17 January 2020

How Iran Can Still Use Cyber and Drone Technology to Attack the U.S.

By Sophie Bushwick 

On Wednesday morning, in retaliation for the U.S. assassination of military leader Qasem Soleimani, Iran launched a ballistic missile attack on two Iraqi bases housing U.S. troops. This action marks the most direct Iranian attack on the U.S. in almost 40 years.

Early reports suggest Iran may have intentionally avoided loss of life in the attack in an attempt to make a statement—and to address anger among its public—without escalating the situation in a way that would lead to a large-scale military confrontation. President Donald Trump stated that no Americans had died in the attack, and he announced no new military actions. Whether the current crisis calms down or boils over, however, hostilities are likely to continue to at least simmer. To learn more about the technology at Iran’s disposal and how the nation is using it against the U.S., Scientific American spoke with Chris Meserole, a fellow in foreign policy and expert in artificial intelligence and emerging technology at the Brookings Institution, a Washington, D.C.–based think tank.

What are precision-guided weapons such as ballistic missiles and drones capable of?


That’s something that used to really be the exclusive province of the U.S. and a few other really high-tech countries. But as the cost of that technology has gone down, countries such as Iran have been able to master it as well, and they’ve developed some sophisticated weapons that are difficult for us to counter. The main thing that I worry about with Iran is that they’ve really mastered precision-guided technologies in a way that’s tremendously problematic for the U.S. and our allies in the region.

It was a really sophisticated attack that Iran carried out [against Saudi Arabian oil-processing facilities in 2019]. They had a combination of cruise missiles and drones that they flew over the oil refinery. They knew exactly what parts they needed to hit to cause the most amount of damage to the infrastructure while minimizing loss of life. And it was all contingent on their ability to really precisely target parts of the facility down to, literally—I think it was something like the meter. The precision and accuracy with which they attacked that site was really unprecedented, and it was made possible by their mastery of drone technology and cruise-missile technology. I mean, Saudi Arabia purchased an enormous amount of weaponry from the U.S. designed to secure Saudi airspace, and the fact that Iran was able to carry out that attack, even with the amount of protection that Saudi Arabia had—it’s pretty astonishing.

Iran also poses a digital threat to the U.S. What types of cyberattacks has it used in the past?

Historically, around over the past decade, [Iran] has graduated from fairly simple to increasingly complicated attacks. The early attacks that the Iranian hacker groups carried out were what are called distributed denial of service, or DDoS, attacks. And that’s basically where there’s a Web site you don't like, so you create a bunch of servers around the world, have them all trying to access that Web site at the same time, and then it just crashes. It’s a primitive form of attack, like you’re trying to squeeze a bunch of people through one front door: they all can’t fit, and so the whole thing falls apart. Those are fairly easy to set up and are kind of like the entry level of doing state-sponsored attacks. They can be very problematic, but they’re not particularly sophisticated.

Another form of attack is what’s called DNS [hijacking]—DNS is short for domain name server [or system]. There’s a central repository of domain names that match URLs to specific servers around the world. And if you can spoof somebody’s domain name, you can redirect traffic for a particular Web site. You may recall that Twitter was really essential to the popular uprising in Iran in 2009. That’s also when an Iranian proxy hacker group did a DNS attack on Twitter and redirected their traffic, for a bit, to a less pleasant Web site. Those are not trivial to do—you need computer expertise, obviously—but they’re not particularly sophisticated.

What has happened more recently is Iran has moved upstream, in terms of the quality and sophistication of their viruses. The most notable so far is this one program called Shamoon, and that virus is what’s called a wiper. Wiper refers to a class of computer virus that, once it propagates itself across a network of computers, you can use to remote wipe all of the computers that are on that network. It can be a really devastating way of just shutting down a computer network and, by extension, a larger organization. The most sophisticated hack that Iran has done so far is probably the wiper attack on [the oil company Saudi] Aramco [in 2012]. They basically just wiped out all of [Saudi] Aramco’s computers within Saudi Arabia (or a lot of them) to the point where it was fairly dangerous and tremendously damaging to [Saudi] Aramco and, by extension, to Saudi Arabia as well. I have to think that it was incredibly expensive for them to deal with that—[the cost] was probably in the tens of millions [of dollars], I would imagine, at least in terms of labor and the computer hardware that they had to replace.

The holy grail of attacks are viruses that can get into industrial control systems, or what are called ICS. The Stuxnet attack that the U.S. and Israel carried out on Iran in 2007 is an example of that kind of virus, where you get into the industrial control system of a particular hardware or piece of infrastructure, and then you can begin to control and corrupt it in ways that have physical real-world consequences. The fear that most cyber experts have is that Iran might develop the capability to get itself into the ICS of, say, the nuclear power plants or electrical grid in the U.S. We know that they’re trying to: even [less than] five years ago [it was reported that] they were trying to get into a dam in upstate New York. And if they develop that kind of capability, then it’s no longer just deleting a bunch of files from this computer, but it’s potentially having significant real-world consequences.

The simplest and most straightforward [attack] would be [one] similar to what I believe Russia did in the Ukraine a few times, where they just turn the lights off. If you’re firmly embedded in the ICS of energy companies and networks, that’s something that you can do. Thankfully, we’re fairly resilient to a large national blackout [in the U.S.]: we have so many different electrical and power systems operating around the country that you’d basically have to implant your virus on all several hundred different systems. Probably the greatest real-world attack of an ICS that [would have the most severe consequences] would be [one targeting] the systems that regulate dams, in particular dams that have large downstream populations. You could, in theory, degrade the integrity of the dam or just deliberately tell it to let water flow through and release all the water in the reservoir on a downstream population. Another area that a lot of experts worry about would be hospital infrastructures.
ADVERTISEMENT

But as far as we know, Iran has not infiltrated these systems yet—right?

We know that they’re trying; we don’t know that they have succeeded. There was a big piece of news in November, where Microsoft publicly announced that they had thwarted an attempt by Iranians. Microsoft had detected that [the elite hacker unit APT 33] was trying to break into the accounts of a pretty large number of different ICS manufacturers. It was a huge tell that Iran really is trying to get pretty sophisticated [in] developing ICS capabilities.

In the near future, what cyberattacks might we expect Iran to actually use?

In the near term, I expect them to do some of the low-level attacks. Every time there’s a major crisis between the U.S. and Iran, we do see heightened cyberactivity against our financial services, oil sector or U.S. government agencies. And what Iran is trying to do there is to project a certain amount of strength while also probing for vulnerabilities that they can exploit in any kind of major attack down the road.

But I’m a little bit more optimistic than a lot of other experts out there—I’m skeptical that they could pull off [a cyberattack] that would be really detrimental to us the way that the strike against Soleimani was detrimental to Iran. In cyberspace, they’re good enough to cause a strategic nuisance, but I don’t know that they’re necessarily willing or capable of causing a strategic catastrophe for the U.S. We should be wary of what they might do, but we also shouldn’t freak ourselves out—we shouldn’t think of them as a 10-foot-tall monster that’s going to take down all of the electrical grid on the Eastern seaboard or anything like that.

No comments: