August 30, 2019
A secret cyberattack against Iran in June wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily, senior American officials told The New York Times.
Iran is still trying to recover information destroyed in the June 20 attack and restart some of the computer systems — including military communications networks — taken offline, the officials said.
Senior officials discussed the results of the strike in part to quell doubts within the Trump administration about whether the benefits of the operation outweighed the cost — lost intelligence and lost access to a critical network used by the Islamic Revolutionary Guards Corps, Iran’s paramilitary forces.
The United States and Iran have long been involved in an undeclared cyberconflict, one carefully calibrated to remain in the gray zone between war and peace. The June 20 strike was a critical attack in that ongoing battle, officials said, and it went forward even after President Trump called off a retaliatory airstrike that day after Iran shot down an American drone.
Iran has not escalated its attacks in response, continuing its cyberoperations against the United States government and American corporations at a steady rate, according to American government officials.
American cyberoperations are designed to change Iran’s behavior without initiating a broader conflict or prompting retaliation, said Norman Roule, a former senior intelligence official. Because they are rarely acknowledged publicly, cyberstrikes are much like covert operations, he said.
“You need to ensure your adversary understands one message: The United States has enormous capabilities which they can never hope to match, and it would be best for all concerned if they simply stopped their offending actions,” Roule said.
Cyberoperations do not work exactly like other conventional warfare. A cyberattack does not necessarily deter future aggression in the same way a traditional military strike would, current and former officials say. That is in part because cyberoperations are hard to attribute and not always publicly acknowledged by either side, the senior defense official said.
Yet cyberoperations can demonstrate strength and show that the United States will respond to attacks or other hostile acts and impose costs, the official said.
Cyber Command has taken a more aggressive stance toward potential operations under the Trump administration, thanks to new congressional authorities and an executive order giving the Defense Department more leeway to plan and execute strikes.
The head of United States Cyber Command, Army Gen. Paul M. Nakasone, describes his strategy as “persistent engagement” against adversaries. Operatives for the United States and for various adversaries are carrying out constant low-level digital attacks, said the senior defense official. The American operations are calibrated to stay well below the threshold of war, the official added.
The strike on the Revolutionary Guards’ intelligence group diminished Iran’s ability to conduct covert attacks, said a senior official.
The United States government obtained intelligence that officials said showed that the Revolutionary Guards were behind the limpet mine attacks that disabled oil tankers in the Gulf in attacks in May and June, although other governments did not directly blame Iran. The military’s Central Command showed some of its evidence against Iran one day before the cyberstrike.
The White House judged the strike as a proportional response to the downing of the drone — and a way to penalize Tehran for destroying crewless aircraft.
The database targeted in the cyberattacks, according to the senior official, helped Tehran choose which tankers to target and where. No tankers have been targeted in significant covert attacks since the June 20 cyberoperation, although Tehran did seize a British tanker in retaliation for the detention of one of its own vessels.
Though the effects of the June 20 cyberoperation were always designed to be temporary, they have lasted longer than expected and Iran is still trying to repair critical communications systems and has not recovered the data lost in the attack, officials said.
Officials have not publicly outlined details of the operation. Air defense and missile systems were not targeted, the senior defense official said, calling media reports citing those targets inaccurate.
In the aftermath of the strike, some American officials have privately questioned its impact, saying they did not believe it was worth the cost. Iran probably learned critical information about the United States Cyber Command’s capabilities from it, one midlevel official said.
Cyberweapons, unlike a conventional weapon, can be used only a few times, or sometimes even once. Targets can find the vulnerability used to get access to their networks, then engineer a patch to block that opening.
“Iran is a sophisticated actor. They will look at what happened,” said Mark Quantock, a retired major general who served as the director of intelligence for the United States Central Command, which oversees operations related to Iran. “Russia, China, Iran, and even North Korea would all be able to see how they were penetrated.”
Cyberstrikes also inevitably cut off access to intelligence that American operatives gained from exploiting that vulnerability, once the adversary discovers and fixes it. Losing even some access to the Islamic Revolutionary Guards Corps, Tehran’s paramilitary force that is deeply involved with proxy forces around the Middle East, is a high price to pay, according to some officials.
Military and intelligence agencies always weigh the costs of a cyberoperation and the risks of lost information ahead of a strike, according to former officials. Intelligence officials have long been skeptical of some cyberoperations, worried that the benefits are not worth the costs.
“It can take a long time to obtain access, and that access is burned when you go into the system and delete something,” said Gary Brown, a professor at the National Defense University and former legal counsel for Cyber Command. “But on the same token, you cannot just use that as an excuse not to act. You can’t just stockpile access and never use it.”