by Shannon Kandell
The Middle East is a region of instability, plagued by geopolitical tensions stemming from a history of tribal warfare, foreign intervention, and sectarian strife. For the often poor economies and underdeveloped defense industries of states in the region, cyber capabilities provide a vehicle by which geopolitical aims can be achieved given their limited resources. Cyber attacks are low risk given that they provide the capability to attack quickly and possibly anonymously. Additionally, for nations lacking in conventional military strength when compared to superpowers like the United States, cyber warfare provides a theatre of confrontation by which to influence international affairs without risk to life or expensive infrastructure. Iran has increasingly turned to cyberspace as a realm to address diplomatic goals and tensions. This leveling of the playing field through Iran’s eager adoption of cyber tactics poses a global threat to telecommunications, financial institutions, and energy infrastructure. Additionally, the Iranian state apparatus has utilized their rapidly developing cyber arsenal as a tool of repression against their own citizens, thus raising global concerns regarding privacy and digital rights violations.
Cyber Tactics
Iran relies on relatively simple tactics to inflict substantial damage on adversary networks: disruptive attacks that exploit known weaknesses, and cyber espionage campaigns. In this way, Iran uses cyber capabilities as an asymmetric tool in its international relations. In the report “Iran’s Cyber Threat: Espionage, Sabotage, and Revenge,” Collin Anderson and Karim Sadjadpour outline how the Iranian state uses hacking groups as proxies for cyber attacks. The state maintains plausible deniability because the groups are short-lived, relatively disorganized, and lack professionalism. However, that same limited sophistication caps the damage they can inflict on Iran’s opponents.[1] Even though the groups are state funded, Iran’s economic isolation leaves it lagging behind much of the world in technological development, so Iranian intrusions are often limited to the personal email and social media accounts of government employees. Mark Clayton, in “Cyber-War: In Deed and Desire, Iran Emerging as a Major Power,” argues that the Iranian threat does not lie in a capability to steal information on a massive scale. Attacks commonly occur in retaliation for global events and are often conducted to sway policy and public stances toward Iran.[2] Public speeches, policy decisions, and even news headlines can thus trigger data breaches or disabled networks.
The severity of a cyber threat is commonly assessed on two axes: intent and capability. In Iran, intent is tied largely to the state’s primary goal: regime survival. The ability to influence political opinion and inflict harm, both at home and abroad, gives the Iranian state apparatus another arena to control for its benefit. In terms of capability, the state relies on proxy groups to carry out attacks coordinated to serve its political ambition of maintaining authoritarian rule; the benefit of proxies lies in plausible deniability for the state. Despite this deniability, Anderson and Sadjadpour identify several primary actors, both proxy groups and units tied to the state itself, that have been linked to attacks at home and abroad. This strategy raises numerous concerns for international governance, particularly as norms and legal frameworks for conduct in cyberspace are developing in tandem with malicious capabilities. If the groups deny a tie to the state, or dissolve before the perpetrators of an attack are identified, there is no straightforward way to attribute responsibility and impose legal consequences. Perpetrators and the malware used in past attacks are thus rarely conclusively identified, and both can reemerge in the future.
Perpetrators of Cyber Attacks
Anderson and Sadjadpour identify a combination of state actors and a network of underground cyber entities that have been linked to attacks carried out on Iran’s behalf. Magic Kitten is one of the earliest and most developed cyber actors operating in Iran, and evidence points to a tie between Magic Kitten and the Iranian Ministry of Intelligence. This tie to the state apparatus has been used to attribute to Magic Kitten the attacks on Iranian civilians around the 2013 election of Hassan Rouhani. Magic Kitten has also been known to target Iran’s regional rivals, notably Israel and Saudi Arabia. Magic Kitten’s attacks thus track the interests of the state, above all the interest in targeting political rivals as a way to preserve the regime.[3]
Anderson and Sadjadpour use the Iranian Cyber Army as an umbrella term for the underground network of state proxy groups, commonly used on a short-term basis to conduct targeted political attacks in line with the state agenda. These groups are often corporate entities or contractors of the Iranian security forces, which raises the question of what jurisdiction international organizations have over the private entities of a single nation. Given the far-reaching influence of the Iranian state, the threat these actors pose is high in terms of both domestic and foreign damage. Domestically, the authoritarian nature of the state enables broad surveillance and harsh punishment, allowing the state to sway political opinion and elections within its borders and so retain power. Abroad, the unpredictable, retaliatory rather than methodical nature of Iranian attacks, combined with the short-lived nature of the proxy groups, allows Iran to extract information or cause damage while dodging attribution and consequences.
