Washington - US Cyber Command on Thursday conducted online attacks against an Iranian intelligence group that US officials believe helped plan the attacks against oil tankers in recent weeks, according to people briefed on the operation.
The intrusion occurred the same day President Donald Trump called off a strike on Iranian targets such as radar and missile batteries. But the online operation was allowed to go forward because it was intended to be below the threshold of armed conflict - using the same shadow tactics that Iran has deployed.
The online attacks, which had been planned for several weeks, were ultimately meant to be a direct response to both the tanker attacks this month and the downing of a US drone this week, according to the people briefed on the operations.
Multiple computer systems were targeted, according to people briefed on the operations, including those believed to have been used by an Iranian intelligence group that helped plan the tanker attacks.
An additional breach, according to one person briefed on the operations, targeted other computer systems that control Iranian missile launches.
Determining the effectiveness of a cyberattack on the missile launch system is particularly difficult. Its effectiveness could be judged only if Iran tried to fire a missile and the launch failed.
The online operation was first reported Friday by Yahoo News. Few details are known, but the breach was meant to take the Iranian intelligence group offline for a time, similar to one that temporarily took down Russia's Internet Research Agency in November during and immediately after the US midterm elections.
On Saturday, Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, issued a warning about Iranian attacks on American industries and government agencies, saying, "malicious cyberactivity" was on the rise.
Iran increases cyberattacks on the US
State-backed Iranian hackers have stepped up cyberattacks on the US, according to the Department of Homeland Security's cyberagency.
There has been a "recent rise in malicious cyberactivity directed at United States industries and government agencies by Iranian regime actors and proxies", Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said Saturday in a statement.
In recent weeks, hackers believed to be working for the Iranian government have targeted US government agencies, as well as sectors of the economy, including oil and gas, sending waves of spear-phishing emails, according to representatives of cybersecurity companies CrowdStrike and FireEye, which regularly track such activity.
It was not known if any of the hackers managed to gain access to the targeted networks with the emails, which typically mimic legitimate emails but contain malicious software.
The cyber offensive is the latest chapter in the US and Iran's ongoing cyber operations targeting the other, with this recent sharp increase in attacks occurring after the Trump administration imposed sanctions on the Iranian petrochemical sector this month.
Tensions have escalated since the US withdrew from the 2015 nuclear deal with Iran last year and began a policy of "maximum pressure". Iran has since been hit by multiple rounds of sanctions. Tensions spiked this past week after Iran shot down an unmanned US drone - an incident that nearly led to a US military strike against Iran on Thursday evening.
"Both sides are desperate to know what the other side is thinking," said John Hultquist, director of intelligence analysis at FireEye. "You can absolutely expect the regime to be leveraging every tool they have available to reduce the uncertainty about what's going to happen next, about what the US' next move will be."
CrowdStrike shared images of the spear-phishing emails with The AP.
One such email that was confirmed by FireEye appeared to come from the Executive Office of the President and seemed to be trying to recruit people for an economic adviser position. Another email was more generic and appeared to include details on updating Microsoft Outlook's global address book.
The Iranian actor involved in the cyberattack, dubbed "Refined Kitten" by CrowdStrike, has for years targeted the US energy and defense sectors, as well as allies such as Saudi Arabia and the United Arab Emirates, said Adam Meyers, vice president of intelligence at CrowdStrike.
The Department of Homeland Security said in a statement released Saturday that its agency tasked with infrastructure security has been aware of a recent rise in malicious cyber activities directed at US government agencies by Iranian regime actors and proxies.
Cybersecurity and Infrastructure Security Agency Director Christopher C. Krebs said the agency has been working with the intelligence community and cybersecurity partners to monitor Iranian cyber activity and ensure the U.S. and its allies are safe.
"What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network," Krebs said.
The National Security Agency would not address discuss Iranian cyber actions specifically, but said in a statement to The Associated Press on Friday that "there have been serious issues with malicious Iranian cyber actions in the past."
"In these times of heightened tensions, it is appropriate for everyone to be alert to signs of Iranian aggression in cyberspace and ensure appropriate defenses are in place," the NSA said.
Iran has long targeted the U.S. oil and gas sectors and other critical infrastructure, but those efforts dropped significantly after the nuclear agreement was signed. After President Donald Trump withdrew the U.S. from the deal in May 2018, cyber experts said they have seen an increase in Iranian hacking efforts.
"This is not a remote war (anymore)," said Sergio Caltagirone, vice president of threat intelligence at Dragos, Inc. "This is one where Iranians could quote unquote bring the war home to the United States."
History of bad blood
Caltagirone said as nations increase their abilities to engage offensively in cyberspace, the ability of the United States to pick a fight internationally and have that fight stay out of the United States physically is increasingly reduced.
The US has had a contentious cyber history with Iran.
In 2010, the so-called Stuxnet virus disrupted the operation of thousands of centrifuges at a uranium enrichment facility in Iran. Iran accused the US and Israel of trying to undermine its nuclear program through covert operations.
Iran has also shown a willingness to conduct destructive campaigns. Iranian hackers in 2012 launched an attack against state-owned oil company Saudi Aramco, releasing a virus that erased data on 30,000 computers and left an image of a burning American flag on screens.
In 2016, the U.S. indicted Iranian hackers for a series of punishing cyberattacks on U.S. banks and a small dam outside of New York City.
U.S. Cyber Command refused to comment on the latest Iranian activity. "As a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning," Pentagon spokeswoman Heather Babb said in a statement. The White House did not respond to a request for comment.
Despite the apparent cyber campaign, experts say the Iranians would not necessarily immediately exploit any access they gain into computer systems and may seek to maintain future capabilities should their relationship with the US further deteriorate.
"It's important to remember that cyber is not some magic offensive nuke you can fly over and drop one day," said Oren Falkowitz, a former National Security Agency analyst. It takes years of planning, he said, but as tensions increase, "cyber impact is going to be one of the tools they use and one of the hardest things to defend against."
