Information Warfare – Iran vs America. Why buy a weapon when I have a keyboard?

Pierluigi Paganini March 10, 2015

A newly disclosed secret report illustrates the tightening cyber dispute between the United States and Iran, for both spying and sabotage.

Since Robert Tappan Morris created the first worm in 1988, cyberspace has been turning from a merely virtual space into a critical cyberwar field. Even though the first worm was a mistake, meant only to measure the vastness of the Internet, it became an inspiration for all the studies and cyber activities of recent history.

The most famous case is the Stuxnet virus, malware discovered by VirusBlokAda in June 2010. The security community defined it as the first “cyber weapon” in history because it was “used to attack” the Natanz nuclear facility in Iran with the intent of causing physical damage. The facts were confirmed in 2013 by the well-known whistleblower Edward Snowden, who declared that the USA and Israel created Stuxnet to slow down the Iranian nuclear program. Stuxnet was programmed to take control of computers in the nuclear facility and send specific commands that sabotaged the rotation speed of the turbines, leading to their damage.

This attack was one of the most important actions of Operation Olympic Games, started by G.W. Bush and continued by the Obama administration. The campaign was run to disrupt Iran’s nuclear program and thereby avoid Israeli strikes on Iran with conventional weapons.

An NSA document leaked by Snowden confirms the digital arms race of the US, which aims to “dominate” the fifth domain of warfare, cyberspace.

The document was written in April 2013 for Gen. Keith B. Alexander, then director of the National Security Agency, and describes how the Iranian Government discovered US plans to hit Iranian networks.

Cyberspace is a new strategic war field and, even if diplomacy is trying to focus attention on nuclear weapons, it is the principal battlefield for many ongoing disputes. The report states:

“Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary. Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

The document refers to the Shamoon virus, which was used by the hacking crew called “The Cutting Sword of Justice” to infect systems at Saudi Aramco. Intelligence experts believe the hacking team comes from Iran and is backed by the Government of Tehran. The report also addresses another state-sponsored attack, the one conducted with the Flame malware. Flame was used to compromise computers, especially in the Middle East. This worm hit a huge number of Iranian computers, particularly in the Iranian Oil Ministry, as well as others. Flame also compromised private organizations and government entities in many countries, such as Sudan, Syria, Egypt, and Saudi Arabia. Like a nuclear bomb, it strikes not only the target but also civilians and everything near the target.

[Figure: Flame infection map (Kaspersky), showing Iran as the main target]

“Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions, and is currently in the third phase of a series of such attacks that began in August 2012. SIGINT indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks,” the document continues.

It refers to the DDoS attacks that hit the systems of JP Morgan Chase and Bank of America, flooding their websites and interrupting service for their customers.

The NSA document is clear about who attacked Saudi Aramco, but does not identify who created the Flame worm. On 19 June 2012, the Washington Post wrote that the Flame attack was carried out under the coordination of the US and Israel. The day after the Washington Post article was published, the websites of Israel’s Ministries of Finance and Defense, the Police, the main intelligence service, and the Prime Minister were unavailable.

On 21 June 2012, Iran’s Intelligence Minister Heydar Moslehi said:

“Based on obtained information, America and the Zionist regime (Israel) along with the MI6 planned an operation to launch a massive cyber attack against Iran’s facilities following the meeting between Iran and the P5+1 in Moscow.”

In my opinion, he refers to the Central Bank of Iran attack, which occurred suddenly after the failure of the negotiations between Iran and Moscow on the country’s nuclear program on 19 June. Just a month later, the “Cyber Warriors Team” from Iran compromised the NSA’s SSL certificate.

Again, the NSA documents disclosed online revealed the collaboration between the UK, Israel and the USA:

“Emphasize that we have successfully worked multiple high-priority surges with GCHQ that have allowed us to refine maintaining mission continuity and seamless transition, and maximize our target coverage.”

To be more specific:

“The respective NSA-ISNU and GCHQ-ISNU bilateral relationships had gotten to the point that each participant recognized the need for the trilateral engagement to advance this specific topic.”

It is clear that cyberspace is a battlefield for almost every country. The actions taken are clear, and the Disarmament and International Security Committee (DISEC) detailed in its Background Guide (SurreyMUN 2015) two kinds of operations conducted in the information warfare context: espionage and sabotage.

Referring to sabotage, it states:

“but just remember it means ‘do something’ whereas espionage here means ‘learn something’.”

The DISEC guide reported all the major cyber attacks from 2007 to 2013, including the DDoS on Estonia that took down bank, newspaper and government websites, a planned attack on Israel’s Internet infrastructure in 2009, the Stuxnet worm in 2010, Red October in 2012, and the most recent NSA leak in 2013. We can easily recall the latest actions by the Cyber Caliphate against the Twitter accounts of the Albuquerque Journal, other minor attacks made in the name of Jihad or Islam around the globe, and the major attack on Sony, which could have involved North Korea.

As we can read in the INSS-CSFI report of 15 February 2015, as a consequence of all the actions in cyberspace, made for offensive or defensive purposes, all the most important countries involved in these scenarios are organizing a team or a specific bureau for cyber defence:

“Israel National Cyber Bureau (INCB), which will continue setting national policy, in building a pioneering technological force for the State of Israel as a global leader in the cyber field.”

The report notes that the USA is building a new agency that will drive all cyber warfare actions, leading existing agencies such as the FBI, CIA, NSA, DHS and the military cyber commands. The UK, too, is building the 77th Brigade, which will operate against Islamist propaganda such as that of ISIS. Last, but no less interesting, Der Spiegel reported that Russia’s new military doctrine, signed at the end of 2014, declares that a cyber hazard will be treated as a military hazard.

Why buy a weapon when I have a keyboard?

Written by Alessandro Contini

Alessandro Contini works as a Cyber Security Consultant for national and international organizations, drawing on long experience and technical expertise in system architectures, in particular those related to Critical Infrastructure. Alessandro also collaborates as a Cyber Intelligence specialist to find deeper information in cyber crime and terrorism scenarios.

Edited by Pierluigi Paganini