The actors that make up the elusive Iranian Cyber Army can be described as Advanced Persistent Threats (APTs), each tied to a distinct capability and strategy. Despite these distinctions, malware used by one group can be passed to other groups within Iran, allowing continued innovation in cyber warfare and state contracting for political attacks. In “The Iranian Cyberthreat,” Bradley Barth surveys the APTs currently active in Iranian cyber operations. APT33, tracked by various security vendors under the names Newscaster, NewsBeef, and Charming Kitten, is known for creating fake social media accounts that lure users to phony websites; through these fake personas and sites, APT35 gains access to users’ information and accounts. APT34, tracked as OilRig and Helix Kitten, has been attributed spying and reconnaissance missions in the Middle East, with reported targets spanning the IT sector as well as aviation, energy, financial, and governmental institutions. APT33, publicly identified by the security firm FireEye in September 2017, poses the most damaging threat. It has been associated with attacks on petrochemical companies in the U.S. and Saudi Arabia. In “Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction,” Thomas Fox-Brewster outlines how the group, active since at least 2013 and initially attributed intrusions into the aviation industry, has progressed toward far more destructive capabilities. Previously, APT33 used spear-phishing emails, including lures impersonating aviation companies such as Boeing and Northrop Grumman Aviation Arabia, to gain access to aviation company information.
Now, Fox-Brewster highlights APT33’s desire to inflict more damage, with a shift in targets to critical infrastructure, namely the energy sector.[4] Its newer targets reflect this, with increasingly directed attacks on government entities and industrial control systems. In Saudi Arabia, this intention has already come to fruition.
Iran’s use of malware in a variety of cyber attacks indicates a capability to inflict damage and access data. Shamoon, a disk-wiping malware family, was used against Saudi Aramco in 2012, an attack illustrative of cyber concerns specific to the Middle East. In “Cyber Security Challenges in the Middle East,” Sameh Aboul-Enein of the Geneva Centre for Security Policy discusses the region’s dependency on the oil and gas industries as drivers of state revenue and of economic and political stability. This dependency magnifies the national security threat posed by an attack on these sectors, as the 2012 attack illustrates: Shamoon wiped roughly 35,000 Aramco computers.[5] The attack is widely attributed to Iran, and FireEye has noted overlaps between APT33’s tooling and malware associated with the Shamoon campaigns. Shamoon itself did not go away; updated variants reappeared in late 2016 and early 2017 against multiple Saudi organizations simultaneously, heightening the cumulative impact of the malware. This increases the risk of widespread infrastructure damage and network breaches for an already vulnerable industry, one tied closely to state stability within the Middle East. Aboul-Enein concludes that “cybersecurity is directly connected to nuclear security,” highlighting the threat a wiper such as Shamoon would pose if directed at nuclear facilities.
Iran is not merely a perpetrator of cyber attacks but has also been a victim. Stuxnet, a computer worm reportedly developed by the U.S. and Israel under the program known as Operation Olympic Games, was deployed against Iran’s uranium enrichment facility at Natanz; its earliest known versions date to 2009, and it was publicly discovered in June 2010. The attack caused severe setbacks to Iran’s nuclear program. Stuxnet was designed not for data theft but to inflict physical damage, by manipulating the programmable logic controllers that drove the centrifuges. As APT33 moves toward more destructive attacks, it is likely to draw on the malware previously used against Iran for the purpose of retaliation. Anderson and Sadjadpour discuss how the Iranian regime re-engineers malware used against it for deployment against its adversaries. Since Stuxnet samples have circulated publicly among researchers since 2010, the concern is less whether Iranian APTs can obtain the code than whether, with state funding, they can adapt that class of capability to their own targets.
Use of Cyber Tools for Internal Repression
Cyber capabilities are not used by these actors solely for international and regional confrontation; the Iranian state also uses them as tools of internal repression. Anderson and Sadjadpour describe how the Iranian government conducts cyber operations for espionage against the private sector and for surveillance of human rights advocates. These operations are motivated largely by fear that social media platforms threaten regime stability. The Iranian government, at odds with an era of growing global connectivity, is attempting to reassert its monopoly over communications and domestic networks.
