As part of a major change in strategy, it now appears that Iranian hackers are shifting their focus to include physically disruptive cyber attacks on critical infrastructure targets – including targets within U.S. borders. Iranian hackers known as APT33 are now looking for ways to exploit security vulnerabilities in the industrial control systems (ICS) of manufacturing plants, energy grid operators and oil refineries. In a worst-case scenario, say ICS security researchers, Iranian hackers could carry out a massive cyber attack that disrupts the U.S. energy grid and causes widespread physical damage. U.S. security experts have been carefully tracking the activities of the APT33 Iranian hackers since 2013. As a result, they have unique insights into their changing tactics and strategies.
For more than five years, Iran has maintained a reputation as one of the most aggressive nations in the global arena of state-sponsored hacking, stealing data from corporate and government networks around the world, bombarding US banks with cyberattacks, and most brazen of all, unleashing multiple waves of computer-crippling malware that hit tens of thousands of PCs across the Middle East. But amidst that noisy mayhem, one Iranian group has managed to quietly penetrate a broad series of targets around the world, until now evading the public eye. And while that group seems to have stuck to traditional spying so far, it may also be laying the groundwork for the next round of destructive attacks. Security firm FireEye has released new research into a group it calls Advanced Persistent Threat 33, attributing a prolific series of breaches of companies in the aerospace, defense, and petrochemical industries in countries as wide-ranging as Saudi Arabia, South Korea, and the US. While FireEye has closely tracked APT33 since May of last year, the security firm believes the group has been active since at least 2013, with firm evidence that it works on behalf of Iran's government.
Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment. That rare type of malware has now reappeared in the Middle East. And this time, it seems to have the express intention of disabling the industrial safety systems that protect human life.
Not so long ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Today, these scenarios are no longer hypotheticals: every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality. More than ever before, it has become clear that the threat of hacking goes beyond nuisance vandalism, criminal profiteering, and even espionage to include the sort of physical-world disruption that was once possible to accomplish only with military attacks and terroristic sabotage. So far, there is no clearly documented case of a cyberwar attack directly causing loss of life. But a single cyberwar attack has already caused as much as $10 billion in economic damage.
When the US last tightened its sanctions against Iran in 2012, then-president Barack Obama boasted that they were "virtually grinding the Iranian economy to a halt." Iran fired back with one of the broadest series of cyberattacks ever to target the US, bombarding practically every major American bank with months of intermittent distributed denial of service attacks that pummeled their websites with junk traffic, knocking them offline. Three years later, the Obama administration lifted many of those sanctions in exchange for Iran's promise to halt its nuclear development; Tehran has since mostly restrained its state-sponsored online attacks against Western targets. Now, with little more than a word from President Trump, that détente appears to have ended. And with it, the lull in Iranian cyberattacks on the West may be coming to an end, too.