There has been recent focus on alleged Iranian cyber activity over the past few weeks, spurred on by the publication of a vendor report on Iranian operations. Per the vendor’s findings, not only was Iran likely behind the activity targeting government and private sector organizations in the Middle East, it was also using National Security Agency exploits that were stolen and dumped into the public domain by the Shadow Brokers group in April 2017. As recently as late August 2018, Iran is suspected of trying to launch influence operations ahead of the midterm elections. The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its toolbox for conducting retaliatory attacks.
The new reporting comes at a time when Russia’s cyber malfeasance has largely dominated the press, due to its influence operations and election shenanigans, not just in the United States but in other countries as well. Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and SWIFT banking transactions before that. Iran was propelled onto the scene with the Operation Ababil DDoS attacks against U.S. banks, as well as its suspected involvement in the wiper malware incident against Saudi Aramco. Some consider Iran a powerful cyber nation on par with, or close to, China and Russia. Others maintain that Iranian actors are much less sophisticated, preferring to implement “tried-and-true tactics while targeting many individuals.” China initially led state-sponsored cyber espionage activity, which was largely curbed against the United States once the “no hack” pact was agreed to in 2015.
There seems to be a perpetual “revolving door” of news-cycle focus on suspected state activity, with new reports describing hostile espionage and exploitation against global targets. The purpose of these appears to be tracking the latest and greatest escapades of these governments, which in most cases use publicly available tools and exploits (see Shadow Brokers above) and vectors that are routine for any hostile cyber actor (certainly, if a state actor is “sophisticated”, the intimation is that its activity hasn’t been detected yet, or that the sophisticated tools and exploits haven’t been deployed yet).
Between the ongoing stories of adversarial state activity described above and news of smaller nations looking to acquire offensive cyber capabilities, all indications are that media and vendor reporting will continue to push the “hostile state actor as monolith” narrative into the public eye. Yet, as the saying goes, “if everything is important, nothing is important,” which rings true for state cyber activity. Actual activity or incidents that threaten to disrupt, destroy, degrade, deny, or manipulate data systems or the data resident on them deserve to be pushed to the forefront, as they potentially impact everyone at all levels.
But theft of intellectual property and state secrets affects a minority, and rarely if ever will impact everyday citizens. The same vigorous scrutiny and analysis applied to suspected state activity should be applied to the cyber crime ecosystem, whose nefarious endeavors directly impact the global population. And while there are isolated instances of law enforcement arresting groups and individuals or taking down marketplaces, this has failed to put a dent in a global industry that was cited as the second most reported economic crime, according to a 2017 report by the same vendor.
This needs to change. It would be welcome to see vendors with the wide and deep visibility into the cyber threat space needed to uncover some of the more “sophisticated” state actors apply that same precision against a threat intent on exploiting everyone on the planet. Some of the more notable breaches have exposed a high volume of individual data:
2013/14 Yahoo 3 Billion Accounts
2016 Adult Friend Finder 412 Million Accounts
2014 eBay 145 Million Users
2017 Equifax 143 Million Users
2008 Heartland Payment Systems 134 Million credit cards
One thing is clear – cyber criminals have proven to be as sophisticated and resourceful as state actors, oftentimes using the same tools and techniques. The fact that this category of cyber actor is not as robustly tracked, with information shared directly with the appropriate authorities, is disappointing.
This is a guest post by Emilio Iasiello