In “Cyberwar and Iranian Strategy,” Ilan Berman outlines how the Iranian government has attempted to isolate the population from outside networks and media platforms by re-establishing control over domestic connectivity. He describes how the state has developed an alternative national internet, a sophisticated filtering system intended to exclude foreign influence. The alternative network not only reroutes users to regime-approved websites but also denies access to some online material outright. Berman argues that the state is suppressing dissent by denying its people digital rights of expression. More disturbing still, it is constructing a localized online reality for citizens within the Islamic Republic. Policy for this system is set by the Supreme Council of Cyberspace, a body established under the Supreme Leader in 2012, while monitoring of domestic and international cyberspace falls largely to the Islamic Revolutionary Guard Corps. The IRGC is a branch of the Iranian military tasked with defending the regime; its mission has been extended to monitoring cyberspace in order to suppress dissent as it appears on online platforms. In response, many Iranian citizens have moved their communications to platforms hosted outside Iran or have adopted encryption to guard against the state’s far-reaching surveillance.[6] This is motivated not only by recent cyber programs and legal measures but also by the experience of the Green Movement in June 2009, when the government suppressed protests by restricting online access.
The Green Movement refers to the widespread popular uprisings that followed the 2009 reelection of Mahmoud Ahmadinejad. This mass mobilization was a primary trigger for the state’s reassertion of control over the Internet and online communication. Following the widely disputed election, Berman notes, activists turned to social media to galvanize support for protests and organize rallies and political gatherings. This posed a domestic challenge to the authority of the Islamic Republic, and in response the regime imposed sweeping surveillance and censorship programs. The regime was able to cut off mass communication as a means of putting down demonstrations. That far-reaching surveillance serves as a primary tactic for assuring regime stability is illustrated by the specific groups and organizations targeted in cyber operations.
Common targets include government officials, reformist politicians, media professionals, religious minorities, cultural figures, opposition groups, terrorist organizations, and ethnic separatist movements.[7] Surveillance of government officials, an operation conducted by the Iranian Ministry of Foreign Affairs, serves to monitor, track, and repress political rivals and to collect material for blackmail. Cyber operations have thus been turned against members of the state apparatus itself, not just its opponents: through data breaches, the state demands unyielding obedience through fear, dependence, and insecurity. Less surprising than intra-governmental spying and blackmail is the state’s surveillance of opposition groups, who openly seek to undermine the authoritarian status quo. Common tactics against internal opponents include political arrests, shutting down websites, blocking online material, and hacking personal accounts. Iran’s extension of authoritarian rule to online platforms has thus turned the Internet into a vehicle for its own propaganda. Notably, Iran’s targeting of regime opponents is not limited to domestic surveillance and censorship; Iran has also targeted international NGOs and human rights organizations with cyber attacks in an effort to disrupt their advocacy.
Transnational Repression
The state has not merely targeted human rights organizations but has also specifically targeted the political exiles who often work with them. Iranian political exiles are often drawn to, or recruited by, human rights advocacy organizations in an effort to bring about social change and justice in their native country. Following the Green Movement in particular, many individuals targeted online by repressive state policies fled Iran to continue their fight via online platforms and news outlets. Interviews and case studies of Iranian political exiles make clear that Iran’s cyber strategy against dissenters and advocates does not stop at its border; the state exploits the transnational reach of cyber operations. Iranian actions in cyberspace are therefore not neatly divided into domestic and international spheres; the two dimensions of its cyber strategy are interlocked, serving the single intent that defines the Iranian cyber threat: the survival of the regime.
In the paper “Exit and Voice in a Digital Age: Iran’s Exiled Activists and the Authoritarian State,” Marcus Michaelsen gives an account of interviews with several prominent Iranian political exiles. They describe how the Iranian state has continued to infringe on their freedom of expression, a transnational repression made possible through cyber attacks. Given the lack of transparency within the Iranian regime, Michaelsen relies on first-hand accounts from the exiles themselves to shed light on the regime’s reach. Masih Alinejad, a political exile now working as a journalist, describes how the Iranian security apparatus was able to penetrate her email and social media accounts. Her accounts are now full of threats, and her activism against the mandatory veil has been curtailed by constant “insulting and vulgar comments” on her posts and photos.[8] In this way the authoritarian character of the Iranian state, which demands obedience through fear and intimidation, transcends its borders through cyberspace and global online connections.
