After the Islamic Republic of Iran shot down an RQ-4 Global Hawk drone June 20, President Donald Trump opted against physical military strikes as retaliation. Instead, multiple news organizations reported the U.S. military quietly conducted cyber operations that targeted computer systems that control Iranian missiles launches and an intelligence organization associated with the Iranian Revolutionary Guard Corps.
Representatives from two cyber threat intelligence firms told Fifth Domain June 24 that they were aware Iran had conducted highly-customized spearphishing campaigns. In some cases, experts said, the attacks included what’s known as a lure document to entice victims to click and inadvertently install malware. U.S. government agencies were among the targets of the attacks.
In addition, experts said that the operation signals U.S. government leaders are becoming increasingly comfortable with cyberwarfare as a tool in the arsenal and, in some cases, now view cyber operations as a half-step removed from a kinetic conflict.
“This shows that we’ve improved our practical capacity to use the cyber domain as part of a whole-of-government approach, which in this case already included substantial amounts of sanctions,” said Bobby Chesney, a law professor at the University of Texas who teaches courses on cybersecurity.
Because Trump acknowledged an Iranian attack on an unmanned aircraft “is easier to accept” than one that kills Americans, Chesney said “by the same token, striking back in a way that does not kill Iranians demonstrates that Cyber Command is providing him with tools for a more-nuanced responses.”
Other experts noted that along with a series of new authorities for military cyber leaders, the recent actions are further evidence that the U.S. government is approaching cyber activities more aggressively.
“We are in a new era when it comes to offensive use of cyber capabilities, where our policymakers and senior leaders are ready to provide DoD with more flexibility and authority, and an era where DoD, in turn, is likely to be more forward leaning,” Jamil Jaffer, founder of the National Security Institute at George Mason University Law School and vice president for strategy and partnerships at IronNet Cybersecurity, told Fifth Domain.
Cyber “may not be a silver bullet, but it does seem to be providing relatively non-escalatory tools to policy makers,” Chesney said. “Indeed, reading the tea leaves from this past weekend, it appears the cyber option helped ensure there was an off-ramp from a kinetic response that might have led to further escalation.”
A response to ‘malicious cyber activity’
U.S. government officials raised the alarm about Iranian cyber activities June 22, about five hours after reporters from Yahoo! News first broke the story of the U.S. response. Yahoo! News said the U.S. cyberattack was against an Iranian spy group that supported limpet mine attacks on commercial ships earlier in June.
In a tweet, Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, wrote, “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies … Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks.”
Wiper attacks are often destructive forms of malware of which all data on a network can be lost. Representatives from two cyber threat intelligence firms, FireEye, CrowdStrike, told Fifth Domain June 24 that they were aware Iran had conducted highly-customized spearphishing campaigns and representatives from two others, Recorded Future and Dragos, said while they had not seen direct evidence of the Iranian attacks, it fit the profile for their past work. In some cases, experts said, that included what’s known as a lure document to entice victims to click and potentially inadvertently install malware.
John Hultquist, director of intelligence analysis at FireEye, said his firm had identified “spearphishing activity conducted by Iranian threat actor APT33 concurrent with increasing tension in the Gulf region and with the U.S. The spearphishing campaign has targeted both public and private sectors in the U.S. This activity is consistent with intelligence collection, and the Iranian regime is also likely to be using cyber espionage to reduce the uncertainty surrounding the conflict. Notably, APT33 has historically carried out destructive cyberattacks in addition to intelligence collection.”
The key question becomes: what happens next?
Robert Knake, senior fellow for cyber policy at the Council on Foreign Relations and the co-author of the new book “The Fifth Domain,” said in this new digital landscape, both the United States and Iran are trying to be proportionate in their response.
“The question, when you’re talking about a nation state threat with the Iranians, is you really don’t know the level of sophistication they’re going to bring to the attack,” he said. “There’s no binary answer. Do I think most federal agencies are probably decently positioned to address run of the mill ransomware attacks, absolutely, right? Do the Iranians have a capability that they could cause consequences at a U.S. government agency? I think that’s likely.”
In terms of the specific targets Cyber Command reportedly hit, Chesney said he doesn’t view them as crossing a threshold. He pointed to reporting that the U.S. previously targeted North Korea’s missiles in what is called a “left of launch” approach ensuring the missiles fail to launch.
Cyber operations can be effective at eliminating these types of capabilities.
“[C]yber capabilities can be an extremely effective instrument of force projection with respect to neutralizing kinetic or conventional weapons,” Dave Weinstein, chief security officer for Claroty, wrote in an email to Fifth Domain. “Reports of the Trump administration responding to Iran's downing of a US drone with a surface-to-air missile by targeting these same systems with cyber capabilities is a proportionate response and one that limits collateral damage – both diplomatically and kinetically.”
The operations, however, are not totally risk free.
“Of course all cyber operations usually come with a temporary loss of intelligence so these responses are not without cost,” Weinstein said. “However, it’s important to recognize the value of demonstrating that the U.S. has both the will and capability to conduct precision and timely cyber operations against conventional military targets.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.