The Reuters News Agency on Wednesday reported that the United States carried out a secret cyber operation against Iran. The digital attacks were in response to the September 14 attacks on Saudi Arabia’s oil facilities, which the governments of the U.S., Saudi Arabia, Great Britain, France and Germany publicly blamed on Iran. Tehran has denied involvement in the strike, but the Iran-aligned Houthi militant group based in Yemen did claim responsibility.
According to Reuters, two U.S. officials – who spoke to the wire service on condition of anonymity – said the operation took place late last month, and took aim at Tehran’s ability to spread “propaganda.” One of the officials said the attacks affected physical hardware. Reuters also noted that this latest attack highlighted the White House effort to counter Iranian aggression in the region without it spiraling into a larger border conflict.
This latest strike was also described as being more limited than other such operations against Iran this year – including those that followed the downing of an American drone in June, as well as the alleged attack by Iran’s Revolutionary Guards on oil tankers in the Persian Gulf in May.
The Pentagon has declined to comment about the cyber strike.
“As a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence, or planning,” Pentagon spokesperson Elissa Smith told Reuters.
Cyber as a Response
This is also far from the first time that the U.S. has engaged in a cyber attack against the Iranian regime. While the United States never publicly claimed responsibility, it is believed that a joint U.S.-Israeli effort was behind the 2009 deployment of the malicious Stuxnet computer worm on Iran’s Natanz nuclear facility.
Stuxnet, which is considered to be the largest and most expensive malware ever created, was believed to have been developed jointly by the U.S. and Israel in 2005 or 2006 to cripple Iran’s nuclear weapon program without Tehran even knowing it was under attack. There are reports that it may have first been deployed in 2007, but either didn’t reach its intended target or it was just gathering intelligence.
Iran has so far been unable to launch any cyber attacks on the magnitude of Stuxnet, but a hacking group linked to Tehran – dubbed “Phosphorus” by Microsoft – tried to infiltrate email accounts related to President Trump’s re-election campaign. Throughout the end of August and into September the group made more than 2,700 attempts to identify consumer accounts and attacked 241 in total.
While it could take months to determine the impact of these latest attacks, cyber is generally seen as a less-provocative option, but one that can still do considerable damage.
“The publicized portion of the U.S. cyber response that targeted ‘physical hardware’ used by Iran to ‘spread propaganda’ seems like a weaker response to an attack that put half of Saudi Arabia’s oil production capacity out of commission,” said Ben West, global security analyst at Stratfor.
“However, the publicized component of the attack is likely only part of the story,” West told ClearanceJobs. “We know that the U.S. has been targeting Iran for a long time and there are likely far more actions ongoing that officials are not going to talk about to maintain the integrity of other operations.”
The New Battlefield
Unlike past U.S. responses that included the use of bombs and missiles – such as the U.S. sorties against Libya in the 1980s and Iraq in the 1990s – cyber can do less physical damage, have very little if any body count or collateral damage and yet still do real and lasting harm.
“These types of offensive cyber-attacks on critical national infrastructure organizations have quickly become the latest battlefield for many geo-political rivals on the world stage,” said Danielle VanZandt, industry analyst for security, aerospace, defense and security at Frost & Sullivan.
“With how quickly these attacks can be coordinated and carried out, all without the need to launch or fire physical projectiles, cyber-attacks can not only save a country millions in new equipment costs, but also lessen the potential for casualties among their ranks and be carried out safely within their borders without the need to deploy a military battalion,” VanZandt told ClearanceJobs. “For all these benefits, nations can still conduct warfare activities and cause significant damage to their enemies – a seeming win-win situation for them.”
That isn’t to say that the risks of using cyber as an offensive weapon are minimal.
“(The) increased connectivity amongst defense agencies and military technology also opens potential pathways for offensive military strikes to move beyond attacks on actual facilities or battle locations and begin to attack military systems and personnel far outside of a true battlefield,” explained VanZandt.
Because cyber attacks can be costly to those on the receiving end, there is also the danger that such conflicts could escalate even faster than one that involves physical military hardware and actual troops.
“The U.S. is far more vulnerable because of our connectedness and reliance upon our connectedness,” warned West.
He added that our reliance on this connectivity has created a bigger surface area for attacks.
“Other countries do not show the kind of discretion for collateral damage the U.S. does,” West noted. “Iran doesn’t have teams of lawyers and Congress overseeing IRGC and APT teams targeting U.S. and other Western targets. So, even though U.S. cyber capabilities are likely superior, it’s also a theater (where) we’re extremely vulnerable.”
Attacks on critical infrastructure sites including oil fields will likely only continue to grow.
“Many of the attacks targeting these facilities can be linked back to nation-states, not a hacking collective or rogue hacker looking to make a statement,” said Frost & Sullivan’s VanZandt. “The potential for a cyber-attack on these sites, particularly when it comes to critical sites that ordinary citizens rely on for services – i.e., electricity in the winter or water during a summer day – is significant, but it is up to the nations themselves to weigh defensive cyber-protections of these sites versus their desire to conduct offensive cyber maneuvers first.”