For over 20 years, Iran has been waging a Cyber War against its enemies. Iran attempts to keep its victories unpublicized and other nations are glad to mention Iranian Cyber War defeats because it demonstrates that the Iranians are vulnerable. This was the case when Iran was unsuccessful in avenging the January 2020 death via an American UAV missile strike of their chief of foreign wars commander, Quds Force general Qassem Soleimani. The mass media tends to track Iranian vengeance efforts in terms of direct attacks on Americans in Syria and Iraq, which so far have been unsuccessful. The situation is different in a less visible war, waged by Iranian hackers, where there have been victories, but Iran keeps these victories quiet because continued success depends on the victim not being aware they were attacked or who did it.
Iran victories are often won due to the efforts of Iranian hacker organizations. These are known as APTs (Advanced Persistent Threat) and for a decade one of the deadliest groups was one called APT 35. Internet security firms track these APT groups and use the APT label to identify those groups that have been around for a while, usually with the help of a national sponsor. APT35 is Iranian, has been active since 2014 and often works for the Iranian IRGC (Islamic Revolutionary Guard Corps). Security firms are constantly looking for APT campaign. One which APT35 favored used Facebook to establish dozens of fake recruiters of military personnel leaving the service and seeking civilian employment. APT35 used the social engineering approach to entice military personnel looking for a lucrative civilian job to supply useful information on their current jobs or download apps that did help them in their job search but also contained hidden malware (hacker software) giving the hackers secret access to the user’s computer and sometimes military networks as well. This APT35 exploit was detected by security firms who alerted Facebook, which began finding and canceling hundreds of APT35 accounts used to operate this swindle. Facebook kept looking until it was certain that the illegal activity was gone, and it took many months to find and delete all the fake accounts.
The APT35 recruiter campaign was damaged and destroyed. For APT35 it still counts as a win because much damage was done, and Facebook and the Department of Defense are trying to measure the extent of the damage.
Avenging Soleimani was not the only reason for the Facebook campaign, which was expensive to create and sustain. While APT35 was compensated by Iran (which benefited from some of the hacks into the US military and defense contractors), APT35’s Facebook campaign was also payback for less visible defeats APT35 suffered since 2018, when the American government secretly authorized the CIA to engage in offensive Cyber War operations. This capability had long been sought, and one reason permission was finally granted was the increased defensive Cyber War capabilities Western companies had developed. This effort was market driven because the damage done via hacking Internet networks makes it more difficult to sell Internet based equipment and services.
One of the major developments since 2001 has been the creation and growth of Internet security operations. Initially these were firms that sold and supported their own Internet security software. Soon the major Internet companies got involved again because it was good business. Hackers were seen as “agricultural pests” in the Internet based computing ecosystem. One after another Microsoft, Apple, IBM, Amazon, and others got more involved in protecting their customers from hackers. These separate operations cooperated by sharing information, especially about hacking groups as well as the new tools and techniques hackers were using. The effectiveness of this cooperative effort enabled the CIA to make a case for offensive operations. There was now enough intelligence being obtained, which the U.S. government, the largest computer and network user in the world, had access to so that the CIA could realistically plan and conduct offensive operations.
While details of offensive operations are usually kept secret, the same is not the case with many defensive operations. That is because information about hacker techniques and tools is best exploited by letting users know how they are vulnerable and how to avoid it or deal with the problem if they were a target.
One example of this came from the IBM X-Force IRIS (Incident Response and Intelligence Services) security team. One of the many hacking groups X-Force was aware of, an Iranian mercenary hacker cooperative called ITG18, had been hacked and 40 GB of hacker “how-to” videos were obtained. These videos were created to upgrade the skills of Iranian hackers via the use of Bandicam, a video recorder which creates annotated videos of activities on a video screen. These vids showed how hackers used their tools and revealed new uses or more effective use of current techniques.
