Private cyber threat researchers at FireEye concluded that the evidence points to Iranian sponsorship. (iStockphoto)

By Annie Fixler

January 26, 2019

The Department of Homeland Security (DHS) issued an emergency directive on Tuesday to all federal agencies to take immediate steps to combat a campaign to redirect internet traffic to websites controlled by malicious actors. Although DHS did not link this series of malicious operations to Iran, private cyber threat researchers at FireEye concluded that the evidence points to Iranian sponsorship. This operation follows a trend of global Iranian cyber campaigns, as identified in a November FDD report.

While FireEye could only conclude “with moderate confidence” that Iranian actors were responsible for the operation, the firm noted that the “activity aligns with Iranian government interests.” This is consistent with assessments that the Islamic Republic relies on quasi-independent groups to conduct its cyberattacks. In an in-depth study of the cyber threat landscape in Iran, threat intelligence firm Recorded Future concluded that there is “consistent evidence” that cyber operations emanating from Iran are “government-sponsored.”

The scale of this two-year operation is unprecedented. FireEye discovered related activity dating back to January 2017, predating the Trump administration’s maximum pressure campaign against Iran and the U.S. withdrawal from the nuclear deal between Iran and the international community. “We found at least 50 different organizations affected across at least 12 countries — and that’s just what we’ve found so far,” a FireEye senior manager told The Washington Post.

According to FireEye and Cisco, the “sophisticated” and “innovative” campaign used at least three different methods to manipulate “Domain Name System” (DNS) records, which translate URLs into numerical IP addresses so that internet users’ requests reach the intended websites. “DNS hijacking” enables hackers to decrypt the redirected internet traffic, read emails, and steal credentials.

This is the latest in a series of exceptional operations for Iranian hackers. The Department of Justice issued an indictment in November against two Iranian hackers responsible for $30 million in losses as a result of ransomware attacks. Assistant Attorney General Brian Benczkowski called the indictment “the first of its kind.” In August, Facebook, Google, and Twitter dismantled hundreds of accounts in what was the first reported case of Iranian influence operations exploiting U.S. social media. In March, the Justice Department charged nine Iranians in “one of the largest state-sponsored hacking campaigns ever prosecuted.” The past two years have also witnessed the resurgence of the Shamoonvirus, the original variation of which destroyed a then-unprecedented 35,000 computers at Saudi Aramco.

DHS warned that the interception of web and email traffic affected “multiple executive branch agency domains” and posed “significant and imminent risks to agency information and information systems.” Given the scale and persistence of the threat, DHS is right to require that agencies change DNS account passwords and implement multi-factor authentication. Yet good defenses are insufficient to combat Iranian cyber operations. Indictments and sanctions help to hold attackers accountable, but have a limited deterrent effect. Until the Islamic Republic recognizes that Washington is prepared to disable the networks responsible for such attacks, the leadership in Tehran will continue to commission them.

Foundation for Defense of Democracies

About Track Persia

Track PersiaTrack Persia is a Platform run by dedicated analysts who spend much of their time researching the Middle East, in due process we fall upon many indications of growing expansionary ambitions on the part of Iran in the MENA region and the wider Islamic world. These ambitions commonly increase tensions and undermine stability.