector. Now, though, Iran is likely to go further. “Iran will go for targets that create headlines—health, financial services, social media,” Check Point’s Vanunu says—he lists U.S. internet household names. “The outcome will not be casualties, but hitting reputations, creating fear.”

The reality is that Iran and the U.S. have been engaged in a cyber conflict that hasn’t stopped. The U.S. has proven its ability to take down core Iranian command and control structures. Iran has attacked the soft underbelly of the U.S. commercial sector, albeit with most of its focus on regional industrial targets. There is no reverse Stuxnet coming anytime soon; Check Point doesn’t see U.S. critical infrastructure as a key target—the repercussions would be too hard, too swift. “They're doing their calculations now—they understand the risks.”

“Iran often boasts about its own cyber-capabilities to intimidate its enemies,” Kate O’Flaherty reports for Forbes; it’s a promise they likely now need to fulfil. But in doing so, Check Point expects, the country will save its most sophisticated cyber weapons until later, until it crosses a line, until it’s prepared for that point of no return.

“They can use special zero days to take down facilities,” Vanunu says. “Iran is in a race to get those weapons, those zero days, to penetrate restricted targets. But I don’t think this is something they've done before—it will be something new.” Furthermore, once Iran breaks cover on its most sophisticated tools, the clock begins ticking. “If they use all their tools then they will be broken.” He means breaking cover on new exploits gives the U.S. an opportunity to defend against them next time around.

If Iran were to take cyber to the next level, to shift gears, it would likely need support. I’ve commented before that the threat of Russia or maybe China using Iran as a cyber proxy is something to fear. “I think it is distinctly possible that Iran offers itself to Russia and possibly China as a proxy for cyber attacks,” Ingram tells me, “for plausibly deniable terror attacks and more.” But not just yet, at least not according to Check Point. Vanunu talks of “clear cooperation between those countries,” but also says that, in his view, “Russia and China don’t need Iran as a proxy—it would be a declaration of war—it’s not a good time for this type of cyber attack.”

And so, behind the charged rhetoric and threats, we can expect some form of headline-grabbing cyber response—but we should not view this as illustrative of the most powerful tools at Iran’s disposal. For that we still have longer to wait.
