April 17, 2015

The Growing Cyberthreat from Iran: The Initial Report of Project Pistachio Harvest

Executive Summary:

Iran is emerging as a significant cyberthreat to the US and its allies. The size and sophistication of the nation’s hacking capabilities have grown markedly over the last few years, and Iran has already penetrated well-defended networks in the US and Saudi Arabia and seized and destroyed sensitive data. The lifting of economic sanctions as a result of the recently announced framework for a nuclear deal with Iran will dramatically increase the resources Iran can put toward expanding its cyberattack infrastructure.

We must anticipate that the Iranian cyberthreat may well begin to grow much more rapidly. Yet we must also avoid overreacting to this threat, which is not yet unmanageable. The first requirement of developing a sound response is understanding the nature of the problem, which is the aim of this report.

Download the full report.

Pistachio Harvest is a collaborative project between Norse Corporation and the Critical Threats Project at the American Enterprise Institute to describe Iran’s footprint in cyberspace and identify important trends in Iranian cyberattacks. It draws on data from the Norse Intelligence Network, which consists of several million advanced sensors distributed around the globe. A sensor is basically a computer emulation designed to look like an actual website, email login portal, or some other kind of Internet-based system for a bank, university, power plant, electrical switching station, or other public or private computer systems that might interest a hacker. Sensors are designed to appear poorly secured, including known and zero-day vulnerabilities to lure hackers into trying to break into them. The odds of accidentally connecting to a Norse sensor are low. They do not belong to real companies or show up on search engines. Data from Norse systems combined with open-source information collected by the analysts of the Critical Threats Project have allowed us to see and outline for the first time the real nature and extent of the Iranian cyberthreat.

A particular challenge is that the Islamic Republic has two sets of information technology infrastructure—the one it is building in Iran and the one it is renting and buying in the West. Both are attacking the computer systems of America and its allies, and both are influenced to different degrees by the regime and its security services. We cannot think of the Iranian cyberfootprint as confined to Iranian soil.

That fact creates great dangers for the West, but also offers opportunities. Iranian companies, including some under international sanctions and some affiliated with the Islamic Revolutionary Guard Corps (IRGC) and global terrorist organizations like Hezbollah, are hosting websites, mail servers, and other IT systems in the United States, Canada, Germany, the United Kingdom, and elsewhere. Simply by registering and paying a fee, Iranian security services and ordinary citizens can gain access to advanced computer systems and software that the West has been trying to prevent them from getting at all. The bad news is that they are getting them anyway, and in one of the most efficient ways possible—by renting what they need from us without having to go to the trouble of building or stealing it themselves.

The good news is that Western companies own these systems. They could, if they choose, deny Iranian entities sanctioned for terrorism or human rights violations access to their systems. Western governments could—and should—develop and publish lists of such entities and the cyberinfrastructure they maintain to facilitate that effort, broken down by industry. The entities hosting these systems could deal Iran a significant blow in this way, while helping to protect themselves and their other customers from the attacks coming from Iranian-rented machines.

But the Islamic Republic is also using networks within Iran to prepare and conduct sophisticated cyberattacks. Our investigations have uncovered efforts launched by the IRGC from its own computer systems to take control of American machines using sophisticated techniques. IRGC systems hit ports with known and dangerous compromises from many different systems over months. They also scanned hundreds of US systems from a single Iranian server in a few seconds. These attacks would have been lost in normal traffic if they had not all hit Norse sensor infrastructure and thereby revealed their patterns.

Sharif University of Technology, one of Iran’s premier schools, conducted similar automated searches for vulnerable US infrastructure using a different algorithm to obfuscate its activities. A Sharif IP address would try to connect with target systems on port 445 twice within a few seconds. Then a different Sharif IP address would try to connect with a different target on the same port twice within a few seconds. All of the IP addresses were clearly owned and operated by Sharif University, but none of them hosted any public-facing systems. The pattern of attacks, once again, was visible only because so many of them hit Norse infrastructure.
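The two patterns described above (one server touching hundreds of systems in a few seconds, and rotating addresses each probing one target twice on port 445) are only visible when connection records from many sensors are correlated. The following is an added illustration of that correlation, not code from the report or from Norse; the log format, the thresholds, the /24 grouping, and all addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sensor log: (epoch_seconds, src_ip, dst_ip, dst_port).
# All addresses are RFC 5737 documentation ranges, not real indicators.
EVENTS = (
    [(1000 + i * 0.01, "198.51.100.7", f"192.0.2.{i}", 80) for i in range(1, 201)]
    + [(5000, "203.0.113.10", "192.0.2.15", 445), (5003, "203.0.113.10", "192.0.2.15", 445),
       (5600, "203.0.113.22", "192.0.2.90", 445), (5602, "203.0.113.22", "192.0.2.90", 445),
       (6400, "203.0.113.31", "192.0.2.141", 445), (6404, "203.0.113.31", "192.0.2.141", 445),
       (7000, "198.51.100.50", "192.0.2.8", 443)]  # unrelated single connection
)

def fan_out_sources(events, window=5.0, min_targets=100):
    """Sources that touch >= min_targets distinct sensors inside one time window."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in sorted(events):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            targets = {d for _, d in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

def rotating_pair_probes(events, port=445, gap=10.0, prefix=24, min_sources=3):
    """Netblocks where several sources each hit a different sensor exactly twice, quickly."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            per_pair[(src, dst)].append(ts)
    blocks = defaultdict(set)
    for (src, dst), times in per_pair.items():
        if len(times) == 2 and abs(times[1] - times[0]) <= gap:
            # Grouping by /24 stands in for "same owning organization" (assumption).
            blocks[str(ip_network(f"{src}/{prefix}", strict=False))].add((src, dst))
    return {net: sorted(pairs) for net, pairs in blocks.items()
            if len({s for s, _ in pairs}) >= min_sources
            and len({d for _, d in pairs}) >= min_sources}

if __name__ == "__main__":
    print(fan_out_sources(EVENTS))
    print(rotating_pair_probes(EVENTS))
```

Each paired probe is unremarkable on a single host; the netblock-level grouping is what surfaces it, which is why a defender with one network's logs would need shared telemetry or registry (WHOIS/ASN) data to reproduce the result.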

The attacks from the IRGC systems and from Sharif’s computers could have penetrated vulnerable systems and potentially gained complete control over them. They could have used that control to attack still other Western computers while obscuring Iran’s involvement almost completely. Or they could have damaged the systems they initially penetrated, which could just as well have belonged to banks, airports, power stations, or any other critical infrastructure system as to Norse.

The Iranians are, indeed, also attempting to identify vulnerable supervisory control and data acquisition (SCADA) systems such as those that operate and monitor our electrical grid. Norse sensors emulating such systems were probed several times in the course of our study’s timeframe. It seems clear that elements within Iran are working to build a database of vulnerable systems in the US, damage to which could cause severe harm to the US economy and citizens.

The good news in all of this is that we know that the attacks Norse detected all failed—the sensors they hit were not real systems controlling anything. The bad news is that we can be certain that these were not the only attacks and equally certain that some of the others succeeded.

It would be comforting to imagine that the recently announced nuclear framework agreement will put a stop to all of this, that a new era of détente will end this cyber arms race. There is, unfortunately, no reason to believe that that will be the case. Both the White House and Iranian leadership have repeatedly emphasized that the nuclear deal is independent of all other issues outstanding between the US and Iran. The agreement itself stipulates that US sanctions against Iran for supporting terrorism and human rights violations will remain in place. Iran’s behavior in Iraq, Syria, Lebanon, Yemen, and Tehran indicates that this support and those violations will continue.

Whatever the final outcome of the nuclear negotiations, we must expect that the threat of a cyberattack from Iran will continue to grow. We may have just enough time to get ready to meet that threat.

