How US sanctions compromised Iran’s cyberdefence, touched off hacking spree that spills out into physical world
In April 2020 hackers infiltrated the systems of an Israeli water-pumping station and tampered with equipment. Individual pumps started malfunctioning as officials scrambled to keep water supplies flowing for millions of people.
After the incident, which has been linked to Iran, officials said the damage could have been much worse: They suspect the attack was intended to poison water supplies by increasing chlorine levels. Weeks later, hackers targeted an Iranian port in an apparent act of retaliation.
“This was the first time that a nation responded immediately through the cyber medium for a cyberattack,” says Lotem Finkelstein, director of threat intelligence and research at Israeli cybersecurity company Check Point.
The attacks, he says, marked the start of a new wave of hacking against infrastructure in the region, which has disrupted millions of lives.
In the past several months, those strikes have escalated. Fuel supply systems, railway controls, and an airline in Iran have all faced attacks. At the same time, hackers have posted the personal information of a million Israeli LGBTQ dating app users, and exposed certain details about the Israeli army.
The skirmishes, which have included physical sabotage and the destruction of facilities – are the latest moves in the decades-long hostilities between Iran and Israel. They’re now spilling further into shadowy acts of digital espionage and disruption.
The attacks worry experts, who say the infrastructure that underpins large parts of daily life should be off-limits for state-sponsored hackers. The US Cybersecurity and Infrastructure Security Agency has set out 16 crucial sectors – including energy, healthcare, dams and food – that it believes should be out of the scope of state-sponsored hackers. The attacks also come as Iran restarts nuclear weapons negotiations with world superpowers.
“It seems that this is a case of different actors trying to demonstrate their capabilities in order to basically establish a new kind of balance of power in the region,” says Esfandyar Batmanghelidj, a visiting fellow at the European Council on Foreign Relations think-tank, who adds there has been greater diplomacy between countries in the Middle East in recent months.
The high-profile hacks on Iranian infrastructure have been wide-ranging in their targets and attributed to both state-sponsored actors and independent hacking groups. But they have one thing in common: They’ve caused chaos and confusion for ordinary people and businesses in the country.
On July 9 -10 of this year, hackers disrupted Iranian train services and posted fake delay notices on digital billboards. “Long delays due to cyber-attacks. More information: 64411,” read a message displayed on railway station signs. The phone number is linked to the office of Iran’s supreme leader, Ayatollah Ali Khamenei.
The railway attacks, according to analysis by Check Point that has subsequently been confirmed by New York–based threat intelligence company Intezer, was linked to a group of hackers dubbed Indra, after the Hindu god of war.
The group has also conducted attacks in Syria, and is “unlikely” to be linked to a country, the analysis says. Check Point says that the little-known group appears to be “focused” on targeting entities that “cooperate with the Iranian regime,” and that it has also attacked a currency exchange and a Syria-based private airline, and threatened to attack a Syrian oil refinery in 2019 and 2020.
The office phone number was also briefly displayed on some gas station pumps in October, after a cyberattack paralysed Iran’s 4,300 gasoline stations. Thousands of stations were offline for up to 12 days as the system behind government-issued smart cards, which allow people to buy subsidised fuel, was crippled.
Motorists complained of chaos as they queued for hours waiting to refill their vehicles. The fuel attack happened around the second anniversary of the Iranian regime hiking fuel prices, then shutting down the internet after people protested the increases.
However, the gas station campaign appears to be separate from the attacks on the railway infrastructure. While an unknown group called Predatory Sparrow claimed responsibility, Iranian officials have said the attack was the work of a “state actor.”
A New York Times report this weekend, citing unnamed US defence officials, linked the attack to Israel. Other recent targets include an Iranian airline, as well as the systems behind the country’s dams and water supplies, other reports say.
“Traditionally, these kinds of attacks are reserved to nation states because we are dealing with very complicated infrastructure,” Finkelstein says. Various groups have tried to claim responsibility for the attacks. However, multiple security experts point out that attribution lacks any published technical details from officials or the groups that claim to have conducted them.
Hackers have had success against Iranian targets in part due to sanctions imposed against the country, says Amir Rashidi, director of internet security and digital rights at Iran-focused human rights organisation Miaan Group. Many products from US companies cannot be purchased or updated in Iran – including those used within infrastructure systems.
“They are not able to update those tools, the equipment or patch them or even get support,” Rashidi says. “Iran is really vulnerable when it comes to cyberdefence.”
However, these potential vulnerabilities haven’t stopped Iranian state-sponsored hackers from aggressively targeting other countries. Iranian actors have been linked to the hacking of Israeli LGBTQ dating app Atraf, which saw the sexual orientation and HIV status, among other details, of a million people published online at the start of November.
The publication of Israeli military details and data from insurance firm Shirbit have also been linked to Iranian-sponsored actors. At the same time, Iran’s hackers have been busy even further afield.
On November 17, cybersecurity officials in the US, Australia, and UK announced that state-sponsored hackers have been launching attacks against hospital and transport infrastructure in the US and Australia since March this year.
A US government technical advisory says the Iranian-backed attackers have been targeting vulnerabilities in Microsoft Exchange systems and software from security company Fortinet.
In 2009 and 2010, the US and Israel destroyed Iran’s nuclear enrichment centrifuges with the Stuxnet code and helped to kickstart other nations’ interests in infrastructure hacking. Successful instances of hackers disrupting critical infrastructure have since been relatively rare, but each one can set precedents for future attacks.
Russia’s Sandworm hackers, for instance, have launched unprecedented disruptive cyberattacks against Ukraine’s power grid and the globally disruptive NotPetya attack. However, the ruthlessness of recent attacks in the Middle East stands out.
“Iran has been the only nation-state actor willing to regularly engage in destructive attacks, mostly against Israel,” Microsoft concluded in its 2021 defence report.
Compromising infrastructure and disrupting millions of lives is a red line for many in politics and the security industry.
“It doesn’t matter if it’s Iranian infrastructure, Israeli infrastructure, Saudi infrastructure – if it’s civilian infrastructure, we should come to this mutual agreement that it shouldn’t be touched,” says Naser Aldossary, a principal industrial control system responder based in the Middle East with infrastructure security company Dragos. “The systems should be off limits.”
- A Wired report