Editor's Note: This security-focused assessment is one of many such analyses found at Stratfor Threat Lens, a unique protective intelligence product designed with corporate security leaders in mind. Threat Lens enables industry professionals and organizations to anticipate, identify, measure and mitigate emerging threats to people, assets and intellectual property the world over. Threat Lens is the only unified solution that analyzes and forecasts security risk from a holistic perspective, bringing all the most relevant global insights into a single, interactive threat dashboard.
Continued U.S. sanctions and Israel's aggressive strategy against Iran in Syria and Iraq have backed Iran into a corner, forcing it to become more aggressive in its counterstrategy. In 2019, Iran made a significant shift in its asymmetric strategy in the Persian Gulf and on the Arabian Peninsula when it launched missile, drone and bombing attacks that inflicted significant damage on regional oil exports and Saudi Arabia's oil industry. Now it appears that Iran may be making the same shift toward inflicting physical damage using cyberattacks as well. Such a shift would entail a significantly higher risk of further cyberattacks on Arab, U.S., Israeli and other Western companies operating in the region, as well as for critical infrastructure worldwide.
In April, Iranian-backed cyber actors targeted Israeli water infrastructure in an attack that could have increased the amount of chlorine to dangerous levels. The Israel National Cyber Directorate stopped the attack when operators noticed that water pumps were malfunctioning. While few details about the incident have emerged, the hackers apparently deployed malware targeting the plant's industrial control systems' programmable logic controllers once they gained entry into the network.
Prior to April's attack, Iran's offensive cyber operations did not damage critical civilian infrastructure; they focused instead on deleting data and records and on accessing information. April's cyberattack, by contrast, was intended to physically damage and disrupt Israel's water supply. Iran has spent years attempting to gain entry to critical infrastructure and developing the cyber tools needed to target industrial control systems and damage infrastructure and economic targets.
- Iran saw firsthand what offensive cyber operations can cause when the Stuxnet virus, likely the work of Israel and the United States, caused significant damage to Iran's nuclear program when it targeted enrichment activities and centrifuges in 2010.
- A 2016 U.S. indictment highlighted Iran's attempt to gain entry into a U.S. dam, and Iranian-backed hackers have increasingly tested for vulnerabilities in, and tried to gain entry to, critical infrastructure in Bahrain, Israel and other countries.
Tehran now appears to have both the willingness and the capability to conduct attacks on industrial control systems in response to the significant economic damage inflicted on it by U.S. sanctions, and to accept the risk associated with using destructive offensive cyberattacks. Last November, cybersecurity researchers noted that the Iranian-backed hacking group APT33 (aka Elfin, aka Refined Kitten) had increasingly been focusing its efforts on infiltrating critical infrastructure networks, leading to speculation that Iran would try to deploy Shamoon or other malware to target industrial control systems. This follows a shift in Iran's military activity last year, when it went from merely threatening to shut down the Strait of Hormuz and harassing the U.S. Navy in the Persian Gulf to actually planting mines on commercial tankers and conducting drone and missile strikes against Saudi Arabia's oil industry. Iran has not carried out similar missile and drone attacks since last September, likely over fears of escalation to military conflict, but it may be assessing that cyber activity reduces the risk of rapid escalation and carries less risk of direct military conflict, even though it carries a higher risk of retaliatory cyberattacks.
Iran will continue to expand its cyber capabilities, but its acquisition of such skills will remain relatively slow when compared to more highly skilled rivals like Israel, Russia, China and the United States – still, even second-tier cyber powers can inflict significant damage because of the difficulty of hardening systems against cyberattacks. If Iran's attempts to disrupt critical infrastructure continue, it will force other countries to respond in kind to maintain some level of deterrence — risking continued tit-for-tat escalation. Israel already apparently did this in May when it launched a cyberattack against an Iranian port, disrupting activities there. Protecting against cyberattacks is notoriously difficult because of the wide range of potential vulnerabilities and access points to systems.
Israel is likely to remain a focal point for Iran's cyber operations against civilian and government targets. Israel has been very aggressive in targeting Iranian activity not only through constant cyber activity trying to gain entry to critical infrastructure in Iran, but also by striking Islamic Revolutionary Guard targets in Syria and Iraq to reduce Iran's geographic reach close to Israel. Iran will continue to seek as many vulnerabilities in Israeli critical infrastructure including water and power infrastructure, and in commercial entities where data wiping, surveillance and intelligence-gathering operations remain priorities for hacking groups.
U.S. companies operating in the region are likely to face increased risk, and critical infrastructure operators back in the United States may also face a higher risk. One of the key reasons Iran has developed asymmetric capabilities is to hit back strategically at the United States and its allies, and none of those capabilities other than cyberattacks can directly inflict damage in the United States. With the exception of commercially oriented hackers conducting ransomware attacks, Iran poses the most significant disruptive threat to U.S. critical infrastructure and strategic industries. Russia and China possess far more advanced cyber tools and will seek to infiltrate networks more often, but neither has the intent to disrupt and cause as much damage as Iran does.
Saudi Arabia and other Gulf Cooperation Council countries are also logical targets for continued attacks, including on oil and gas companies, water companies and other critical infrastructure operators. Unlike Israel and the United States, Saudi Arabia and other GCC countries do not want to risk confrontation with Iran and do not carry out offensive cyber operations directly — but their ties to the United States will continue to make them targets for Iranian activity. Civilian infrastructure including desalination plants, refineries, and oil and gas processing facilities are all likely to continue being targeted for entry. While they may not be as high a priority for Iran as striking out directly at the United States or Israel, GCC cyber capabilities pale by comparison to U.S. and Israeli capabilities, increasing their vulnerability to Iran.