Michaelsen also tells the story of Mansoureh Shojaee, a women’s rights activist who left Iran in 2010, to demonstrate the threat the Iranian state poses to advocates of human rights and social change. Shojaee has received numerous summonses to interrogation from Tehran. This pressure, made sharper because Shojaee’s family remained in Iran, is a “means of control” that persists even after individuals flee.[9] Shojaee’s character was tarnished by the Iranian government even after she had resettled in the UK: frequent broadcasts have portrayed the politically active journalist as “morally corrupt, as a prostitute, a drug addict.”[10] Such accusations carry particular weight in Iran’s still largely conservative society, governed by a religious state ideology; they discredit opponents by tying social justice activists to Western, non-Iranian values. These attacks are made possible by the Iranian state’s monopoly over domestic networks and broadcasting. They serve not merely to manipulate the domestic population’s perception of international actors, but also to undermine the credibility of individuals abroad in order to safeguard authoritarian rule.
Legal Basis
The legal justifications for the Islamic Republic’s vast censorship and surveillance apparatus reveal a consistent reliance on vague and ambiguous provisions as the basis for abusive practice. Specifically, the tie between the state and the values of Islam has been shaped in Iran to encompass a mandate to guard against “immoral behavior”; this has led to state intervention into areas of life in ways that violate international human rights law and norms.[11] Andrew Smith, a senior legal officer at the free-expression organization ARTICLE 19, has analyzed Iran’s Computer Crimes Law as the primary legal measure used to justify censorship and widespread surveillance on the grounds of safeguarding public morality. His interpretation focuses on how ambiguous phrasing and vague terminology have been manipulated to justify human rights abuses.
The Computer Crimes Law, adopted in 2009, is the most recent major addition to Iran’s expansive surveillance regime. Smith highlights that the law “is saturated with provisions that criminalise legitimate expression,” notably offences against “‘public morality and chastity’” and the “‘dissemination of lies.’” The code provides no public-interest defence, and the punishments attached to violations of public-morality standards are entirely out of proportion; the law even makes the death penalty available for offences committed online. Its first two articles criminalise “‘illegal access’ to data, computers and telecommunication systems that are protected by ‘security measures,’” and “illegal access to content being transmitted through ‘nonpublic’ communications by computer, telecommunication, electromagnetic or optical systems.”[12] Article 3 frames such provisions in terms of the state’s duty to defend national security and state interests. Smith argues, however, that the law is primarily a measure manipulated by the state to “harass, intimidate, and detain those that dare to criticise it.”
The Computer Crimes Law builds on earlier legal norms that laid the foundation for broad government censorship. Smith argues that the Constitution “lays the foundations for the institutionalization of censorship” by privileging a single religious belief system as the guiding force for government action, while the measures to be implemented in its name are only vaguely defined in the legal codes and frameworks. Among these vaguely defined and commonly abused codes, Smith singles out two: the Press Law and the Islamic Penal Code. The Press Law, originally passed in 1986 to impose broad restrictions on the publication and dissemination of content, has since been extended to online forums and platforms. The Islamic Penal Code sets out the penalties for content that violates morality provisions, many of which are excessive and violate international norms of proportionality and fairness. Smith points to the same flaw in the Computer Crimes Law: the penalties for vaguely defined “illegal access” to data are consistently disproportionate to the supposed threat to national security. This allows the state to imprison people for extended periods for even the smallest expression of dissent on online platforms or social media.
This state monopoly over networks and media in Iran takes internal repression to an international scale, as evidenced by the way in which political exiles still face unjust persecution online. Michaelsen describes how state actors not only “seek to undermine the links of exiles into the country,” but also aims “to punish claims to public attention that challenge the regime’s position in the domestic and international arenas.” Iran’s domestic systems of internet control and censorship thus have global implications, particularly on “transnational advocacy networks.”[13] In this way, the very networks and connectivity that allow for a dialogue of progress and social justice expose political exiles and international human rights activists to the repression of the very regimes they seek to change.
The response of international organizations and alliances to Iran’s infringement of privacy and free expression online has been extensive. Anderson and Sadjadpour highlight the Internet Freedom Agenda as an international initiative promoting norms of secure information flows while emphasizing free access to information, global networks, and websites. The agenda calls for the “promotion of democratic values within internet governance frameworks,” values that run directly counter to the principles embodied in Iran’s censorship and surveillance system. Barth highlights Article 19 of the Universal Declaration of Human Rights, which protects the freedom to seek, receive, and impart information and ideas through any media and regardless of frontiers. The UN General Assembly resolution on the “Creation of a global culture of cybersecurity” (A/RES/57/239, 2002) is another measure Barth brings into focus, as one advocating democratic principles that safeguard the free flow of information and the protection of personal information. Despite this international dialogue and articulation of norms, it is critical to note that declarations and resolutions of the UN General Assembly carry no legally binding obligation; their force is moral and political, and any sweeping reform remains dependent on domestic policy. Article 19 of the International Covenant on Civil and Political Rights, which Iran ratified in 1975, is binding treaty law, but it too relies on domestic implementation.