ITG18 was in it for the money, but the Bandicam videos showed that the victims were often military or government personnel who might have access to information that could be sold to any country interested in that sort of thing. The ITG18 hack also revealed many tools and techniques APT35 used, and all Iranian hackers saw the American effort that publicized their tools as a direct attack that must be avenged.
X-Force gained a lot of useful information from the Bandicam videos and passed on a lot of it to IBM customers and computer users in general. For example, the videos revealed some techniques that were not known while also revealing how effective some security techniques were. For example, banks and other Internet services have long urged their customers to use second-factor authentication when logging in. The second factor is usually a four-digit security code sent to the users’ cell phone. There have been several claims that second-factor schemes could be hacked, even though this took a lot of effort. The ITG18 videos revealed that hackers were advised to ignore accounts that used second factor because it consumed so much time to hack and there were so many accounts available that did not use second factor.
Israel is one of the two countries, the other is the United States, which participates in a perpetual Cyber War with Iran, one that receives little official publicity. Not even all the damage is publicized, as a lot of the damage is undetected, often for a long time, by the victim. While Iran has made the most noise about this Cyber War, Israel is doing the most destruction. Israel wants to keep it that way and keep it quiet. Partly this is to keep the Iranians confused, but it is also to keep Israeli government lawyers happy. A lot of the tactics and weapons used in Cyber War are of uncertain legality. The traditional Laws of War have not caught up with Cyber War. This process has been going on for some time, and some aspects of it do surface in the media. For example, Israel established the National Cybernetic Taskforce, with orders to devise and implement defensive measures to protect the economy and government from Internet based attacks. The task force consisted of about eighty people and was run by a retired general. Existing Internet security efforts, and military Cyber War organizations have discovered a growing number of vulnerabilities in the national Internet infrastructure. The only solution to this growing vulnerability is a large-scale effort to monitor the national network infrastructure for vulnerabilities and fix them as quickly as possible. You will never catch all the vulnerabilities, but in Cyber War, as in the more conventional kind, victory is not always a matter of who is better, but who is worse and more vulnerable to attack.
Israel makes no secret of what it thinks about its CyberWar capabilities. Israel eventually revealed that its cryptography operation (Unit 8200) has added computer hacking to its skill set. The head of Israeli Military Intelligence said that he believed Israel had become the leading practitioner of Cyber War. This came in the wake of suspicions that Israel rather than the US had created the Stuxnet worm, which got into Iran's nuclear fuel enrichment equipment and destroyed a lot of it. Iran also complained that a 2011 worm, called Star, caused them trouble.
Intelligence organizations usually keep quiet about their capabilities but, in this case, the Israelis felt it was more useful to scare the Iranians with the threat of more stuff like Stuxnet. But the Iranians have turned around and tried to attack Israel and are determined to keep at it for as long as it takes. This struggle between Israel and Iran is nothing new. At one point, Israel announced that Unit 8200 had cracked an Iranian communications code, an operation that allowed Israel to read messages concerning Iranian efforts to keep its nuclear weapons program going with Pakistani help, despite Iranian promises to UN weapons inspectors that the program was being shut down.
It has long been known that Unit 8200 of the Israeli army specialized in cracking codes for the government. This was known because so many men who had served in Unit 8200 went on to start companies specializing in cryptography (coding information so that no unauthorized personnel can know what the data is.) But it is unusual for a code-cracking organization to admit to deciphering someone's code. The Iranians stopped using the code in question, or the Israelis just wanted to scare the Iranians. Israel is concerned about Iran getting nuclear weapons, mainly because the Islamic conservatives that control Iran have as one of their primary goals the destruction of Israel. In response to these Iranian threats, Israel has said that it will do whatever it takes to stop Iran from getting nukes. This includes doing the unthinkable, admitting that you had successfully taken apart an opponent's secret code. Israel keeps trying to convince Iran that a long-time superiority in codebreaking was now accompanied by similarly exceptional hacking skills. Whether it was true or not, it's got to have rattled the Iranians. The failure of their counterattacks can only have added to their unease.