We May Already Be at War with Iran

Scott Schweitzer
Published in The Startup, Jan 6, 2020 (5 min read)
Cyberspace is the Fifth Dimension of Warfare

Since Thursday, January 2, 2020, many pundits and US politicians have publicly stated that we are on the brink of war with Iran. What they mean is a conventional war fought with human, physical, and kinetic assets operating in one or more of the four traditional dimensions of warfare: land, sea, air, and space. The evidence they point to is the US mobilizing some 3,500 troops from the 82nd Airborne Division and deploying them to the Middle East. Yet no battle lines have been drawn, even as these assets are repositioned, and the general public is kept largely in the dark about the extent to which the US and Iran may already be attacking each other in the fifth dimension of warfare, cyberspace. Even if it were confirmed that the two countries were attacking each other in cyberspace, the public would probably picture denial-of-service events, perhaps website defacements, or, at worst, a series of data breaches. Nothing could be further from the truth: what is at stake is the destruction of both data and physical assets.

In March 2018, two Iranian hackers (later indicted by the US Department of Justice) hit the city of Atlanta with the SamSam ransomware and brought much of the city government to a standstill. Federal estimates place the damage to the city at $30M. SamSam was classic ransomware: for a fee (0.8 Bitcoin per system or 4.5 Bitcoin for the whole enterprise), you could recover your data. SamSam got in through a handful of server vulnerabilities and brute-forced remote desktop logins, so it could not infect every system it touched. Nobody likes paying a ransom, and the disruption was real, but there was still a path to recovery. SamSam was also nowhere near as virulent as NotPetya, which had appeared the previous year.

NotPetya was a gift from Pandora’s box, crafted by a hacking unit of Russia’s military intelligence service, the GRU, which security researchers have labeled “Sandworm.” Sandworm is sometimes described as an offshoot of the better-known GRU group “Fancy Bear,” but researchers treat them as two distinct units; the Sandworm team, for one, has consistently seeded its code with references to the novel “Dune,” which is where the name comes from. These groups have been waging a one-sided, asymmetric guerrilla war against the former Soviet states of Estonia, Georgia, and Ukraine for well over a decade. One of the most damaging munitions developed and launched by the Sandworm team was the NotPetya worm. It is a worm because it spreads on its own, infecting nearly everything it can reach from a compromised host, and a wiper because, once it has harvested all the credentials and connection information it can from a target, it encrypts the system with a key that is never retained (the “installation key” it displays to the victim is random garbage), so the data is gone. A wiper is ransomware you CANNOT recover from: any backup reachable over the network is often destroyed as well, and the master boot record is overwritten so the machine will not boot. The result is a dataless, unrecoverable system that is ready to be reinstalled.

NotPetya spread using EternalBlue, an exploit for the Windows SMB service that had been leaked from the NSA by the Shadow Brokers and patched by Microsoft (MS17-010) months before the attack; it was not a zero-day but a weapon aimed at the many systems that had not yet been patched. It paired that exploit with a credential-stealing module that pulls user IDs and passwords out of a Windows system’s memory, Mimikatz-style, so that one compromised machine could log in to fully patched neighbors with legitimate administrator credentials. Sandworm first unleashed NotPetya on Ukraine in June 2017, and it brought significant systems throughout that country to a halt. International companies with a footprint in Ukraine became collateral damage. Countries don’t report cyber damage or losses, but large public companies are required by law to disclose material ones.

Shipping giant Maersk had a single system in Ukraine become infected, and from there the worm ripped through their entire global infrastructure, thousands of systems. It wiped out the data and programs on the systems running dozens of port terminals worldwide. Tens of thousands of trucks dropping off and picking up goods at those ports were affected, and dozens of enormous container ships had NO record of what was on them. In the end, Maersk spent upwards of $300M to get back online and still has not recovered some data vital to its operations, data which may be lost forever. Total worldwide damage from NotPetya has been estimated at nearly $10B. Pharma giant Merck was also hit, with losses estimated at $700M. Finally, Mondelez International, which owns Cadbury and Nabisco, put its damages at $100M.

Now, all of the above is data loss, not physical equipment destruction. It has long been known that hacking industrial control systems, like those that manage our electrical grid, gas pipelines, petroleum refineries, water, and waste treatment systems, is also possible. In 2010 Stuxnet was discovered running on Iranian systems. It is believed that the code had been in place for several years on the systems controlling the centrifuges that enrich uranium at Natanz. Analysis showed that Stuxnet recorded normal operating telemetry and replayed it to the monitoring systems and operators while it covertly drove the centrifuges far above and then far below their rated speed. The result was the permanent destruction of these costly centrifuges. Estimates of the delay this inflicted on the Iranian nuclear program vary widely; the upper estimates put it at five or more years. It wasn’t until 2012 that the operation (code-named Olympic Games) was attributed to the US and Israel by press reports citing US officials; neither government has ever officially claimed it.

Earlier, on August 5, 2008, the Baku–Tbilisi–Ceyhan pipeline exploded in eastern Turkey. A 2014 Bloomberg investigation reported that a cyber attack on the servers managing the pipeline had suppressed alarms, blinded the system operators, and intentionally over-pressurized the line, and it pointed at Russia. That account is disputed (the Kurdish PKK claimed responsibility at the time) and has never been publicly confirmed or tied to Fancy Bear specifically. Whatever the cause, the pipeline was offline for 18 days.
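The Stuxnet passage above (telemetry replayed to the operators while the real equipment is driven to destruction) and the alleged pipeline attack (alarms suppressed, operators blinded) describe the same failure: the operator trusts a controller that is lying. The following is an added example, not code from the article and not Stuxnet or any real control-system code. It is a toy simulation in which a compromised controller records normal speed readings and replays them to the HMI while driving a centrifuge through a damaging profile, together with the one check that catches it: cross-validating the reported speed against an independently wired measurement (here a power meter) that the compromised controller does not mediate. The nominal speed, the power model, the 1410 Hz / 2 Hz attack profile and the alarm threshold are all assumptions chosen for illustration.

```python
"""Toy simulation of a Stuxnet-style telemetry replay and the out-of-band cross-check.

Added example, not code from the article. The plant model, the nominal speed, the
attack profile and the alarm threshold are assumptions chosen for illustration;
this is not Stuxnet code and not a real centrifuge model.
"""
import random
from dataclasses import dataclass

NOMINAL_HZ = 1064.0   # assumed nominal rotor frequency for the toy plant
RECORD_LEN = 21       # samples of normal telemetry the implant records before replaying them
POWER_COEFF = 0.002   # assumed plant physics: drive power (W) ~ POWER_COEFF * hz**2
ALARM_RATIO = 0.15    # alarm when measured power is >15% away from what the reported speed implies


def expected_power(hz: float) -> float:
    """Drive power the independent meter should see if the rotor really runs at hz."""
    return POWER_COEFF * hz ** 2


@dataclass
class Centrifuge:
    """The physical plant. The power meter is wired independently of the PLC, so the implant cannot fake it."""
    hz: float = NOMINAL_HZ

    def power_w(self, rng: random.Random) -> float:
        return expected_power(self.hz) + rng.gauss(0, 5)  # a little sensor noise


class HonestController:
    """Holds the rotor at nominal speed and reports the true speed to the HMI."""
    def step(self, plant, t, rng):
        plant.hz = NOMINAL_HZ + rng.gauss(0, 0.5)

    def read_hz(self, plant, t):
        return plant.hz


class ImplantedController:
    """Records RECORD_LEN samples of normal telemetry, then drives the rotor through a
    damaging speed profile while replaying the recorded 'normal' values to the HMI."""
    def __init__(self):
        self.recorded = []

    def step(self, plant, t, rng):
        if t <= RECORD_LEN:
            plant.hz = NOMINAL_HZ + rng.gauss(0, 0.5)
        else:  # assumed attack profile: alternate overspeed and near-stall in 10-sample bursts
            plant.hz = 1410.0 if (t // 10) % 2 == 0 else 2.0

    def read_hz(self, plant, t):
        if t <= RECORD_LEN:
            self.recorded.append(plant.hz)
            return plant.hz
        return self.recorded[t % RECORD_LEN]  # replay: the operator only ever sees nominal values


def simulate(controller, steps: int = 60, seed: int = 1) -> dict:
    """Run the plant for `steps` samples. Returns the speeds the operator saw and the
    sample numbers at which the out-of-band power check raised an alarm."""
    rng = random.Random(seed)
    plant = Centrifuge()
    operator_view, alarms = [], []
    for t in range(1, steps + 1):
        controller.step(plant, t, rng)
        reported = controller.read_hz(plant, t)      # what the HMI displays
        measured = plant.power_w(rng)                # what the independent meter reads
        operator_view.append(reported)
        # The check: the reported speed implies a power draw; compare it with the meter.
        if abs(measured - expected_power(reported)) > ALARM_RATIO * expected_power(reported):
            alarms.append(t)
    return {"operator_view": operator_view, "alarms": alarms}


if __name__ == "__main__":
    for name, ctl in (("honest", HonestController()), ("implanted", ImplantedController())):
        r = simulate(ctl)
        lo, hi = min(r["operator_view"]), max(r["operator_view"])
        print(f"{name:9s} HMI showed {lo:.1f}-{hi:.1f} Hz, alarms at samples {r['alarms'] or 'none'}")
```

In both runs the HMI shows a steady reading near nominal; only the comparison against the independently measured power draw separates the honest plant from the implanted one. The design point is that the check must use a sensor path the controller cannot touch; a second value read through the same PLC would be replayed just as easily.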

Iran, like Russia, China, and North Korea, has a sophisticated state-run cyber weapons and operations program. Two of its primary hacking groups are tracked by CrowdStrike as Helix Kitten and Static Kitten. According to the CrowdStrike “2019 Global Threat Report,” Iran is believed to be responsible for launching the Shamoon wiper against oil and gas companies in Saudi Arabia. These groups rely heavily on spear-phishing. Static Kitten, which other vendors track as MuddyWater, gets its initial foothold with email attachments that ask the victim to enable macros; the macro then installs the group’s backdoor. Their targets have so far been mostly in the Middle East, and neither Kitten has yet been publicly tied to anything beyond espionage and wipers, that is, to physical destruction. It should be expected that they will turn their sights on the US, given recent actions and comments by our current administration.
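The macro-enabled attachment lure described above is one of the few techniques on this page a defender can check for mechanically at the mail gateway. The following is an added example, not code from the article, from CrowdStrike, or from any Iranian tooling. It inspects an Office Open XML attachment (docx/docm, xlsx/xlsm, pptx/pptm) without opening it in Office, using two independent signals: a vbaProject.bin part inside the package, and a macro-enabled content type declared in [Content_Types].xml. The sample documents are constructed in memory so the demo runs offline; they are not real malware and carry no actual macro code.

```python
"""Gateway-style check for macro-bearing Office Open XML attachments.

Added example, not code from the article or from any vendor. The sample packages
built by build_sample() are constructed test data, not real documents.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
}
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def _declared_content_types(z: zipfile.ZipFile) -> set:
    """Collect every ContentType declared in the package's [Content_Types].xml."""
    root = ET.fromstring(z.read("[Content_Types].xml"))
    return {el.get("ContentType", "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] in ("Default", "Override")}


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Classify an attachment: the individual signals plus a verdict of
    'not-ooxml', 'allow' or 'quarantine'."""
    result = {"has_vba_part": False, "macro_content_type": False,
              "extension_mismatch": False, "verdict": "not-ooxml"}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return result
    with zipfile.ZipFile(buf) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return result            # a zip, but not an OOXML package
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        result["macro_content_type"] = bool(_declared_content_types(z) & MACRO_CONTENT_TYPES)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macro = result["has_vba_part"] or result["macro_content_type"]
    # A VBA project inside a file named .docx/.xlsx/.pptx is suspicious either way:
    # a renamed sample or an attempt to look like a plain document.
    result["extension_mismatch"] = macro and ext in MACRO_FREE_EXTENSIONS
    result["verdict"] = "quarantine" if macro else "allow"
    return result


def build_sample(main_part: str, content_type: str, with_vba: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed test data, not a real document)."""
    overrides = [f'<Override PartName="/{main_part}" ContentType="{content_type}"/>']
    parts = {main_part: b"<w:document/>"}
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        # Only the OLE compound-file header bytes; no macro code is present.
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>' + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


SAMPLE_CLEAN_DOCX = build_sample(
    "word/document.xml",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", with_vba=False)
SAMPLE_MACRO_DOCM = build_sample(
    "word/document.xml", "application/vnd.ms-word.document.macroEnabled.main+xml", with_vba=True)

if __name__ == "__main__":
    for name, blob in (("report.docx", SAMPLE_CLEAN_DOCX), ("invoice.docm", SAMPLE_MACRO_DOCM),
                       ("invoice.docx", SAMPLE_MACRO_DOCM), ("note.pdf", b"%PDF-1.4 not a zip")):
        print(name, inspect_ooxml(blob, name))
```

Two caveats a practitioner should keep in mind. First, this only covers the zip-based OOXML formats; legacy binary .doc/.xls files and Excel 4.0 macro sheets need an OLE parser such as oletools' olevba. Second, quarantining is a detection, not a fix: the durable control against the lure is policy, blocking macros in documents that arrived from the internet so that the "enable content" prompt the phish depends on never appears.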

So what can we expect in the coming months? At this point, nothing is off the table. Everything that is automated and not air-gapped from the Internet is potentially vulnerable. Furthermore, the US President confirmed Sunday night that Iranian cultural sites were among the targets his administration had identified. Iran will likely do the same.


Scott is a Technology Evangelist on the product management team at Achronix Semiconductor, focused on DPUs and security. Linkedin: https://bit.ly/2vdK4DY