Conclusions
The concern with Iran, then, is that the capability to exert vast control over its citizens’ networks may allow it to permeate networks abroad. Anderson and Sadjadpour note that “Iranian campaigns do not maintain clear boundaries between operations directed against its internal opposition and those directed against foreign adversaries.”[14] Without limits on surveillance within its borders, the Islamic Republic is free to keep developing tools for, and interfering in, the online activities of its citizens, as its treatment of political exiles shows. The hacking and data-breach capabilities developed to safeguard the regime pose the danger that, in an increasingly connected world, this surveillance and these intrusions will not be confined to Iran’s own citizens. This has already been witnessed in Iran’s ability, through proxy groups and APTs, to hack the personal accounts of its adversaries’ government personnel. Free rein at home and a monopoly over the domestic Internet only increase Iran’s capacity to develop new methods of asserting control over cyberspace. This raises questions as to how such cyber threats can be handled: while conventional warfare is visible, manageable, and allows blame to be attributed, cyber attacks remain elusive and a threat to national and global security.
***
Bibliography
Aboul-Enein, Sameh. “Cyber Security Challenges in the Middle East.” Geneva Papers. Geneva Centre for Security Policy, April 2017.
Anderson, Collin, and Karim Sadjadpour. “Iran’s Cyber Threat: Espionage, Sabotage, and Revenge.” Cyber Policy Initiative Program, Carnegie Endowment for International Peace, 4 Jan. 2018.
Barth, Bradley. “The Iranian Cyberthreat.” SC Media US, Haymarket Media, Inc., 5 Mar. 2018.
Berman, Ilan. “Cyberwar And Iranian Strategy.” Ilan Berman, Pundicity, Aug. 2012.
Clayton, Mark. “Cyber-War: In Deed and Desire, Iran Emerging as a Major Power.” Passcode, The Christian Science Monitor, 16 Mar. 2014.
Fox-Brewster, Thomas. “Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction.” Forbes, Forbes Magazine, 20 Sept. 2017.
Fruhlinger, Josh. “What Is Stuxnet, Who Created It and How Does It Work?” CSO Online, CSO, 22 Aug. 2017.
Michaelsen, Marcus. “Exit and Voice in a Digital Age: Iran’s Exiled Activists and the Authoritarian State.” Globalizations 15, no. 2 (2016): 248-64.
Smith, Andrew. “Islamic Republic of Iran: Computer Crimes Law.” Article 19, Mar. 2012.
Young, Michael. “How Important Has Cyber Warfare Become to the States of the Middle East?” Diwan, Carnegie Middle East Center, 1 Feb. 2018.
[1] Anderson, Collin, and Karim Sadjadpour. “Iran’s Cyber Threat: Espionage, Sabotage, and Revenge.” Cyber Policy Initiative Program, Carnegie Endowment for International Peace, 4 Jan. 2018.
[2] Clayton, Mark. “Cyber-War: In Deed and Desire, Iran Emerging as a Major Power.” Passcode, The Christian Science Monitor, 16 Mar. 2014.
[3] Anderson and Sadjadpour.
[4] Fox-Brewster, Thomas. “Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction.” Forbes, Forbes Magazine, 20 Sept. 2017.
[5] Barth, Bradley. “The Iranian Cyberthreat.” SC Media US, Haymarket Media, Inc., 5 Mar. 2018.
[6] Anderson and Sadjadpour.
[7] Anderson and Sadjadpour.
[8] Michaelsen, Marcus. “Exit and Voice in a Digital Age: Iran’s Exiled Activists and the Authoritarian State.” Globalizations 15, no. 2 (2016).
[9] Michaelsen.
[10] Michaelsen.
[11] Anderson and Sadjadpour.
[12] Smith, Andrew. “Islamic Republic of Iran: Computer Crimes Law.” Article 19, Mar. 2012.
[13] Michaelsen.
[14] Anderson and Sadjadpour.