On 23 June US media reported that the US Cyber Command launched a cyber-attack that disabled command and control (C&C) computer systems controlling rocket and missile launchers at an undisclosed location in Iran on 20 June. The attack followed Iran shooting down a US drone over the Strait of Hormuz, and likely Iranian attacks on commercial oil tankers.

Three key risk points:

  • The US is likely to conduct further offensive cyber operations targeting Iran’s military to pre-empt any perceived security threats to the US, its allies, and commercial oil shipping in the Middle East. Such operations will aim to support broader kinetic military operations and demonstrate the strength of the US military’s cyber capabilities.
  • The US’s immediate priority will be to pre-empt further attacks on military and commercial vessels in the Strait of Hormuz and the Gulf of Oman. Further offensive cyber operations aimed at degrading Iran’s C&C systems and missile programme, and at limiting the state’s ability to transfer missile technology to its allies in the Middle East, are highly probable.
  • We assess that the current cycle of escalation will motivate Iran to step up deniable cyber operations against government, critical infrastructure and commercial targets in the US, for strategic espionage, data theft and limited disruptive attacks.

    Assessment

    Though there is no independent confirmation of damage, the US operation against Iran’s military C&C systems was most likely sophisticated and aimed at causing maximum disruption. Iranian C&C systems and the command centres controlling missile and rocket launches are highly likely to be strongly secured and air-gapped from internet-connected networks, given the sensitivity of their data. Such systems are therefore probably reachable only through physical access or through third parties in their supply chains.

    The attack highlights the US’s increased intent to penetrate and potentially sabotage Iranian military control systems and assets more broadly, as both sides anticipate further escalation. We separately assessed that Iran’s physical attacks against critical infrastructure and commercial assets in the Middle East will continue in the coming months. This provides motivation for the US to focus on downgrading the state’s missile programme and its naval and air forces’ capabilities, including targeting their commercial suppliers through espionage and sanctions.

    On 22 June the US Department of Homeland Security (DHS) indicated that Iran has escalated its own cyber operations targeting the US government and critical economic sectors for strategic and commercial espionage, including using data-wiping malware. Two days earlier, security researchers identified a targeted phishing email campaign by the Iran-linked advanced persistent threat (APT) group APT33 against government agencies and private companies in the US and Europe. We have not witnessed an Iranian wiper attack targeting US territory in the past, though previous campaigns elsewhere suggest that APT33 has links to the highly effective data-destroying malware Shamoon.

    Iran is unlikely to have the cyber capability to downgrade or damage US military C&C, missile or air, naval or ground-based systems in retaliation for the latest US attack, as a very high level of capability would be required for such operations. Any disruptive cyber campaigns targeting US territory are likely to remain rare and limited to commercial entities.

    Outlook

    The US will most likely continue attempting to compromise Iran’s military operations systems, particularly those linked to its missile programme and to any perceived air, naval and ground-based threats to commercial and naval traffic in the region’s strategic waterways. Such targeting may well extend to IT hardware manufacturers supplying industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems to Iranian critical national infrastructure (CNI) and energy companies.

    Iranian disruptive cyber threats to critical industries in the US and in the Middle East – including oil and gas, energy and maritime supply chains – are also likely to increase in the coming weeks. Phishing campaigns, such as the latest APT33 campaign, will help Iranian APTs to pre-position for more disruptive or destructive sabotage operations. Iranian APT groups will likely undertake port scanning to discover vulnerable internet-facing infrastructure, and open-source research to discover vulnerabilities within target companies.
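    The reconnaissance described above is the part of this outlook a defender can actually look for. The script below is an added example, not part of the original briefing or of any vendor product: it runs a simple port-scan triage over constructed firewall log lines. The log format, the host and IP addresses (RFC 5737 documentation ranges) and the thresholds are assumptions; the point is the heuristic, a single source touching many distinct destination ports on one host inside a short window, and the inclusion of ICS/SCADA service ports (Modbus 502, DNP3 20000, EtherNet/IP 44818) that an attacker probing energy or maritime infrastructure would be expected to try.

```python
"""Port-scan triage over constructed firewall log lines.

Added example, not from the original briefing. The syslog-like DENY/ALLOW
format below is made up for illustration; adapt LINE_RE to your firewall.
Heuristic: a source that reaches at least `min_ports` distinct destination
ports on one host within `window` is flagged as a likely scan.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner (198.51.100.7) sweeping common and ICS
# ports on 203.0.113.10, plus one ordinary client (192.0.2.55).
SAMPLE_LOG = """\
2019-06-24T09:00:01Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=21 proto=tcp
2019-06-24T09:00:01Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=22 proto=tcp
2019-06-24T09:00:02Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=23 proto=tcp
2019-06-24T09:00:02Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=80 proto=tcp
2019-06-24T09:00:03Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp
2019-06-24T09:00:03Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=502 proto=tcp
2019-06-24T09:00:04Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=3389 proto=tcp
2019-06-24T09:00:04Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=8080 proto=tcp
2019-06-24T09:00:05Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=20000 proto=tcp
2019-06-24T09:00:05Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=44818 proto=tcp
2019-06-24T09:01:10Z fw01 ALLOW src=192.0.2.55 dst=203.0.113.10 dport=443 proto=tcp
2019-06-24T09:01:11Z fw01 DENY src=192.0.2.55 dst=203.0.113.10 dport=8443 proto=tcp
2019-06-24T10:30:00Z fw01 DENY src=198.51.100.7 dst=203.0.113.10 dport=25 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        yield rec


def detect_port_scans(text, window=timedelta(seconds=60), min_ports=8):
    """Return {(src, dst): sorted list of every port that source touched}
    for each (src, dst) pair that hit >= min_ports distinct ports inside
    any `window`-long interval. Both ALLOW and DENY count: a scanner that
    finds an open port still generates the surrounding denied probes."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for rec in parse_lines(text):
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    hits = {}
    for key, evs in events.items():
        evs.sort()  # time order, so a sliding window is valid
        start = 0
        for end in range(len(evs)):
            # advance the window's left edge until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                # report the full port set for the pair, not just the window
                hits[key] = sorted({p for _, p in evs})
                break
    return hits


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"likely scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

    The thresholds are deliberately conservative; tune `window` and `min_ports` against a baseline of your own perimeter logs, and treat any hit that includes ICS service ports on an energy or maritime network as higher priority than a generic web-port sweep.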


    Taken from Seerist.
