Ever since President Trump took office, tensions with Iran have been escalating. In 2018 the United States unilaterally withdrew from the 2015 nuclear deal with Iran, before beginning to follow a big stick policy aimed at ending Iran’s nuclear ambitions.
The tension culminated in Trump ordering a military strike in response to Iran’s surprise successful downing of a highly-advanced US surveillance drone on June 20, 2019. However, Trump backed out of this military attack at the last moment.
The underlying reason for Trump’s controversial decision to back off was unknown at the time. However, an online attack carried out by the US Cyber Command against an Iranian intelligence group, following its involvement in recent oil tanker attacks, offers some clues to the truth behind Trump’s cancellation of the strike. The cyber intrusion occurred the same day President Trump aborted the strike, which had been planned to hit targets such as radar and missile batteries in Iran.
The fact that this online operation had been going on secretly for several weeks before the incident shows us that one reason behind the military strike cancellation was the hidden war taking place in the cyber domain between the two enemies. It seems that those in charge of the cyber operation in Washington vetoed any conventional military action that could disturb or interrupt their ongoing efforts.
People briefed on the operations reported to the New York Times that the cyber-attack hit multiple computer systems, including those controlling Iran’s missile launches. However, given the secretive nature of cyber warfare, accurate corroboration of these reports remains virtually impossible.
These online operations are considered to be only part of a long history of cyber warfare between the United States and Iran. Only recently, CrowdStrike and FireEye (both well-known companies that track cyber-attacks against targets within the United States) predicted an increase in Iranian offensive cyber activity. The companies’ representatives are convinced that hackers believed to be working for the Iranian government have recently targeted US government agencies, as well as sectors of the economy including oil and gas, by sending waves of spear-phishing emails.
Despite being accused of launching several harmful cyber-attacks against the United States and its allies, Iran maintains plausible deniability. Most notable among these attacks were the 2012-13 Operation Ababil campaign against US financial institutions, the 2012 Shamoon attack against oil giant Saudi Aramco, and the 2014 strike against Las Vegas Sands Corporation.
Operation Ababil was a response to a new package of US economic sanctions against Iran. A hacker group known as the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the attacks in online posts. The high complexity of the operation convinced the US administration that the attackers were hackers connected to the Iranian government. They deployed distributed denial-of-service (DDoS) attacks in a very sophisticated way, directing a huge amount of fake traffic at the banks’ websites to bring them down and block service to users.
The operation was massive in terms of its scope and effectiveness. It targeted several major banks in the United States, such as Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC. The online websites of these banks were badly damaged for a while, although no bank accounts were breached and no customers’ money was taken during the attack. Whilst it took the banks only a short time to recover, the operation caused tens of millions of dollars in damage and sent shockwaves through financial circles in America.
The 2012 Shamoon attack against oil giant Saudi Aramco was an example of Iran’s retaliatory cyber-attack. A group of hackers who refer to themselves as ‘Cutting Sword of Justice’ took credit for this action, justifying the attack by expressing their outrage at Saudi regional policy. The attack was one of the most destructive acts of computer sabotage on Aramco to date. The virus erased data on three-quarters of Aramco’s corporate PCs and replaced documents, spreadsheets, e-mails and files with an image of a burning US flag.
Iran, as usual, kept silent. However, consensus among the US intelligence agencies clearly pointed the finger of blame at Iran, whose nuclear program had suffered severely from a US-made cyber weapon that destroyed many of its centrifuges in 2010.
The unprecedented attack had shocked Iran deeply, hitting its most advanced reactor at the Natanz uranium enrichment plant. A cyberworm called the Flame (which had been developed in cooperation between the United States and Israeli intelligence services) managed to reach Iran’s nuclear reactor despite all the advanced protection measures taken by the Iranians. The Flame was a multi-purpose malware, with 650,000 lines of code, 4,000 times more than standard software.
The operation came to be known as Stuxnet and was unlike any other operation in its use of a previously unknown virus or worm. Rather than simply hijacking targeted computers or stealing information from them, it transcended the digital realm to wreak physical destruction on equipment controlled by the affected computers.
The operation was initiated by George W. Bush as he sought alternatives for dealing with Iran after setbacks in Iraq during his presidency. With the military option for dealing with Iran set aside, US intelligence agencies proposed dealing with Iran’s nuclear program in a less conventional way. The method relied on the idea of an unprecedented cyber-attack that would destroy or disable Iran’s nuclear program. When President Bush himself briefed the newly elected President Obama on the details of the process, the latter was impressed with the idea and endorsed its implementation.
Stuxnet was a twofold operation: in the first stage it made the centrifuges of the Natanz plant spin dangerously fast for about 15 minutes, before returning them to normal speed. About a month later, the second stage began by slowing the centrifuges down for around 50 minutes. This was repeated for several months, and around 25 percent of Iran’s centrifuges in the Natanz nuclear plant (2000 out of 8700) were decommissioned as a direct result of the damage caused by the attack.
Whilst it is possible to argue that Stuxnet did not bring the Iranian nuclear program to its knees, it unleashed a new generation of cyber-attacks whose effects are not limited to the virtual domain but can also reach the physical one, causing real harm to vital infrastructure.
All in all, tit-for-tat cyber-attacks between Iran and the United States will not stop at this level. There is a high probability that the frequency of attacks will increase in the short and medium term, especially as the United States moves to activate a more effective offensive strategy in cyberspace known as active defense.
To date, cyber-attacks have not directly provoked a genuine military response, but the key question remains whether these online operations would lead either Washington or Tehran to use their military arsenal against each other as a result of a provocative cyber-attack.